Re: secure backups

Subject: Re: secure backups
Date: Mon, 31 Oct 2005 11:24:57 -0800
No. - Sort of.

Understanding the rationality and effectiveness of an approach is not as simple as it may be portrayed. Passwords are effective at mitigating specific threats for specific time periods under specific conditions. And the mechanism by which the password is applied is also important to understand. Here are two examples that help to bring some of these issues to light:

Suppose the password is on the hard drive controller and the drive itself is encrypted internally so that without the password the content does not properly decode. Then the password may be adequate unless the attacker has a strong capability to plant a Trojan in the disk or try many passwords or decrypt the content directly by removing the controller and replacing it with one that allows more direct access followed by decryption.

Suppose the password is the first file on the tape drive and the software reads it to determine if it can then read the rest of the tape. Trivially bypassed by moving the tape up a file and reading. Trivially forged by replacing the password file with another to which you know the password.

You need to provide a complete description in order to have a properly knowledgeable expert analyze a situation relative to these issues. These problems are far more complex than your question belies.

On Oct 30, 2005, at 2:00 PM, Kirk Brady wrote:

Hi Steven

Is password protecting the media/session not enough? Do members of the super users group need to be able to add/modify the jobs, or just be able to run them? Most backup software can work with any user that has Read permissions for the backup target, and can incorporate password level protection for the session or media which is needed for a restore. Unsure how this holds up to a brute force attack though.

HTH
Kirk Brady

-----Original Message-----
From: Steven Meyer [mailto:meysteven@gmail.com]
Sent: Saturday, 29 October 2005 12:52 AM
To: security-basics@securityfocus.com
Subject: secure backups


I am looking for a backup software that only the Superusers could use to back up, but only the administrator could restore. That way nobody could bring data out from the office and I wouldn't need to do regular backups on the user computer. Maybe the backup should be done with a private and public key. If anybody has a good idea, it would be very appreciated. Thank you, Steven Meyer



-- This communication is confidential to the parties it is intended to serve --
Security Posture securityposture.com tel/fax
University of New Haven unhca.com 925-454-0171
Fred Cohen & Associates all.net 572 Leona Drive
Security Management Partners policygeeks.com Livermore, CA 94550
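
The tape example from the reply above, as an added illustration that is not part of the original thread: a password stored as the first file merely gates the read, whereas a password used to derive the keys is bound to the data itself. All names and the sample data are hypothetical, and the HMAC-based keystream is a standard-library stand-in for a real authenticated cipher.

```python
import hashlib, hmac, os

DATA = b"payroll.db contents (constructed sample)"  # constructed sample input

def pw_hash(password):
    return hashlib.sha256(password.encode()).digest()

# Gated layout from the message: file 0 holds the password check, file 1 the data.
def write_gated(password, data):
    return [pw_hash(password), data]
def restore_gated(tape, password):
    if not hmac.compare_digest(tape[0], pw_hash(password)):
        raise PermissionError("bad password")
    return tape[1]  # the password never transformed the data

# Sealed layout: password-derived keys; HMAC-SHA256 counter mode stands in for an AEAD.
def _keys(password, salt):
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]  # encryption key, MAC key

def _xor_stream(key, nonce, data):
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def write_sealed(password, data):
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(password, salt)
    ct = _xor_stream(enc_key, nonce, data)
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return [salt + nonce, ct + tag]  # file 0: parameters only, file 1: ciphertext + tag

def restore_sealed(tape, password):
    salt, nonce = tape[0][:16], tape[0][16:32]
    ct, tag = tape[1][:-32], tape[1][-32:]
    enc_key, mac_key = _keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("wrong password or modified tape")
    return _xor_stream(enc_key, nonce, ct)

def header_swap_succeeds(writer, restorer):
    """Design check: does replacing file 0 with one made for another password expose DATA?"""
    tape = writer("original-pw", DATA)
    tape[0] = writer("known-pw", b"")[0]
    try:
        return restorer(tape, "known-pw") == DATA
    except PermissionError:
        return False
```

`header_swap_succeeds(write_gated, restore_gated)` returns `True` and `header_swap_succeeds(write_sealed, restore_sealed)` returns `False`; resistance to password guessing still depends on the password and the key-derivation cost.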