COMPSEC

Dr. Gerry Santoro – Founding Associate Professor

Module 7 – Data Backups

Introduction

As mentioned earlier in this course, while many people equate information security with the threat of hackers or malware, the fact is that more information is lost because of user error, hardware malfunction, or software bugs.Anyone who has ever encountered a computer that would not start up or a storage device with corrupted files has faced this problem.

Information security is concerned with the confidentiality, availability, and integrity of information and information services—regardless of the nature of the threat.

In this section and the next, we will look at two important approaches that lessen the impact from hardware failure, software bugs, and user error: maintaining data backups and planning for system restoration.These approaches will also lessen the impact of a catastrophic malware infection—one that cannot simply be removed.

Data Backups

Almost every computer user has, at one time or another lost an important data file.The causes of loss vary from accidental user deletion to corruption of a storage device.While information in digital format has the potential for very long life, it is a fact that storage devices will degrade over time due to environmental factors and the evolution of digital formats.

As an example of the former, a friend asked me, many years ago,to help him recover data that had been stored on a floppy disk.The disk had been left sitting in direct sunlight for many weeks. Heat resulting from direct sunlight had caused a degradation in the physical medium and certain sectors of important data files on the disk had becomeunreadable.Using a forensics utility, I was able to retrieve some, but not all, of the data.

As an example of the latter, I remember discarding boxes of 5.25-inch floppy disks after first moving important files to other formats, because floppy disk drives were becoming increasingly scarce.Today many computers do not come with any kind of floppy disk drive at all, although some can still be found as options for new computers. New digital formats are constantly evolving. Now many people store their information in the cloud using a service such as an FTP server, Google Drive, or Dropbox.Even if you store files on CD or DVD, you must be periodically copy the data to new storage to avoid the possibility of loss. According to the Records Management section of the U.S. National Archives Web site, the life expectancy of CDs and DVDs is two to five years, although a variety of factors (such as heat and handling) can reduce this.Unrecorded CDs and DVDs have a shelf life conservatively estimated to be between five and tenyears, so it is best to purchase new media as you need them rather than buying a large number for future use.

Just Data Backups?

When you are restoring information to your system, consider data backups specifically, instead of backups of data and applications. This is primarily because application backups will also backup any application vulnerabilities or malware that might have existed at the time the backup was made.I have heard many horror stories of restoring a system from backups that had been damaged by malware only to discover that the malware had also been restored.

If you need to restore an application, your best approach would be, for commercial (licensed) applications, to keep the installation disks andother installation information, and for any open source applications, to keep note of the source from which you downloaded them. These can then be re-installed as necessary. In many cases, applications will not need to be re-installed.

Many strategies exist for data backups, ranging from making copies on removable media to using a cloud-based backup service. Whichever strategy you use, it should be one that will be easy to follow and easy to recover.

My data backup strategy starts withgrouping my data files into two categories: low risk and high risk.Low risk data files are files that I could lose and not suffer major inconvenience. An example would be music files in MP3 format that I ripped from a music CD that I had purchased.I can always rip another copy if needed.This may be inconvenient, but it is not a disaster.High-risk data files are files whose loss would be disastrous.An example would be digital pictures of a vacation or special family event. Another example would be student grades.With loss of digital pictures, the loss is permanent; with loss of student grades, a large amount of work would have to be re-done.

Low-Risk Data File Backup

I backup low-risk data files to multiple removable storage devices—my favorite being USB-connected portable hard drives. I make at least two copies, being respectful of redundancy.I then make yearly checks of the drives by copying the contents to a temporary location to identify any corrupted files. If using CD or DVD for this, I could simply copy the data to a new CD or DVD, although I have found that the convenience of using 1TB removable hard drives greatly outweighs their cost.I have also found that it can be useful to have multiple copies on the same storage device, because device corruption will not always affect the entire device.

Warning: Do not have your only backup on the same device as your original. I once had a friend ask me for help in restoring files after his primary hard drive had crashed.I asked if he had backups, and he said that he did. Unfortunately, I discovered that his backups were on the same primary drive and were also lost.

High-Risk Data File Backup

High-risk data files need more care because their loss would result in greater problems. One way to address this is with multiple backups. Another way is with backups to different media. I backup important personal data files, such as pictures, videos, and documentsto multiple storage devices as well asto a cloud-based service provider.In the case of personal documents, the files are first encrypted —which will be covered in a later topic. In the case of student information, I use FERPA-compliant cloud storage provided by Penn State.

Another Advantage to Removable Media

The use of removable media provides another advantage—files can be carried with you and accessed as needed. I only keep the operating system, applications, and copies of data files (such as a subset of my music collection) on the primary hard drives of my computers.All other data files are maintained on removable media, which I can regularly and conveniently back up.

By following this approach, I have found that when a hardware problem arises on one of my computers— as will inevitably happen—I need only move the storage to a different computer (having the needed applications) and I am back in business.

Sidebar for small businesses

Backup maintenance is a very important function of the small business IT group. Data servers and network-connected computers can be easily backed up on a regular basis.Many organizations instruct their users to log off network-connected computers, as opposed to powering them off, so that backups and other maintenance can be applied overnight.

Removable storage devices and BYOD devices pose special challenges for the small business. It may not be easy to regularly backup data on these devices.There are various ways to address these challenges, such as always using cloud-based services, where the data are stored on a cloud server rather than the portable device.Whatever approach is chosen, it is important that users be educated in the correct procedures and the reasons for those procedures.

Resources

  • Frequently asked questions about optical storage media from US National Archives:
  • 26 Online Backup services Reviewed:
  • Backup – Wikipedia:
  • Seven Backup Strategies for your Data, Multimedia, and System files:
  • How to Backup Files on your Computer – a 5-part Series:
  • The Best Data Backup Strategy for you: