Companies spend significant resources securing their production systems, while the security of the backup elements of the same infrastructure, especially the backup files themselves, is overlooked. That gap is an excellent opportunity for an attacker.
Update: Here is an example of the risks associated with improper protection of backup media
One of the Shortinfosec Democorp branch office Domain Controllers has failed. A support expert is called in, and he suggests installing a new server and restoring the DC from the System State backup of the failed one, thus retaining the SID of the old DC and the other special configuration that had been implemented. The backup is kept at head office and is sent on a CD via courier.
The CD is received, the backup is restored to the new server, and everything is as good as new.
Two days later, a hacker attacks Shortinfosec Democorp. The investigation concludes that the attacker entered the computer system with a valid domain user name and password, and that the only possible breach of security was during the transport of the System State CD via courier.
The attacker had infiltrated the courier company used by Shortinfosec Democorp and paid the courier to copy every CD in transit for Democorp. This is even easier when CDs are sent via public mail, where a large number of people have access to the material.
From the copy of the System State, the attacker built multiple clones of the domain controller in a VMware lab environment and ran the following attacks in parallel:
- Scanned the cloned DC for vulnerable services.
- Enumerated the domain users held on the domain controller.
- Brute-forced the passwords of those domain users. Account lockout was no obstacle: whenever accounts locked, the attacker simply restored a fresh copy of the clone and continued.
- Ran systematic social engineering attacks against targeted domain users found on the domain controller.
Note that the System State also contains the Active Directory database itself (ntds.dit) together with the SYSTEM registry hive, so the domain password hashes can be extracted and cracked entirely offline, without a single logon attempt against the clone. Lockout policy offers no protection at all once the backup is in the attacker's hands.
The attacker you have to be most wary of is the good one. Such an attacker will use any method to collect information, including media theft.
Any backup media must therefore adhere to the following recommendations:
- Every individual container of backup media should be sealed with a tamper-evident label carrying a unique, non-repeating serial number (for example a tamper-evident bar code label).
- All such media must be logged, with the date of creation and the serial number of the tamper-evident label. The log must be kept in two copies: one accompanying the media and one kept by a person of authority who has no direct access to the backup media (internal auditor, security officer).
- All media that have ever held information (erased as well as currently holding a backup) must be kept in a locked enclosure with controlled access.
- If backups are kept on a system (file server), that system must be configured for full auditing of access to all backup files. The audit logs must be regularly reviewed by a person of authority who has no direct access to the backup media (internal auditor, security officer).
- When media must be transferred to another location, every transport method is to be treated as hostile. The backup must be encrypted, and the decryption key transported by a different channel, so that a copied CD without the key is worthless to the courier. All media must also be protected by tamper-evident labels with non-repeating serial numbers, or placed in a tamper-evident envelope with a non-repeating serial number, so that the receiving site can check the seal against the log before restoring anything.
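The recommendations above can be turned into a small custody procedure. The following Python script is an added example written for this post, not code from the original article or from any product: it encrypts the backup image before it goes onto the media (the data key travels separately), seals the media under a non-repeating serial, and keeps a hash-chained register whose entries are additionally authenticated with a key held only by the auditor, so neither the backup operator nor the courier can rewrite history. The "System State" bytes, serials and dates are constructed sample data. Assumption: to stay on the standard library, the cipher is HMAC-SHA256 in counter mode with encrypt-then-MAC; in practice use AES-GCM or an existing backup encryption tool, the register logic is the same either way.

```python
import hashlib
import hmac
import json
import secrets


def _derive(data_key: bytes, label: bytes) -> bytes:
    """Split the transported data key into independent encryption and MAC keys."""
    return hmac.new(data_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. Assumption: stand-in for AES-GCM so the
    example runs on the standard library alone."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_image(data_key: bytes, image: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag. Only this blob goes on the media."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_derive(data_key, b"enc"), nonce, len(image))
    ct = bytes(p ^ k for p, k in zip(image, ks))
    tag = hmac.new(_derive(data_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_image(data_key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting: a modified or substituted image is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_derive(data_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("media image failed authentication")
    ks = _keystream(_derive(data_key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def _entry_hash(entry: dict) -> str:
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


def register_media(register: list, auditor_key: bytes, serial: str, created: str, blob: bytes) -> dict:
    """Log one sealed medium. Serials never repeat and each entry chains to the previous one."""
    if any(e["serial"] == serial for e in register):
        raise ValueError(f"tamper-evident serial {serial} already used")
    entry = {
        "serial": serial,
        "created": created,
        "media_sha256": hashlib.sha256(blob).hexdigest(),
        "prev": register[-1]["entry_hash"] if register else "0" * 64,
    }
    entry["entry_hash"] = _entry_hash(entry)
    # The auditor's copy is authenticated under a key the backup operator never holds.
    entry["auditor_mac"] = hmac.new(auditor_key, entry["entry_hash"].encode(), hashlib.sha256).hexdigest()
    register.append(entry)
    return entry


def verify_register(register: list, auditor_key: bytes) -> bool:
    """Recompute the chain and the auditor MACs; any edited, removed or reordered entry breaks it."""
    prev = "0" * 64
    for e in register:
        core = {k: e[k] for k in ("serial", "created", "media_sha256", "prev")}
        mac = hmac.new(auditor_key, e["entry_hash"].encode(), hashlib.sha256).hexdigest()
        if e["prev"] != prev or _entry_hash(core) != e["entry_hash"] or not hmac.compare_digest(mac, e["auditor_mac"]):
            return False
        prev = e["entry_hash"]
    return True


def verify_media(register: list, serial: str, blob: bytes) -> bool:
    """On receipt: does the image on the medium labelled `serial` match what was logged for it?"""
    digest = hashlib.sha256(blob).hexdigest()
    return any(e["serial"] == serial and e["media_sha256"] == digest for e in register)


if __name__ == "__main__":
    # Constructed sample standing in for the System State backup of the failed branch DC.
    system_state = b"ntds.dit + SYSTEM hive + registry of DEMOCORP-BRANCH-DC01"
    data_key = secrets.token_bytes(32)     # travels by a separate channel, never with the CD
    auditor_key = secrets.token_bytes(32)  # held by the security officer, not by backup staff
    register = []
    blob = encrypt_image(data_key, system_state)
    register_media(register, auditor_key, "TE-000417", "2008-03-11", blob)
    print("register intact:", verify_register(register, auditor_key))
    print("seal matches media:", verify_media(register, "TE-000417", blob))
    # The courier copies the CD and alters one byte before forwarding it.
    tampered = blob[:20] + bytes([blob[20] ^ 1]) + blob[21:]
    print("tampered media accepted:", verify_media(register, "TE-000417", tampered))
    try:
        decrypt_image(data_key, tampered)
    except ValueError as err:
        print("restore refused:", err)
```

The receiving site runs verify_media against its own copy of the register before restoring, and the auditor runs verify_register over the operator's copy; a copied CD is still a disclosure, which is why the data key must never share the courier's channel, but the encryption keeps the copy useless to whoever made it.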
Talkback and comments are most welcome