The LTO-CM Chip As a Potential Attack Vector
Cybercriminals look for novel ways to build their assaults, and while the LTO-CM chip stores an extremely limited amount of data, it could potentially serve as an attack vector. This could become a more significant issue with future versions of the LTO format — as the LTO-CM chip increases in storage size, attackers could attempt to install malware directly on the chip. Viruses smaller than 16 kilobytes are common, though a cybercriminal would need to use creative methods in order to execute malware on a current-generation CM chip.
More practically, the LTO-CM chip contains information about tape usage that could inform a cybercriminal’s actions. In a targeted attack, the data could prove useful; if a bad actor understands a company’s backup schedule, they could attempt to eliminate all existent backups before a primary attack occurs.
For these reasons, the LTO-CM chip needs to be completely sterilized along with the data storage portion of the tape cartridge. Sanitization isn’t difficult, but most enterprises are unaware of the potential threat.
Does the LTO-CM Chip Store Usable Data?
The LTO-CM chip does not store “real" data under typical circ*mstances. In other words, when the drive writes to the tape, it does not pass that data through the chip; the purpose of the cartridge memory is to allow the tape drive to function more efficiently.
With that said, the CM chip still needs to be sanitized properly. Shredding tape cartridges often leaves the CM chip untouched (and as we’ve discussed on this site, shredding modern LTO cartridges can leave a tremendous amount of recoverable data). Degaussing is more a secure method of tape disposal when done properly — though operators need to understand degaussing techniques — but does not affect the CM chip.
Remember, All Data Storage Media Presents Risks
The LTO format has built-in security features to protect data from cybercriminals. Given its fast read/write speeds, large capacity, and low cost, LTO-8 is an excellent option for enterprise data storage. It’s easily the most popular non-obsolete data format in constant use, and we have no reason to advise against LTO-8 or the upcoming LTO-9 and LTO-10 formats.
With that said, all storage media must be used — and sanitized — using appropriate methods. The CM chip presents a unique vector for potential attacks, and operators must develop safeguards to eliminate unnecessary vulnerabilities.
Our recommendations for using LTO tapes equipped with a cartridge memory chip:
● Use appropriate sanitization methods. The CM chip should be wiped or destroyed as part of a sanitization procedure. Degaussing will not target the chip, and neither will shredding; incineration is effective for destroying the cartridge memory (along with the rest of the cartridge), but can be costly.
● Limit peripheral access to backup systems. When secured, tape backups are a powerful defense against ransomware and other cyberattacks. Enterprises should limit all peripheral use for these important systems — that includes optical media, flash drives, and external hard drives.
● Maintain records when data cartridges contain sensitive information. Keep track of all processes performed, including regular backups and sanitization procedures.
Total Data Migration’s experts can help your enterprise form an appropriate sanitization strategy. For a free consultation, contact us or call (800) 460-7599.
Why Is Data Migration Seen as Difficult and Risky?
\he short answer is "data gravity." Although the concept of data gravity has been around for some time, the challenge is becoming more significant because of data migrations to cloud infrastructures. In brief, data gravity is a metaphor that describes:
- How data attracts other data to it as it grows
- How data is integrated into a business
- How data becomes customized over time
- To move applications and data to more advantageous environments, Gartner recommends "disentangling" data and applications as a means of overcoming data gravity. By making time at the beginning of the project to sort out data and application complexities, firms can improve their data management, enable application mobility, and improve data governance.
What is the Best Approach?
The main issue is that every application complicates data management by introducing elements of application logic into the data management tier, and each one is indifferent to the next data use case. Business processes use data in isolation and then output their own formats, leaving integration for the next process. Therefore, application design, data architecture, and business processes must all respond to each other, but often one of these groups is unable or unwilling to change. This forces application administrators to sidestep ideal and simple workflows, resulting in suboptimal designs. And, although the workaround may have been necessary at the time, this technical debt must eventually be addressed during data migration or integration projects.
Given this complexity, consider promoting data migration to "strategic weapon" status so that it gets the right level of awareness and resources. To ensure that the project gets the attention it needs, focus on the most provocative element of the migration – the fact that the legacy system will be turned off – and you’ll have the attention of key stakeholders, guaranteed.
What Is Data Migration?
Data migration is the process of moving data from one location to another, one format to another, or one application to another. Generally, this is the result of introducing a new system or location for the data.
The business driver is usually an application migration or consolidation in which legacy systems are replaced or augmented by new applications that will share the same dataset.