Lose your backup tapes? It could be worse

Commentary--Security watcher Jon Oltsik says there are plenty of reasons to worry about ID theft, but lost backup tapes does not number among them.

Commentary--Identity theft became a real possibility for millions of Americans last year when corporate backup tapes got lost while being moved from data centers to off-site storage facilities. The list of companies reporting transportation foul-ups included blue-chip names like Bank of America, Citibank, Marriott and Time Warner. Incredibly, any career IT person will tell you that companies have been losing tapes for years.

What's new here are disclosure laws. For example, the California Database Breach Act (SB 1386) mandates that organizations publicly disclose data breaches if a single California resident's personal information is at risk. If this personal data just happens to be on misplaced backup tape, so be it.

Unlike the '70s however, there are far easier and safer ways to steal data today.

SB 1386 and other similar laws were certainly enacted with the best of intentions, but do lost tapes really create a security risk? The technically accurate answer is yes but the realistic answer is no. Here's why.

There is no doubt that backup tapes could be a source of confidential data like customer credit cards or trade secrets, and stealing backup tapes isn't a new threat. One well-publicized crime took place in 1977 when a disgruntled IT administrator snatched a bunch of tapes in an attempt to extort money from his employer, Imperial Chemical. The crime was thwarted by the gumshoes at Scotland Yard who nabbed the would-be crook while posing as street cleaners in London.

Crimes like this are still possible but not nearly as probable. To pull off this caper, you'd need to be a knowledgeable insider with criminal intent. Unlike the '70s however, there are far easier and safer ways to steal data today.

If I work in IT, I can simply log on to a database server as "administrator" and steal anything I want. I can also steal someone's user name and password and use their account or install a backdoor on a system so I can access it whenever and wherever I want to. Even if I know nothing about systems or network administration, I can copy a file to a USB storage key and walk off with a few gigabytes of confidential info. A few million credit card numbers? No problemo.

There is no doubt that all of our personal data is in more peril than ever, but we do need to balance vigilance with common sense.

Compare this to stealing backup tapes where I'm bolting out the emergency door of a data center with a container full of magnetic media. Suspicious behavior, to say the least, not to mention the physical evidence I've burdened myself with. You'd need to be either really brave or really stupid to do this.

Finally, it's not hard to realize that a container full of tapes is gone. Once this is discovered, alarms sound and law enforcement types are called in to start grilling the IT staff. In a "logical" type of attack, you can compromise a system, "own" it for months, and cover your tracks if you know what you are doing. Last time I checked, criminals aren't looking for notoriety or challenges, they are looking for money.

OK, so what happens if a bad guy is walking down the street and finds a couple of backup tapes? What's the risk of a data breach then? Think 'winning the lottery' or 'getting hit by a bolt of lightning.'

First off, backup tapes are pretty fragile and don't take well to shock or extreme climates. A tape could become unreadable after a few hours of sitting in the rain or extreme heat and it might be completely useless if it fell out of a truck at 40 mph.

Here's another thing about tapes: They are virtually anonymous. Tapes generally have two identifiers on them, a bar code and serial number, neither of which is useful for identification. In other words, tapes don't come with labels on them that say, "Customer credit card numbers from Acme Bank." Even if I knew where they came from, I still would have no idea what data they contained.

The data on tapes also depends upon backup operations (warning, this is a bit geeky but here goes).

Some backups ("full backups") capture all the data in a system but the majority of backups only capture any data that has changed since the last backup ("incremental backups"). Most shops do one full backup per week while protecting daily changes with incremental backups.

These backup processes mean you'd be far more likely to find tapes from an "incremental" than "full" backup run. Incremental backup tapes would have pieces of data that would be difficult to understand without access to the actual system. Even if you knew how to read this data, tapes wouldn't contain the "millions of personal records" we read about in the papers.

Finally, would the average criminal have the skills to read a found tape and have access to the right equipment? He could try taking them to a tape forensics specialist but any reputable shop would be suspicious of someone walking in off the street with no knowledge of where the tapes came from or what type of tape drive and backup software were used in the process. This would just as likely end with a call to the FBI as a successful heist.

Put all of these factors together and you realize that some crook would need a combination of skills, resources, a four-leaf clover, horseshoe and rabbit's foot to steal data off a few found backup tapes.

There is no doubt that all of our personal data is in more peril than ever but we do need to balance vigilance with common sense. Tapes are going to get lost as they always have but this type of attack vector (i.e. stolen backup tapes) is pretty passe with digital crooks. Too obvious and risky.

The risk of some random sleazebag serendipitously profiting from found tapes on the side of the highway is extremely remote-–a really small needle in a humongous haystack.

Jon Oltsik is a senior analyst at the Enterprise Strategy Group.