Computer back-up question

I have an external HDD permanently connected to my PC via a USB port. The HDD has its own power supply, and is switched on when the computer is switched on (they're both plugged into the same 4-way extension lead). The computer does an automatic back-up every 24 hours, using Acronis True Image.

Am I right in thinking that this would not necessarily protect me in the case of a virus infection, ransom-ware or other malware, because the external HDD would be detected and infected at the same time as the PC by any decent self-respecting malware?

I should also add that assuming I'm right, I do a monthly backup to another external HDD that isn't permanently connected to my PC, but only when I do the back-up.

Chris Hogg

The risk there is that if there is a surge, spike or brownout you stand a chance of getting the PC *and* backup drive corrupted or damaged. If it's on a surge protector that might protect against surges or spikes but wouldn't protect against a brownout. If you have a UPS you should be protected (to a greater degree anyway) against all events.

We recently had a brownout and this PC (an Apple Mac Mini) survived it because they use an external laptop-like PSU, as does my server. The wife's PC is in a UPS so she was fine also. A std PC I also had on at the time rebooted.

Ok.

Correct, depending on the abilities / restrictions of your AV / AM software?

Also, say you downloaded an email that carried some malware and your AV/AM software didn't catch it at the time. The worst that might happen is that malware file might then get backed up but wouldn't be a threat unless you actually ran that file. If you did and it only corrupted your system drive, it's possible you could still recover the system from the last backup (complete with malware attachment) and as long as you didn't run it again, would be ok.

The vulnerability (to a virus or malware) of the data on the backup drive can be a function of how it's stored.

Then at least you only risk the loss of 29 days data. ;-)

I think the safest way to automatically protect your backup drive would be to cause it to dismount after it's done a backup and re-mount before it but I'm not sure how you would do that (automatically ... on any OS).

Cheers, T i m

T i m

In Linux you could write a simple script to mount the drive, do the backup and then unmount it. Just need to use the mount and umount commands. I suspect if you leave the drive physically connected it will retain the same end point and ease your script. Otherwise you would need to do a quick scan to find it. Will depend on how it is connected as a device.

Lee Nowell
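
A sketch of the mount, back up, unmount script described in the post above, which is also what T i m asked about (an added example, not code from anyone in the thread). The UUID, mount point and source directory are placeholder assumptions, and rsync stands in for whatever backup tool is actually used.

```shell
#!/bin/sh
# Added example: the backup drive stays unmounted except while a backup runs.
# Placeholders to adapt (assumptions, not values from the thread):
BACKUP_UUID="${BACKUP_UUID:-0000-PLACEHOLDER}"    # real value: lsblk -f
MOUNT_POINT="${MOUNT_POINT:-/mnt/offline-backup}"
SOURCE_DIR="${SOURCE_DIR:-$HOME/Documents}"

# Commands are held in variables so a dry run can substitute harmless stubs.
MOUNT_CMD="${MOUNT_CMD:-mount}"
UMOUNT_CMD="${UMOUNT_CMD:-umount}"
COPY_CMD="${COPY_CMD:-rsync -a}"    # stand-in for the real backup tool

run_backup() {
    copy_rc=0
    mkdir -p "$MOUNT_POINT" || return 1

    # Mount by filesystem UUID, so it does not matter which /dev/sdX name
    # the drive was given this time.
    if ! $MOUNT_CMD "UUID=$BACKUP_UUID" "$MOUNT_POINT"; then
        # Stop here: copying now would fill the empty directory on the
        # system disk instead of the external drive.
        echo "backup: mount failed, nothing copied" >&2
        return 2
    fi

    # One dated directory per day, so today's run does not overwrite
    # yesterday's copy.
    $COPY_CMD "$SOURCE_DIR/" "$MOUNT_POINT/$(date +%Y-%m-%d)/" || copy_rc=3

    # Unmount whether or not the copy worked; a drive left mounted is
    # writable by anything running on the PC until the next backup.
    if ! $UMOUNT_CMD "$MOUNT_POINT"; then
        echo "backup: unmount failed, drive is still mounted" >&2
        return 4
    fi
    return "$copy_rc"
}

# Run only when asked to, e.g. from root's crontab: backup.sh --run
if [ "${1:-}" = "--run" ]; then
    run_backup
    exit $?
fi
```

Unmounting only hides the drive from ordinary programs; anything running as root can mount it again, which is why a drive that is powered off or unplugged between backups is the stronger measure.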

I'd have said the big risk is from the ransomware attack which will not so much "infect" the disk as encrypt the FAT or whatever the current "filing system" is called. For that reason my backup USB drives are either only powered up when required and in some cases not plugged in until required.

newshound

Yes, the external HDD could be infected.

What do you need to backup and how often? Do you need a HDD with its large capacity, or could you make do with a USB memory stick? If you are generating umpteen GB of new files every few days, then I can understand the need for a HDD. If not, use a "grandfather, father, son" method using three memory sticks. Firstly, keep all your large unchanged files (maybe folders of photos and videos from several years) on your internal hard drive, and the backup as usual on your external HDD.

Then make a full backup to your first memory stick, but omitting the photo/video folders, etc you've put on the external drive. Remove the memory stick and store safely. The next day, make a new backup to the second memory stick, and repeat the next day with the third stick. On day 4, use the first memory stick again with an incremental backup, then the next day use the second memory stick, etc.

After a while, it is possible the memory stick will fill up, or the backup software will tell you it is going to do a new full backup. That's ok - I find it easier to delete everything on that first stick and then let the full backup go ahead.

It needs a bit of discipline, but is a lot safer.

Jeff Layman

I've been paying for the code42 service but will stop that soon. What backup software are you using?

nothanks

Thanks for the comments. It's as I suspected. I'll stick with what I've got, on the basis that if the worst happens, I only lose one month's stuff at most, and I don't regard any of it as being vital for my future existence.

Chris Hogg

Could you not do the same in Windows / OSX though Lee? I mean, we have the little Eject hardware applet in Windows so I'm guessing that could be called via a script etc?

Understood.

I made daughter an OMV NAS and it has the feature to recognise an external drive being attached, run a backup and then I think it dismounts the drive afterwards, so you can pull it etc.

I currently have a 1.5TB USB drive connected to my Windows Home Server taking a daily backup. I took it from an old PC that my mate gave me that sometimes wouldn't start (it just clicked) but it seems to be fine in this external enclosure. I can hear it spin up before the server runs a backup (after it's backed up the client) and I'm not sure if any malware / virus on the client PCs could get the server drive to spin up to be able to write to it? It may well as it might just be sleeping.

Cheers, T i m

T i m

I don't have a solution for ransomware unfortunately.

But, I can give the benefit of some experience.

I've had around five or six backups ruined. I run a verify on them, the verify fails. When I throw the backup file into a hex editor, it's not a backup file, it's something else, and it's not encryption. One file was mostly zeroed but still had some sections that might have been backup material. The other one looked almost like a section out of an NTFS file system, but when I tried to open it that way, it wasn't an NTFS file system.

I have other large files that don't seem to be damaged (things like .vhd files for virtual machines). It's only files with the backup extension getting damaged.

I recommend at the very least, opening the backup software once in a while and doing a verify, just in case. I haven't a clue how to debug that either, because this might be happening over a period of months, and it's pretty hard to lay a trap for a period of time like that.

Just because your external drive has a bunch of large files on it, in an emergency, it could turn out they're all trash. And not even ransomed.

*******

The other thing you have to think about, is the attack vector.

I can give an example. This is the only example I know of where a USENETter got ransomware.

A guy in another group, has a web server and bought a domain for it from GoDaddy. As is usual with this sort of thing, they put your particulars, like your email address, into the registration page. (There is an option to hide this, but I don't know how you do that.)

OK, so he's sitting in his chair, when an email comes in. It's from GoDaddy, an "invoice" to renew his domain. Being a dumb ass, he "double-clicks" the attachment. It looked like a PDF, but it wasn't.

Fast forward about two hours, he starts seeing funny file extensions. He writes into the newsgroup he uses and asks "does anyone know what .osirus comes from".

I look it up, and something with roughly that spelling is an encrypted file from ransomware. I deliver the bad news, and it's already too late. He's wiped out. It wormed through the network and got all the computers on the LAN, then put up the red box with the details.

He had *zero backups*. None. He really was cooked. He's one of these people that buys used hard drives, to save a buck.

It took around three months, before he at least had OSes and software reinstalled. It's the usual deal, he has a CD and no key, he has a key and no CD, and so on. Every reinstall task is a chore (and an adventure). He's got no backups, and while he has plenty of junk in his junk room, it takes a while to get enough stuff to finish up a machine.

It doesn't get much worse than this.

Like any dumpster fire, always go in style. If the flames aren't tall enough, pour in a bit of gas. He couldn't have made it any worse, if he tried.

*******

Summary: Don't double-click email attachments, and that's a start to not having any sad stories to tell. Detach an attachment, inspect, scan, be suspicious.

At some point, you'll be uninstalling Adobe Flash, Silverlight and so on. Maybe Adobe AIR. This will reduce your attack surface a bit. I haven't heard of any Adobe Flash exploits lately, but it's an obvious target.

And just do your usual Safe-Hex thing. Be suspicious of downloads and freebies. If you're getting a large freebie from a seemingly financially unsupported site, you have to ask yourself where the money comes from for this. I saw a site the other day, glossy web layout, no physical street address for the business, offering a 70MB download, no annoying adverts on the web page. No signs of income. When I see these, I call it "levitation", because the outfit is defying gravity.

Paul

Paul

Indeed. You need a backup that is not accessible to malware, human error etc. You also have the risk that you are destroying your one good backup each time you make a new one.

That's better - although still not a total solution.

A bit depends on what you are backing up and how... If you are just doing an image of the current state, then you can restore stuff to how it was when you last made a backup. However if you discover you messed up a file a month back and did not notice at the time, you would likely find your only backup is of the already corrupted file. So some form of "generational" backup that keeps multiple versions of individual files is good.

Having copies of your backup that are not vulnerable to any physical pitfall that could befall your main system (fire, theft, flood etc) is also good.

John Rumm

Yup you can add and remove drive letters or graft a volume into an existing folder tree (unix style) from the command line. There are a number of tools that will help.

John Rumm

No, I'm using the normal back up software in Windows, and in all the years I've been using PCs, I've not seen anything take out the plugged in Western Digital drive. I have it portable as I have two machines, one off site and when I'm allowed to get to the place it's kept in future, I take it with me every month and do a back up, but the drive is really only big enough for one back up. I suppose one can take backing up to all sorts of lengths though. Who would want my rubbish?

Brian

Brian Gaff (Sofa 2)

Cloud is good for that, I happen to have 1TB of space on Microsoft OneDrive, it might not be the best way to buy space but in my case it comes "free" with the parts of Office365 that I need anyway, plenty of other providers.

Andy Burns

Be careful with unknown links, like those silly videos that someone keeps on posting here.

Andrew

Has he learnt from this experience?

Tim Streater

That appears to be a commercial service where your data is stored in The Cloud.

I'm just running a Linux Mint laptop at home, and use Déjà Dup. It's simple and effective. The more complicated a backup process is, the less liable you are to use it.


Jeff Layman

Thanks for the info, but I'm on Win10.

nothanks

He's probably sorry it happened, but I don't think it made some sort of "convert" of him.

If he avoids double-clicking untrusted stuff, that would be a big step forward.

With phishing, the people doing that stuff are very clever. If today's phishing pros were sent to pen test my old work site, they'd have a field day in there. Take the "dropped USB stick in parking lot" trick. That would work a treat at my work. All the sticks you dropped would get plugged into work computers.

Paul

Paul

So still no backups then.

Tim Streater

A company that I worked for became quite hot on security. A member of their staff, working on plant, wanted to watch TV at work and plugged a USB streaming device in (presumably wi-fi connected to his mobile) - exposing the entire, isolated, "secure" network to the outside world.

They were also concerned about the "dropped" USB stick.

They now lock everything down with software, but for a while, every USB port was simply filled with epoxy resin!

SteveW

Steve Walker
