Americas

  • United States

Asia

Europe

Oceania

Popular Topics

Topics

About

Policies

Our Network

More

HomeBlogsPosts by Security RenegadesBack-ups: The weakest link in data security
by Security Renegades

Back-ups: The weakest link in data security

Opinion
Jun 05, 20073 mins
Business ContinuityData and Information SecurityPhysical Security

There have been many examples of misplaced hard drives exposing sensitive information.  The most recent example being the Travel Security Administration losing an external hard drive which contained 100,000 employee records.  Companies continue to strive to lock down their live environment yet ignore the security implications of back-ups.  What makes this data less sensitive when it exists on a back-up tape than when it existed on a live server?

The attack surface of course changes.  You can’t use an SQL injection attack over a web connection against a back-up tape sitting on a shelf.  However it is a lot easier to walk out the door with a back-up tape under your coat than to try and carry out a live server.  The fact of the matter remains; regardless of attack surface the data classification does not change.  The business impact of that data being exposed is no less significant.  So what should be done?

Security for data back-ups is not a cut and dry issue.  The answer of “encrypt the data” is too simple to be helpful.  How often are back-ups taken?  What media are they stored on and in what format?  Where is this media kept?  How long do we keep back-ups?  How is media handled when the data has reached the end of its life cycle?  These are all questions to be considered.

The type of back-up makes a huge difference in how it is handled.  Consider a “hot” back-up of a system which is a duplicate of a live system which can be made live should the main system experience issues.  Obviously encrypting this drive makes it less viable as a “hot” back-up.  However, encryption may be the answer for a back-up tape which simply holds copies of old records for a data preservation or disaster recovery use.  This raises other questions though.  Where are those tapes stored?  How do they get from the back-up machine to that storage facility?  Encryption is not fool proof.  While it will provide some protection if the tape is lost or stolen, it is obviously better to avoid such events all together by securely transporting and storing these drives and tapes.

While each type of back-up is a very different animal and should be treated in different ways, in the end one tenet holds true of all back-ups regardless of shape or size: A copy of data is no less sensitive than the original data.

– John

by Security Renegades

Joe Basirico - Security Analyst Joe studies security and develops tools that assist in the discovery of security vulnerabilities and general application problems. His primary responsibility at Security Innovation is to deliver security courses to software teams in need of application security expertise. He has trained developers and testers from numerous world-class organizations, including Microsoft, HP, EMC, Symantec and Amazon.com. Joe is also responsible for participating in customer security process assessments as well as security engineering activities such as security design reviews, security code reviews, and security testing and security deployment reviews. Joe holds a B.S in Computer Science from Montana State University. John Carmichael - Security Researcher John leverages his strong lab development, programming and security process skills to deliver factual and useful training courses to testers and developers. John is a skilled software and Web developer with deep expertise in several different languages and environments. He has made many contributions to the open source software community by developing an open source structured drawing tool implemented in Python, testing several release candidates of the Sarge installer for the Debian Linux distribution, and writing a soon to be released Windows OS crash analyzer product. John has a B.S. in Computer Science and Business Administration from the University of Vermont and is currently working toward an M.S. in Computer Information System Security from Boston University.

Most popular authors

Show me more

feature

Top cybersecurity M&A deals for 2023

By CSO Staff
Sep 22, 202324 mins
Mergers and AcquisitionsMergers and AcquisitionsMergers and Acquisitions
Image
brandpost

Unmasking ransomware threat clusters: Why it matters to defenders

Sep 21, 20233 mins
Cybercrime
Image
news analysis

China’s offensive cyber operations support “soft power” agenda in Africa

By Michael Hill
Sep 21, 20235 mins
Advanced Persistent ThreatsCyberattacksCritical Infrastructure
Image
podcast

CSO Executive Sessions Australia with Nicole Neil, Director of Information Security at Seer Medical

Sep 20, 202312 mins
CSO and CISO
Image
podcast

CSO Executive Sessions Australia with Siddiqua Shaheen, Head of Cyber Governance at Lander & Rogers

Sep 07, 202317 mins
CSO and CISO
Image
podcast

CSO Executive Sessions / ASEAN: IHH Healthcare's Francis Yeow on defining the CISO role

Sep 06, 202310 mins
CSO and CISO
Image
video

CSO Executive Sessions Australia with Nicole Neil, Director of Information Security at Seer Medical

Sep 20, 202312 mins
CSO and CISO
Image
video

What is zero trust security?

Sep 06, 20233 mins
AuthenticationZero TrustNetwork Security
Image
video

CSO Executive Sessions / ASEAN: IHH Healthcare's Francis Yeow on defining the CISO role

Sep 06, 202310 mins
CSO and CISO
Image