Assessment
A global assessment should be the very first step of a cybersecurity enforcement project.
For this purpose, we have developed the following assessment checklist to be used as a starting point.
Since this is living documentation, you are welcome to submit enhancement suggestions using the contact form.

Physical security

Item | Question | Result |
--- | --- | --- |
Screening | Are people screened before being granted access to the datacenter? | yes/no/partially/unsure |
Physical RBAC | Is physical access to the backup infrastructure limited by role-based access rules? | yes/no/partially/unsure |
Tailgating | Are tailgating prevention systems in place? | yes/no/partially/unsure |
Surveillance | Is suspicious activity monitored inside and outside the datacenter? | yes/no/partially/unsure |
Multi-factor authentication | Is MFA required to enter the premises? | yes/no/partially/unsure |
Rack locking | Are the physical racks containing the backup infrastructure locked? | yes/no/partially/unsure |

Recovery

Item | Question | Result |
--- | --- | --- |
Recovery strategy existence | Is there a recovery strategy in place? | yes/no/partially/unsure |
Recovery strategy test | Is the recovery strategy regularly tested? | yes/no/partially/unsure |
Dedicated recovery infrastructure | Is there a dedicated recovery infrastructure? | yes/no/partially/unsure |

Threat detection

Item | Question | Result |
--- | --- | --- |
EDR/XDR | Is an EDR or XDR deployed to detect threats? | yes/no/partially/unsure |
Honeypots | Are honeypots deployed? | yes/no/partially/unsure |
Veeam ONE | Is Veeam ONE deployed and monitoring for threats? | yes/no/partially/unsure |

3-2-1-1-0 rule

Item | Question | Result |
--- | --- | --- |
3 copies | Are there 3 different copies of the data? | yes/no/partially/unsure |
2 media | Are the copies hosted on two different media types? | yes/no/partially/unsure |
1 offsite | Is one copy offsite? | yes/no/partially/unsure |
1 immutable/air-gapped copy | Is one copy immutable or air-gapped? | yes/no/partially/unsure |
0 errors | Are the backups regularly tested to ensure they can be restored? | yes/no/partially/unsure |

Accounts

Item | Question | Result |
--- | --- | --- |
Anonymous accounts | Do account names contain a reference to their role? | yes/no/partially/unsure |
Password change policy | Are passwords changed on a regular basis? | yes/no/partially/unsure |
Inactivity lockout policy | Are users disconnected after a given period of inactivity? | yes/no/partially/unsure |
Role-based access control | Can the backup infrastructure be accessed only with dedicated backup accounts? | yes/no/partially/unsure |
Honeypot accounts | Are there visible honeypot accounts that are monitored? | yes/no/partially/unsure |
Multi-factor authentication | Is MFA required to log in to the backup infrastructure? | yes/no/partially/unsure |

Encryption

Item | Question | Result |
--- | --- | --- |
At rest | Is data encrypted on the repositories? | yes/no/partially/unsure |
In transit | Is data encrypted in transit? | yes/no/partially/unsure |

Network segmentation

Item | Question | Result |
--- | --- | --- |
Specific segmentation | Is the backup infrastructure placed on dedicated network segments? | yes/no/partially/unsure |
MFA | Is MFA enforced for access to the backup infrastructure segment? | yes/no/partially/unsure |

Backup server hardening

Item | Question | Result |
--- | --- | --- |
Veeam DB | Is access to the Veeam configuration database restricted? | yes/no/partially/unsure |
Console | Is the console uninstalled from the VBR server? | yes/no/partially/unsure |
Backup infrastructure servers cleanup | Have the servers been cleaned up of all unnecessary roles and components? | yes/no/partially/unsure |
Patching and updates | Are the servers patched and updated on a regular basis? | yes/no/partially/unsure |
Remote management | Are remote management tools disabled or uninstalled? | yes/no/partially/unsure |

Repository

Item | Question | Result |
--- | --- | --- |
Immutability | Is the repository immutable? | yes/no/partially/unsure |
Hardening | Is the repository hardened? | yes/no/partially/unsure |
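Answering the immutability question with more than "yes" requires looking at the repository itself. On a Veeam hardened repository immutability is enforced with the Linux immutable attribute (chattr +i), so a backup file that is still inside its immutability window must show the `i` flag in `lsattr` output. The script below is an added example for this checklist, not Veeam's own tooling: it lists backup files under a repository path that lack the flag. It assumes the repository path is given as the first argument, that backup files use the `.vbk`/`.vib`/`.vrb` extensions, and that `lsattr` from e2fsprogs is installed; the sample `lsattr` output used for the offline demo is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not part of the original checklist: verify the "Immutability"
# item on a Veeam hardened repository. The hardened repository enforces
# immutability with the Linux immutable attribute (chattr +i), so every backup
# file still inside its immutability window must show 'i' in lsattr output.
# Assumptions: repository path passed as $1; backup files use the Veeam
# extensions .vbk/.vib/.vrb; lsattr (e2fsprogs) is installed.

# parse_lsattr: read lsattr output ("<attrs> <path>" per line) on stdin and
# print the paths whose attribute string lacks the lowercase immutable flag 'i'
# (uppercase 'I' is a different, unrelated attribute and does not match).
parse_lsattr() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue          # skip blank lines
        attrs=${line%% *}                   # attribute field, e.g. ----i---------e-------
        path=${line#* }                     # everything after the first space
        case "$attrs" in
            *i*) ;;                         # immutable: nothing to report
            *)   printf '%s\n' "$path" ;;   # mutable backup file: a finding
        esac
    done
}

# count_mutable: number of mutable files in lsattr output read from stdin.
count_mutable() {
    parse_lsattr | wc -l | tr -d ' '
}

# check_repository: report backup files under a repository that are NOT
# immutable. Returns 0 when every backup file carries the flag, 1 otherwise.
check_repository() {
    repo=$1
    findings=$(find "$repo" -type f \( -name '*.vbk' -o -name '*.vib' -o -name '*.vrb' \) \
        -exec lsattr {} + 2>/dev/null | parse_lsattr)
    if [ -n "$findings" ]; then
        printf 'Mutable backup files found:\n%s\n' "$findings"
        return 1
    fi
    echo "All backup files under $repo carry the immutable attribute"
    return 0
}

# Constructed sample of lsattr output (not captured from a real system),
# used for the offline demo when no repository path is given.
SAMPLE='----i---------e------- /backups/job1/job1.vbk
--------------e------- /backups/job1/job1D2024-01-02.vib
----i---------e------- /backups/job1/job1D2024-01-03.vib'

if [ $# -gt 0 ]; then
    check_repository "$1"
else
    echo "Demo on constructed lsattr output; mutable backup files:"
    printf '%s\n' "$SAMPLE" | parse_lsattr
fi
```

Run it as the repository's unprivileged Veeam user (`sh check_immutable.sh /backups`, file name assumed); `lsattr` does not need root, which is the point of a hardened repository. Two caveats: the service removes the attribute once the configured immutability period has passed, so a mutable restore point is only a finding if it is still within that period, and the check says nothing about whether the period itself matches policy, which has to be read from the repository settings in the Veeam console.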

Active Directory

Item | Question | Result |
--- | --- | --- |
Domain admin credentials | Is a domain admin account stored in Veeam? | yes/no/partially/unsure |
gMSA | Is a gMSA (group Managed Service Account) used for guest OS interaction? | yes/no/partially/unsure |