
Data security: the Backup Backdoor


feature

8

Backing up data is essential for any business, in case the original information is destroyed. The very nature of back-up is to copy data from live systems to contingency systems, whether they are secondary servers or storage media such as tape or optical disc. However, many organizations overlook, in their disaster recovery plans, the security vulnerabilities introduced by the back-up software, the procedures and the location of the data.

Physical access to live servers is commonly well thought out and implemented with swipe cards and RSA Security's SecurID logins. It is often adequately audited, recording access to data in great detail. Access to tape back-ups, however, is often overlooked, with data left on shelves in open offices, sitting in receptions or loading bays awaiting collection by couriers, and even in the post with Royal Mail!

A great deal of effort and time is spent on the security of servers: stopping unnecessary services, securing TCP/IP ports and hardening servers against unwanted network access. Back-up software is designed to shift large volumes of data off a server, usually across a TCP/IP network, and by its very nature is almost the exact opposite of a hardening exercise. This vulnerability is often overlooked; even the rudimentary security provisions that many back-up applications do offer are left unconfigured, mostly, it seems, through ignorance of their presence.

When implementing a well-secured back-up facility, the risks associated with the ability to move large amounts of data are often overlooked. Access to all the data on the server that is required for back-up is typically provided via TCP/IP, usually on a proprietary port with a proprietary protocol. The protocol provides some protection, but only of the obscurity kind: it identifies the product, not the peer. The main risk therefore comes from the correct software being used from the wrong machine, and it is important that organizations have procedures in place that identify both the source and the destination of a backup.

To illustrate the risks, let us consider two scenarios. The first is an unauthorized backup, where a malefactor invades the network using a machine configured as a backup server and spoofs the real backup server's IP/MAC address. After contacting the data-critical servers with backup requests, which they answer by backing up their data to the invading machine, the malefactor absconds with the company's most sensitive data.

This scenario depends on someone gaining access to a physical location on the network, but that does not limit the intrusion to an unauthorized employee. Should a network be compromised from the outside, a clever cracker could convert an existing server into a spoofed backup server and gain access to data on machines that have not themselves been compromised.

The other scenario involves someone invading the network and spoofing a backup client's IP/MAC address. Once that is accomplished, the invading machine contacts the backup server and recovers the data originally backed up from the client it is spoofing.

This scenario leaves more of an audit trail, as most applications record tape movements for restore and backup. But it has the advantage that it could be quicker than a backup, because no file-level processing of a disk needs to be completed. Although scenario one could gain more information from multiple machines at once, scenario two, with typical transfer speeds of 10 MB/s on modern tape devices, could remove a lot of data very quickly.

As yet none of the major manufacturers has implemented a really secure backup system, though Public Key Infrastructure (PKI) or certificate-based authentication of both ends of the transfer would seem to be the logical step. The only way to accomplish this currently is to run the backup traffic through SSH tunnels with port forwarding, an inelegant and inefficient solution. This really falls into the philosophy adopted by many vendors today that until someone exploits the bad design, and there is a public scandal, the manufacturer will not rectify the situation. Let us hope that the backup manufacturers answer the call of the industry and enhance their access controls soon.
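The two scenarios above, as an added example that is not part of the original article and is not code from any backup product: a simulation of the trust decision a backup agent (scenario one) and a backup server (scenario two) make when a request arrives, first on the claimed source address alone, which is all an IP/MAC spoofer needs to match, and then with a per-request challenge the spoofer cannot answer. A shared-key HMAC challenge-response stands in for the certificate-based authentication the article calls for; the addresses, operation names, payloads and message shape are all made up for illustration.

```python
"""
Address-based trust versus authenticated peers in a backup protocol.

Added example, not code from the article or from any backup product.
The wire format, addresses, operation names and key handling are assumptions
made for illustration; the source address a request carries is whatever the
sender claims, which is exactly what an IP/MAC spoofer controls.  A shared-key
HMAC challenge-response stands in for the certificate-based authentication the
article calls for: the point it demonstrates (authenticate the peer, not its
address) is the same, but real deployments should use per-host certificates.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Request:
    src_ip: str          # whatever the sender puts on the wire: spoofable
    op: str              # "BACKUP" (pull live data) or "RESTORE" (pull a stored copy)
    proof: bytes = b""   # HMAC over the peer's challenge; empty if the sender has no key


def prove(key: bytes, nonce: bytes, op: str) -> bytes:
    """Requester side: bind the shared key to this nonce and this operation."""
    return hmac.new(key, nonce + op.encode(), hashlib.sha256).digest()


@dataclass
class Peer:
    """One end of the backup protocol.

    A backup agent on a data-critical server holds live data and answers
    BACKUP; the backup server holds stored copies and answers RESTORE.
    Both apply the same trust policy to the requests they receive.
    """
    name: str
    store: Dict[str, bytes]   # op -> payload this peer will hand out
    trusted_ip: str           # address it expects the legitimate peer to use
    key: Optional[bytes]      # None = address-only trust, the weak setting
    audit: List[str] = field(default_factory=list)
    _nonce: Optional[bytes] = None

    def challenge(self) -> bytes:
        """Fresh per request and consumed on use, so a captured proof cannot be replayed."""
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def handle(self, req: Request) -> Optional[bytes]:
        nonce, self._nonce = self._nonce, None
        if req.src_ip != self.trusted_ip:
            self.audit.append(f"{self.name}: refused {req.op} from {req.src_ip} (unexpected address)")
            return None
        if self.key is not None:
            if nonce is None or not hmac.compare_digest(prove(self.key, nonce, req.op), req.proof):
                self.audit.append(f"{self.name}: refused {req.op} from {req.src_ip} (no valid proof)")
                return None
        self.audit.append(f"{self.name}: served {req.op} to {req.src_ip}")
        return self.store.get(req.op)


def exchange(peer: Peer, src_ip: str, op: str, key: Optional[bytes]) -> Optional[bytes]:
    """One round: obtain a challenge, answer it with whatever key the requester has, collect the payload."""
    nonce = peer.challenge()
    proof = prove(key, nonce, op) if key is not None else b""
    return peer.handle(Request(src_ip, op, proof))


def run(authenticated: bool) -> Dict[str, Optional[bytes]]:
    """Play both of the article's spoofing scenarios against address-only or authenticated peers."""
    key = secrets.token_bytes(32) if authenticated else None
    server_ip, client_ip = "10.0.0.5", "10.0.0.20"          # assumed addresses
    # Scenario one target: the agent on a data-critical server, trusting the backup server's address.
    agent = Peer("agent@" + client_ip, {"BACKUP": b"payroll.db"}, server_ip, key)
    # Scenario two target: the backup server, trusting the client's address for restores.
    server = Peer("server@" + server_ip, {"RESTORE": b"payroll.db (tape copy)"}, client_ip, key)
    rogue_key = b"not-the-real-key"   # the intruder has the right address but no key material
    return {
        "legit_backup": exchange(agent, server_ip, "BACKUP", key),
        "legit_restore": exchange(server, client_ip, "RESTORE", key),
        "rogue_backup": exchange(agent, server_ip, "BACKUP", rogue_key),      # spoofed server IP
        "rogue_restore": exchange(server, client_ip, "RESTORE", rogue_key),   # spoofed client IP
        "rogue_wrong_ip": exchange(agent, "10.0.0.99", "BACKUP", rogue_key),  # no spoofing at all
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("authenticated" if mode else "address-only", run(mode))
```

With `authenticated=False` the rogue machine is served both the live data and the tape copy as soon as it presents the expected address; with `authenticated=True` it is refused in both directions while the legitimate peers still succeed. The nonce is consumed on use, so a proof captured off the wire cannot be replayed, and the operation name is folded into the proof, so a captured BACKUP proof cannot be turned into a RESTORE.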

Mirroring

With the cost of online disk storage falling at what seems like a daily rate, on-site mirrors are often used to provide a means of restoration when minor problems occur, such as daily 'error' backups, user errors and small-scale corruption. In larger organizations tape backups are now driven by one requirement: disaster recovery. Data can now be a company's number one asset, worth more to the operating business than its premises and CEO combined. To safeguard against loss of that data there is only one option: send a copy away from the original in case of disaster.

However, this too poses additional threats to the data. The physical location of the backup media is often overlooked as a risk, and little consideration is given to the fact that should someone obtain several backup cartridges it is possible to recreate large amounts of a company's data. With the introduction of new large-capacity tape devices in the open-systems arena, such as LTO and SuperDLT, often with capacities of 200 GB or more, whole servers can be stored on one cartridge. With most companies choosing to use off-site boxes of tapes, it is possible for an intercepted shipment to contain most, if not all, of a company's vital data.

Paul White, senior consultant, HarrierZeuros

02 Nese Feb.qxd 2/15/02 4:21 PM Page 8


Specialist off-site storage companies offer the most secure location for disaster recovery copies of an organization's data. They handle the cartridges correctly, they have secure facilities, and because they only carry sensitive data they have staff they can trust. The most secure policy is obviously to store data only on company-owned sites, so that cartridges are never with a third party for long. This is an excellent plan with only one weak point, the transport arrangements: couriers!

Freezing the data

Couriers transport everything, and nothing very carefully. Most modern data cartridges are sensitive to shock and vibration, which couriers are not looking to minimize, only to deliver on time. Another aspect of using couriers is temperature gradients. Materials sent by courier will often be shipped from offices with an ambient temperature of 23 degrees Celsius to unheated warehouses with an average temperature of just above freezing, before being transported in vans with even greater temperature extremes!

The use of insecure transport, whether it is staff, couriers or even Royal Mail, is a serious breakdown in a company's data security defence. Companies spend thousands of pounds securing their Internet portals in the hope that no one hacks in and steals information. Consider off-site backup: all you have to do is turn up in a van that is the right colour, mumble something unintelligible to the receptionist, get your clipboard signed, and off you go with the whole datacentre in the back of the van!

Administrative access to the main servers in an enterprise environment is typically well controlled. However, backup administrator or restore rights are often granted to helpdesk support staff. This enables those staff, who may be temporary or contracted, to restore any data, including that belonging to senior members of the company.

This is an important aspect of risk assessment that is often overlooked. While it may be impossible to steal another user's login because of smartcards and the like, if helpdesk staff can restore data, all other security measures can become redundant. This is a hard problem to tackle; most backup applications will only allow access control at a server level per user, so a given user must be granted rights to restore everything on a server or nothing at all! The only solution is to restrict restore access to a few trusted personnel; unfortunately this usually has a detrimental effect on daily operations.


Restricting access to back-ups

There are several simple steps to reduce the risk associated with access to back-ups:

• Ensure the network is well managed and there are no unmonitored machines attached to the network (for example those owned by contractors).

• Use TCP wrappers to restrict host access to certain ports. TCP wrappers act per service, so the back-up daemon must be started via inetd/tcpd or linked against libwrap; this is hard on Windows NT.

• Use back-up application security to restrict host access. This can be achieved using enterprise-class products such as Veritas NetBackup and Legato NetWorker.

• Control software installation.

• Ideally, offer no user access to the server LAN.

• Back up over SSH tunnels.

Stop Press

Security spending to grow in 2002

According to several studies published last month, information security spending will continue to grow during 2002.

Dataquest Incorporated, a Gartner analysis firm, predicts that the worldwide software security market will reach $4.3 billion in 2002, an 18% increase from 2001.

This was echoed in another study by market researcher International Data Corp. (IDC), which claimed that network protection providers will see their profits rise from $720 million in 2000 to $2.2 billion in 2005.

Colleen Graham, an industry analyst at Dataquest, Inc. said: “Enterprises are looking particularly at defensive security technologies such as anti-virus software, intrusion detection systems and firewalls. Technologies such as biometrics and other forms of authentication are also getting a great deal of attention, but because of the high cost of rolling out such technologies, mass adoption of these products will not occur before 2003.”

Government, education, IT and financial services are all expected to increase their security spending during the next year, while telecommunications services and communications companies are expected to cut back on their security spending.

Graham commented: “Financial services companies are critically concerned about the infrastructure-dependent nature of the industry and are anxious to prevent outages, such as those suffered after 11 September, from occurring again.”

IDC’s study found that the clearest opportunities for new deals for managed security service providers are within small and medium-sized businesses, where there is a strong need for security but a low level of knowledge or resources.

Allan Carey, senior analyst at IDC, said: “The managed security services market is being driven primarily by resource constraints to capital and security expertise, as well as the growing complexity of networks and rogue access points, which exponentially increase exposure to vulnerabilities and threats. These factors combined are drastically affecting the way organizations approach risk mitigation. Customers want information security solutions to seamlessly integrate into the network, ensure scalability, and provide a measurable return on investment.”
