Six steps to beating backup server hacks

1. Lock down unused ports
Consult your backup vendor's documentation to determine which ports are absolutely necessary for proper operation of your backup system, and then lock down all others. For example, if your backup server doesn't need to be a NFS (Network File System) or CIFS (Common Internet File System) server, then shutdown or remove its ability to provide those services. The same is true for Web, print, Telnet and any other services that aren't necessary for proper backup server operation.

2. Require encrypted access
If you are using plain text protocols to manage your backup server, an intruder can monitor your packets and determine your administrative password. Create a policy that forbids plain text access to your backup server, and enforce it. Start by uninstalling or shutting down plain text protocols, such as Telnet, FTP, HTTP, etc. Then require all administration to be done via encrypted protocols such as SSH, HTTPS, secure FTP and SCP.

3. Minimize the number of people with full access
If your backup software requires root or administrator access for administration, limit the number of people with that access. Give backup servers a different administrative password, and only give it to those who require access to backup servers. Regular administrators probably won't like it -- because they're used to having the administrative password to the entire world -- but explain that it's for their own protection. Put the administrative password for the backup system in a sealed envelope in a safe and only permit access those who really need it.

4. Log backup activity and changes to a separate server if possible
Use syslog capabilities in Unix backup servers or third party data protection management products to log all backup activities and changes to a separate server that can't be overwritten by a malicious administrator.

Related information Learn more about beating backup threats in this webcast. Download this presentation to learn basic techniques for encrypting sensitive data.

5. Separate media management from backup management
You can also apply the separation of powers concept to media management by dividing the responsibilities of loading tapes and configuring backups between two people. Typically, one person performs these tasks, but separating these duties makes it harder for a malicious employee to wreak havoc. If a malicious employee has administrative privileges but cannot get their hands on media, they can't do any damage. If they can get their hands on media but can't put anything on it because they don't have the right privileges, they also can't do any damage.

6. Investigate the security features of your backup product
Backup software products have added a number of security features over the last few years, including encryption, role-based security, and enhanced authentication of clients and administrators. Encryption features may encrypt backup sessions, backup tapes or administrative sessions. Role-based security stops the process of requiring root/administrator access to administer the system, and gives you the ability to split duties and separate powers. Finally, enhanced authentication systems abandon the old practices of using IP addresses and hostnames to authenticate systems. Investigate which of these features your product has implemented, and start using them immediately.

Some of these tips will be harder to follow, but following any of these tips is better than following none of them. Let's lock down those backup servers!

About the author
W. Curtis Preston is vice president of data protection at consultancy Glasshouse Technologies. He is also the author of "The Storage Security Handbook," "Using SANs and NAS," and "Unix Backup and Recovery." Preston has also contributed numerous data protection articles to leading IT publications and has been designing and implementing data protection systems for more than 12 years. Currently he consults on data protection with end users from Fortune 100 and Fortune 500 companies, as well as with vendors around the world. Preston is also one of the mostly highly rated presenters at Information Security Decisions.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Risk Management Strategies,   Enterprise Data Governance,   Enterprise Data Protection,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Risk Management Strategies How to justify information security spending on cloud computing How to protect distributed information flows Black box and white box testing: Which is best? Breach prevention: How to keep track of data and applications Information security management hype: Debunking best practices Monitoring program data and internal controls for risk management Cloud computing security: Choosing a VPN type to connect to the cloud Cloud computing security: Routing and DNS security threats Cloud computing security model overview: Network infrastructure issues How to align an information security framework to your business model Enterprise Data Governance How to protect distributed information flows Interpreting 'risk' in the Massachusetts data protection law Creating an enterprise data protection framework Analyst DLP study finds maturity, ranks top DLP vendors Voltage, RSA spar over tokenization, data protection Twitter gets condemned by CISOs at Forrester forum PCI DSS compliance requirements: Ensuring data integrity Trustwave acquires data loss prevention vendor Vericept Data has become too distributed to secure, Forrester says Cloud-based security services should start private RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary cut-and-paste attack  (SearchSecurity.com) data masking  (SearchSecurity.com) data splitting  (SearchSecurity.com) deperimeterization  (SearchSecurity.com) Google hacking  (SearchSecurity.com) masquerade  (SearchSecurity.com) snooping  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.