6 Steps to Securing Your Backup Media in Transport
Companies spend significant resources securing their production systems, but the security of the backup side of the same infrastructure, especially the backup files themselves, is often overlooked. This gap is an excellent opportunity for an attacker.
Example scenario:
One of the Shortinfosec Democorp branch office Domain Controllers has failed. A support expert is brought in to assist, and he suggests installing a new server and restoring the DC from a System State backup of the failed one, thus retaining the SID of the old DC and the other special configurations that have been implemented. The backup is kept at head office and is sent on a CD via courier.
The CD is received, restored to the new server, and everything is good as new.
Two days later, an attacker breaks into Shortinfosec Democorp. The investigation concludes that the attacker used a valid domain user name and password to enter the computer system, and that the only possible breach of security was during the transport of the System State CD via courier.
Analysis:
The attacker has infiltrated the courier company used by Shortinfosec Democorp and paid the courier to make a copy of all CDs in transit for Democorp. This is even easier if the CDs are sent via public mail, where a large number of personnel have access to the material.
From the copy of the System State, the attacker recreated multiple clones of the domain controller in a VMware lab environment and performed the following attacks in parallel:
- Scanned the cloned DC for vulnerable services.
- Enumerated the domain users held on the domain controller.
- Brute-forced the passwords of those domain users. Any account lockout was bypassed by simply restoring a fresh copy of the clone and continuing the attack. (A System State backup also contains the Active Directory database itself, so an attacker can extract the password hashes from it offline and crack them without any online guessing at all.)
- Ran a systematic social engineering attack on targeted domain users identified from the domain controller.
Conclusions and recommendations:
A good attacker is the one you have to be most wary of. Such an attacker will use any method to collect information, including media theft.
All backup media must therefore adhere to the following recommendations:
- Every individual media container should be sealed with a unique tamper-evident label (a tamper-evident bar code label with a non-repeating serial number).
- All such media must be logged, with the date of creation and the serial of the tamper-evident label. The log must be kept in two copies, one accompanying the media and one kept by a person of authority who has no direct access to the backup media (internal auditor, security officer). On arrival, the seal serial is checked against the copy of the log that did not travel with the media.
- All media that contain or have contained information (erased media as well as media holding a backup) must be kept in a locked enclosure with controlled access.
- If backups are kept on a system (file server), that system must be configured for full auditing of all file access. Audit logs must be regularly reviewed by a person of authority who has no direct access to the backup media (internal auditor, security officer).
- When media must be transferred to another location, every transport method must be treated as hostile. The backup must be encrypted, and the decryption key must travel by a different channel from the media. All media must also be protected by tamper-evident labels with non-repeating serial numbers, or placed in a tamper-evident envelope with a non-repeating serial number.
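The last three recommendations can be enforced mechanically rather than by procedure alone. The Go program below is an added example and is not code from the original article or from Shortinfosec: it encrypts a backup with AES-256-GCM under a fresh random key that is handed back separately (for the second channel), binds the tamper-evident label serial into the ciphertext as associated data, and produces the custody-log record (serial, creation date, digest of the encrypted payload) that is kept in two copies. The function names `SealBackup` and `OpenBackup`, the serial format `SEAL-0001` and the sample backup bytes are all constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Manifest is the chain-of-custody record for one piece of media. It is written
// in two copies: one travels with the media, one stays with the security officer.
// It deliberately holds no key material.
type Manifest struct {
	LabelSerial string // non-repeating serial printed on the tamper-evident seal
	Created     string // creation timestamp, RFC 3339 UTC
	SHA256      string // digest of the encrypted payload exactly as written to the media
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBackup encrypts a backup under a fresh random 256-bit key with AES-GCM.
// The tamper-evident label serial is bound in as GCM associated data, so a
// payload moved into a container with a different seal will not decrypt.
// The key is returned on its own so it can travel by a different channel.
func SealBackup(plaintext []byte, labelSerial string) ([]byte, []byte, Manifest, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, nil, Manifest{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, Manifest{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, Manifest{}, err
	}
	// Layout on the media: nonce || ciphertext || GCM tag.
	payload := gcm.Seal(nonce, nonce, plaintext, []byte(labelSerial))
	sum := sha256.Sum256(payload)
	m := Manifest{
		LabelSerial: labelSerial,
		Created:     time.Now().UTC().Format(time.RFC3339),
		SHA256:      hex.EncodeToString(sum[:]),
	}
	return key, payload, m, nil
}

// OpenBackup is the receiving side. It first checks the seal serial against the
// custody log and the payload digest (both possible without the key), then
// decrypts with the key that arrived over the separate channel. Any single
// failure rejects the media.
func OpenBackup(key, payload []byte, observedSerial string, m Manifest) ([]byte, error) {
	if observedSerial != m.LabelSerial {
		return nil, errors.New("seal serial does not match the custody log")
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, errors.New("payload digest does not match the custody log")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(payload) < ns+gcm.Overhead() {
		return nil, errors.New("payload too short")
	}
	plain, err := gcm.Open(nil, payload[:ns], payload[ns:], []byte(observedSerial))
	if err != nil {
		return nil, errors.New("decryption failed: wrong key, altered payload or wrong label")
	}
	return plain, nil
}

func main() {
	// Constructed stand-in for the System State archive; not a real backup.
	backup := []byte("SystemState.bkf: ntds.dit, SYSTEM hive, SYSVOL ...")
	key, payload, m, err := SealBackup(backup, "SEAL-0001")
	if err != nil {
		panic(err)
	}
	fmt.Printf("log entry (both copies): %+v\n", m)
	fmt.Printf("key (separate channel):  %x\n", key)

	// Receiving site: seal intact, digest matches, key arrived separately.
	if _, err := OpenBackup(key, payload, "SEAL-0001", m); err == nil {
		fmt.Println("genuine media: restored")
	}
	// Courier copied the disc and altered one byte of the payload.
	tampered := append([]byte(nil), payload...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = OpenBackup(key, tampered, "SEAL-0001", m)
	fmt.Println("tampered media:", err)
	// Courier swapped the container: the seal serial no longer matches the log.
	_, err = OpenBackup(key, payload, "SEAL-0002", m)
	fmt.Println("re-sealed media:", err)
	// A copy of the disc without the key is useless to the attacker.
	_, err = OpenBackup(make([]byte, 32), payload, "SEAL-0001", m)
	fmt.Println("copied media, no key:", err)
}
```

Binding the label serial into the ciphertext means the seal and the data check each other: a courier who copies the disc gets ciphertext he cannot decrypt, and one who alters the disc or moves it into a new sealed envelope causes the restore to fail. The digest in the manifest lets the receiving office detect tampering before any key is used, and because the officer's copy of the log never travelled, an altered travelling copy is caught as well.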
Spirovski Bozidar, CISSP, MCSA
Spirovski Bozidar is an ICT and security expert. Mr. Spirovski has worked in information management and security since 1999. His professional experience ranges from Head of Systems and Security at an ISP to Senior Solution Designer within an incumbent telco operator. Bozidar currently holds the position of Chief Information Security Officer for a bank that is a member of a large multinational group.
He has been a guest speaker at a multitude of international conferences on information systems in CEE, covering the subjects of personal data protection and EU regulations, risk analysis and business continuity, and reliable data hosting.
He is the author of the ShortInfosec Portal (http://www.shortinfosec.net)
Article Source: ArticlesBase.com - 6 Steps to Securing Your Backup Media in Transport