Page last updated on Tuesday, November 29 2005 at 1535 UK
Computer hackers and authors of malicious software are turning their attention to exploiting flaws in information backup systems, says research backed by the UK Government’s Home Office.
The annual SANS Top 20 report on critical internet vulnerabilities has identified a shift over the past 12 months away from traditional attacks targeted at operating systems like UNIX and Windows. The latest wave of attacks in 2005 has concentrated on backup and recovery applications, as well as the antivirus and security tools which organisations rely on to keep them safe.
"We are seeing a trend to exploit not only Windows, but other vendor programs installed on large numbers of systems," says Rohit Dhamankar, lead security architect at 3Com’s TippingPoint division. "These include backup software, anti-virus software, database software and even media players. Flaws in these programs... have the potential to compromise the entire network."
Director of research for the SANS Institute, Alan Paller, says that many IT departments are failing to properly secure vulnerable data backup and storage systems. Paller believes that part of the problem is down to a lack of communication between vendors and users.
"Many of the owners of these systems do not know that their systems are vulnerable because the vendor no longer has their email, as they may have changed their address, and because backup software users rarely check for updates", explains Paller. "Sadly, that's where the most valuable data is stored, because people only back up important information".
The SANS Top 20 report also points to a second new threat in the form of vulnerabilities in network devices such as routers and switches.
As the on-board software in these devices grows more complex, they can be programmed just like computers. An attack on such a device provides hackers with an ideal platform for eavesdropping or gaining entry into other areas of a network.
The SANS Top 20 (2005) list is available here.
