Security Basics mailing list archives
Re: secure backups
From: Fred Cohen <fred.cohen () all net>
Date: Mon, 31 Oct 2005 11:24:57 -0800
No. - Sort of. Understanding the rationality and effectiveness of an approach is not as simple as it may be portrayed. Passwords are effective at mitigating specific threats for specific time periods under specific conditions. And the mechanism by which the password is applied is also important to understand. Here are two examples that help to bring some of these issues to light:
Suppose the password is on the hard drive controller and the drive itself is encrypted internally so that without the password the content does not properly decode. Then the password may be adequate unless the attacker has a strong capability to plant a Trojan in the disk or try many passwords or decrypt the content directly by removing the controller and replacing it with one that allows more direct access followed by decryption.
Suppose the password is the first file on the tape drive and the software reads it to determine if it can then read the rest of the tape. Trivially bypassed by moving the tape up a file and reading. Trivially forged by replacing the password file with another to which you know the password.
You need to provide a complete description in order to have a properly knowledgeable expert analyze a situation relative to these issues. These problems are far more complex than your question belies.
On Oct 30, 2005, at 2:00 PM, Kirk Brady wrote:
Hi Steven

Is password protecting the media/session not enough? Do members of the super users group need to be able to add/modify the jobs, or just be able to run them? Most backup software can work with any user that has Read permissions for the backup target, and can incorporate password level protection for the session or media which is needed for a restore. Unsure how this holds up to a brute force attack though.

HTH
Kirk Brady

-----Original Message-----
From: Steven Meyer [mailto:meysteven () gmail com]
Sent: Saturday, 29 October 2005 12:52 AM
To: security-basics () securityfocus com
Subject: secure backups

I am looking for a backup software that only the Superusers could use to backup, but only the administrator could restore. That way nobody could bring data out from the office and I wouldn't need to do regularly backup on the user computer. Maybe the backup should be done with a private and public key. If anybody has a good idea, it would be very appreciated.

Thank you
Steven Meyer
-- This communication is confidential to the parties it is intended to serve --
Security Posture               securityposture.com   tel/fax
University of New Haven        unhca.com             925-454-0171
Fred Cohen & Associates        all.net               572 Leona Drive
Security Management Partners   policygeeks.com       Livermore, CA 94550
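The tape example from the message above, modelled in Python as an added illustration that is not part of the original thread: a password file that merely gates the reading software is set beside a layout where the password derives the key that encrypts and authenticates the data. The list-of-files tape model, all function names and the sample data are assumptions, and the SHAKE-256 keystream stands in for a vetted authenticated cipher.

```python
import hashlib, hmac, os

SECRET = b"payroll records (constructed sample data)"

def pw_file(password):
    """The 'password file' written as file 0 of the gated tape."""
    return hashlib.sha256(password).digest()

def write_gated(password, data):
    # Gate design: file 0 is the password check, file 1 is plaintext.
    return [pw_file(password), data]

def restore_gated(tape, password):
    # Only the cooperating backup software performs this check.
    if not hmac.compare_digest(tape[0], pw_file(password)):
        raise PermissionError("wrong password")
    return tape[1]

def read_past_file0(tape):
    # Any other reader can position past file 0; nothing on the media stops it.
    return tape[1]

def replace_file0(tape, other_password):
    # In the gated layout file 0 is not bound to the data, so it can be swapped.
    return [pw_file(other_password)] + tape[1:]

def derive_keys(password, salt):
    k = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000, dklen=64)
    return k[:32], k[32:]  # encryption key, MAC key

def xor_stream(key, data):
    # Illustration-only keystream (SHAKE-256); use a vetted AEAD in practice.
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def write_encrypted(password, data):
    salt = os.urandom(16)
    enc_key, mac_key = derive_keys(password, salt)
    ct = xor_stream(enc_key, data)
    return [salt, ct, hmac.new(mac_key, salt + ct, hashlib.sha256).digest()]

def restore_encrypted(tape, password):
    salt, ct, tag = tape
    enc_key, mac_key = derive_keys(password, salt)
    expect = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise PermissionError("wrong password or altered tape")
    return xor_stream(enc_key, ct)
```

The encrypted layout still rests on the password's resistance to guessing, the brute-force concern raised in the thread; the PBKDF2 work factor only slows each guess.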