Penetration Testing
Data in transit (with a twist)... Nov 23 2011 04:11PM
cribbar (crib bar hotmail co uk) (2 replies)

Hey Guys,

This is not so much a pen testing question (although perhaps you pen test
physical transfers) - but as many of you are absolute security experts, some
I assume will be CHECK/CREST approved - it is a valuable resource I'd like
to tap into for some general brainstorming and advice.

I need some best practice controls, ideally in the form of a best practice
checklist that will satisfy internal and external auditors - for when our
data is in transit. The twist is, I am not on about "In transit" in terms of
electronic transfer - I am on about backup tapes and redundant drives
physically being transferred from one site to another. The data on such
falls into "fairly sensitive", i.e. no credit card details, but a degree of
personal data nonetheless.

I've got 2 scenarios really -

(1) All "servers" and backup facilities are in a secure data centre (let's
say building A). When they are physically taken out of this environment and
transferred, I class this data and media as "vulnerable", whereas on site,
in terms of physical security I have reasonable assurance the data is
"relatively safe".

Redundant (those flagged as ready for disposal) drives out of the few
remaining physical servers (some process/store sensitive data) are initially
transferred to local HQ (building B). These drives AREN'T encrypted. Also,
backup tapes (again NOT encrypted) are transferred from building A >
building B as part of disaster recovery ops.

(2) We also have building C which is where the main employees office is.
From here redundant IT kit, such as old PCs are flagged up as ready for
collection. IT collect the kit and it is stored in building B. Once the
store in building B is high enough, a local 3rd party service will collect
the PCs, and "data-wipe" them. Workstation drives AREN'T encrypted. Laptop
devices ARE encrypted.

We need some procedural safeguards in all of this. Especially around
accountability, integrity, and confidentiality. I am struggling to locate a
really detailed best practice guide around physical collection, physical
transfer and storing of redundant hardware and backup media in an
unencrypted state. I assume this falls under "asset management" but again I
am struggling to find a comprehensive best practice checklist that I can
align procedures around. I want to align our procedures with best practice
in this area from a reputable source, but to my surprise there doesn't seem
to be much out there. However, perhaps searching asset management is the
wrong terminology in IT circles.

The risks are obvious. We are essentially transferring highly sensitive data
from different sites in an unencrypted state (issue in itself). There are
accountability, integrity and confidentiality risks to the hardware AND data
resident on this media. There are also potential availability risks in
relation to the backup media, as well as the integrity and confidentiality
risks to the data and backup media. This must fall into compliance for
issues like PCI and HIPAA.

Any best practice or comments will help no end.

Thanks for your time in reading this.



Re: Data in transit (with a twist)... Nov 23 2011 07:22PM
Bog Witch (iambogwitch gmail com)
Re: Data in transit (with a twist)... Nov 23 2011 06:10PM
Vic Vandal (vvandal well com)


Copyright 2010, SecurityFocus