ericgeater
Community Champion

Offline backups, in the encyclopedic sense

My supervisor handed me a questionnaire provided by our cybersecurity underwriter, which asks us to describe our company's cybersecurity posture.  Many questions were sensible (direct questions about RDP use and hardening, inquiring about the typical scope of a VA / pentest partner, "please describe your data retention policy," etc.), but one question which stood out was about daily offline backups of critical data.

 

Some refer to "offline backups" as those which will permit a prod database to keep running.  Others refer to the term as synonymous with "offsite backups", which I disagree with for obvious reasons.  A third school suggests offline means in a different storage infrastructure (CIFS versus SMB, for example) or on a custom / isolated network range.

 

What's your usage of this term?

 

edits in italics

-----------
A claim is as good as its veracity.
3 Replies
CISOScott
Community Champion

Offline backups - You hook a device to the network, make the backup, then disconnect from the network. Could also be that you make a backup tape/media and then remove that media from the media creator (tape drive/storage) so that it cannot be overwritten/damaged without being put back into the storage creation device. Hence the data would be onsite, but offline.

Offsite backups - You make a backup and then take the storage media to another site that is not at the same site. Then the data would be offsite and also presumably offline.

Redundant site - Data is replicated to a hot site or redundant site. Unless precautions were taken, the data would be offsite but still online.

 

If you fear ransomware you definitely want your backups to be offline so that they cannot be corrupted via the same attacker or attack.

If you fear an insider or on-premises attack, you definitely want your backups offsite so that someone cannot remove/tamper/destroy them without knowing where the offsite backup location is.

 

denbesten
Community Champion

Given that it is an underwriter asking the question, I would answer as if "offline" means that the backup has been made unavailable to the computer so as to prevent ransomware from being able to corrupt both the running machine and its backup.   Here are my definitions (with a few thrown in for good measure):

 

online - The backup remains immediately available to the computer after the backup is complete (e.g. when one copies a file from c:\ to d:\)

offline - The backup cannot be modified by the computer once the backup is complete (traditionally, a tape on a shelf).

 

onsite - the backup is located in the same "building" as the device being backed up.

offsite - the backup is located elsewhere, presumably many miles away.

 

point-in-time - the backup is done at specific times and contains a copy of what the machine looked like at that moment.

continuous - the backup updates every time a file is changed so it always has the same content as the machine.

 

Industry-wide, there has been an almost complete shift to online backups due to convenience and reduced labor costs, which puts us at much greater collective risk of malware destroying the backups, hence the underwriter's use of the word "offline".

 

I have seen examples of all the above combinations.  The least-typical being "offline, onsite, continuous" -- which one can find in the paper journal attached to the electronic voting machines, and historically with WORM drives.
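The two replies above make the same practical point from different directions: a backup the compromised host can still reach (CISOScott's "online" redundant site, denbesten's "continuous" mirror) is corrupted by the same ransomware that hits production, while a point-in-time copy the host cannot modify survives. The script below is an added, constructed simulation of exactly that, not code from either poster. It builds a small "production" tree in a temp directory, keeps a continuously synced mirror and a point-in-time snapshot of it, runs a toy XOR-and-rename stand-in for ransomware against production, and then compares what each backup still contains. "Offline" is simulated simply by not exposing the snapshot path to the malware; everything here (file names, contents, the `.locked` suffix, the XOR key) is made up for the demonstration.

```python
"""
Added example: continuous (online) mirror vs. point-in-time snapshot when
the source tree is hit by file-encrypting malware. All data is constructed.
"""
import hashlib
import os
import shutil
import tempfile

# Constructed sample data standing in for "critical data".
SAMPLE_FILES = {
    "ledger.csv": b"id,amount\n1,100\n2,250\n",
    "notes/readme.txt": b"quarterly close checklist\n",
}


def write_source(src: str) -> None:
    """Populate the production tree with the constructed sample files."""
    for rel, data in SAMPLE_FILES.items():
        path = os.path.join(src, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def sync_mirror(src: str, mirror: str) -> None:
    """Continuous/online backup: make the mirror identical to src, including
    deleting anything that no longer exists in src. A faithful replica
    replicates corruption just as faithfully as it replicates good data."""
    if os.path.isdir(mirror):
        shutil.rmtree(mirror)
    shutil.copytree(src, mirror)


def take_snapshot(src: str, snapdir: str, label: str) -> str:
    """Point-in-time backup: copy src into a new, separately named snapshot
    that later backup runs never touch."""
    dest = os.path.join(snapdir, label)
    shutil.copytree(src, dest)
    return dest


def fake_ransomware(root: str, key: int = 0x5A) -> int:
    """Toy stand-in for ransomware (hypothetical, not any real sample): XOR
    every file it can write under root and rename it with a .locked suffix.
    XOR keeps the example tiny; the effect on a backup is the same as with a
    real cipher, the original content is no longer there."""
    hit = 0
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            with open(path, "wb") as f:
                f.write(bytes(b ^ key for b in data))
            os.rename(path, path + ".locked")
            hit += 1
    return hit


def tree_digest(root: str) -> dict:
    """Map relative path -> SHA-256 of content, used to compare whole trees."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                out[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return out


def run_scenario(snapshot_reachable: bool) -> dict:
    """Run one backup cycle, then the malware, then the next mirror sync.
    snapshot_reachable=True models a snapshot store that is still mounted on
    the infected host; False models denbesten's 'tape on a shelf'."""
    work = tempfile.mkdtemp(prefix="backup-demo-")
    src = os.path.join(work, "source")
    mirror = os.path.join(work, "mirror")
    snaps = os.path.join(work, "snapshots")
    os.makedirs(src)
    os.makedirs(snaps)
    write_source(src)
    clean = tree_digest(src)

    # Scheduled backup jobs run while everything is still healthy.
    sync_mirror(src, mirror)
    snap = take_snapshot(src, snaps, "2024-01-01T0200")

    # Ransomware fires on the production host. If the snapshot store is
    # reachable from that host the malware walks it too; "offline" is
    # simulated here by not exposing that path at all.
    fake_ransomware(work if snapshot_reachable else src)
    # The next scheduled sync faithfully replicates the damage to the mirror.
    sync_mirror(src, mirror)

    result = {
        "mirror_matches_clean": tree_digest(mirror) == clean,
        "snapshot_matches_clean": tree_digest(snap) == clean,
        "mirror_files": sorted(tree_digest(mirror)),
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print("snapshot offline:  ", run_scenario(snapshot_reachable=False))
    print("snapshot reachable:", run_scenario(snapshot_reachable=True))
```

Running it shows the mirror holding only `.locked` files after the post-infection sync in both cases, the snapshot intact only when it was unreachable. That second run is the caveat worth remembering when answering the underwriter: "point-in-time" alone is not "offline"; a snapshot volume that stays mounted on the backed-up host is just another online copy.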

ericgeater
Community Champion

Thank you both for your examples!

-----------
A claim is as good as its veracity.