there are lots of problems with unencrypted backups.
first, they are seldom accessed, so it's unlikely you'll know they are missing.
second, they are easily and undetectably copied.
let's say an iron mtn employee went rogue, and decided to borrow and copy (then return) a single tape per day from random banking customers. what is the likelihood that this would be detected?
oh, i have some new tricks also. that old tricks still work well may be more entertainment than news.
storytelling is often useful in educating people (other than those here).
(you might as well criticize yoda for having wrinkles. when you as old as i am, then *your* weight we will measure.)
there are two reasons for asking this question.
one reason is to determine how mindful they are about what their secrets are. (many companies have no labeling program for confidential material, and their employees have low awareness of secrecy.)
the other reason is to get them to identify secrets which they think ought to be well protected, and see if in fact they are.
almost any interested insider would be able to find this out quickly. there's no point in wasting their money determining it independently.
most of my attack scenarios feature insiders with limited privilege, because these attacks can be extremely damaging.