# Ransomware Data Protections (Immutable Backups, Snapshots)

One-sentence definition: Controls that ensure restorable, untampered copies independent of attacker influence.

## Key Facts

- Immutable/WORM backups; offline/air-gapped copies.
- Frequent snapshots with separate credentials/paths.
- Least privilege for backup operators; MFA; break-glass isolation.
- Test restores; measure RPO/RTO vs plan.
- Detect mass encryption patterns; auto-suspend risky sessions.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Choose safeguard that defeats backup encryption by attackers.

**Mnemonic:** “If you can change it, they can too—**lock** it.”

## Mini Scenario

Q: Backups encrypted by attacker—what was missing?

A: Immutability/offline copies and split admin model.

## Revision Checklist

- Name 3 ransomware-hardening steps for backups.
- Define immutable vs offline.
- State a restore testing metric.

## Related

[[Backups for Data Protection (Domain 2 view)]] · [[Object Storage Security (Buckets, Versioning, Immutability)]] · [[Endpoint Data Protections (FDE, EDR, Port Controls)]] · [[RTO, RPO, WRT]] · [[Email Security for Data Protection (SPF, DKIM, DMARC, DLP)]] · [[Domain 2 - Index]]