I work for an ASP (application service provider). I have a deep understanding of what it means to provide an Internet based service to customers.
I can understand how EZBoard is vulnerable to an attack (especially if it was an inside job - like an ex-employee). I can understand how long it can take to recover from this situation and how taxing it is on servers and staff to work through this type of issue.
What I absolutely cannot understand is that the attacker was able to delete production and backup data. That is absolutely unacceptable. Any reputable company with any kind of experienced IT staff should have strict policies about where backup data is stored. I have inferred from the EZBoard information about this hack that they have backup data online. THis makes sense has they probably need to be able to restore quickly for normal operations.
What makes no sense whatsoever is why a copy of that backup data is not stored OFFSITE in a physically and logically inaccessible location. For example, my company maintains online and offline backups. The offline backups are stored on tape which are picked up by a service and stored in a vault at a facility across town. This is not a luxury service. It is not expensive (relative to the cost of not being able to restore data) and has been an industry standard practice for many years. My past 3 jobs have all used offsite storage of some kind.
I suppose that offsite isn't really the issue though. The fact of the matter is that EZBoard has all but confessed that they don't even have backups going to tape (or other removable offline media). What the heck? Backing up to tape has been a common practive sense, like forever (we're talking 1970's here if not earlier).
Lame, lame, lame. As an IT Manager, I would love to talk to their IT Manager and smack him around for running a half-ass shop.
Hey, I realize that everything costs money, even tape backups. There are alternatives. There are cheap alternatives. There are 50,000,000 ways to get your data to a secure location (ie - not connected to the network).
There is no excuse and I hope that their second step after plugging security holes is to create a viable offline backup process.
IDIOTS.
/vent
I can understand how EZBoard is vulnerable to an attack (especially if it was an inside job - like an ex-employee). I can understand how long it can take to recover from this situation and how taxing it is on servers and staff to work through this type of issue.
What I absolutely cannot understand is that the attacker was able to delete production and backup data. That is absolutely unacceptable. Any reputable company with any kind of experienced IT staff should have strict policies about where backup data is stored. I have inferred from the EZBoard information about this hack that they have backup data online. THis makes sense has they probably need to be able to restore quickly for normal operations.
What makes no sense whatsoever is why a copy of that backup data is not stored OFFSITE in a physically and logically inaccessible location. For example, my company maintains online and offline backups. The offline backups are stored on tape which are picked up by a service and stored in a vault at a facility across town. This is not a luxury service. It is not expensive (relative to the cost of not being able to restore data) and has been an industry standard practice for many years. My past 3 jobs have all used offsite storage of some kind.
I suppose that offsite isn't really the issue though. The fact of the matter is that EZBoard has all but confessed that they don't even have backups going to tape (or other removable offline media). What the heck? Backing up to tape has been a common practive sense, like forever (we're talking 1970's here if not earlier).
Lame, lame, lame. As an IT Manager, I would love to talk to their IT Manager and smack him around for running a half-ass shop.
Hey, I realize that everything costs money, even tape backups. There are alternatives. There are cheap alternatives. There are 50,000,000 ways to get your data to a secure location (ie - not connected to the network).
There is no excuse and I hope that their second step after plugging security holes is to create a viable offline backup process.
IDIOTS.
/vent
