Backup Options in a CyberSecurity Emergency

Disclaimer: This content is the result of my having survived several emergencies of varying effect sizes. Most of these ideas are rules of thumb, and not canned answers. As in any emergency your best outcome will be if you keep calm, consider many options, and flow from plan to backup plan as required.

Keep in mind that backup options, vulnerabilities, and advantages shift in relation to available technologies and to common attack vectors. My current understanding of backup options are as follows:

  1. USB attached hard-drive (more on this below)
  2. fixed media, such as CD-ROM, DVD-ROM, SD-card, etc.
  3. thunderbolt attached hard-drive
  4. firewire attached hard-drive
  5. network backups, such as network attached storage (NAS), cloud services, and the old Linux stand-by NFS
  6. non-internet network backups (i.e. use a off-line server, cross-over cable, and network protocol to make a backup)

USB Backups

It is incredibly difficult to create a clean USB backup. I will outline one of the few ways that I know of which may work. Please take this with a grain of salt and only attempt this method if you have the time, patience, and skill to deal with potential re-infections.

Detect USB Trojans

It is important to know how to detect whether a USB backup is tainted with a trojan. One possibility is to assume that any USB backup is tainted. Another possibility is to examine, by eye, the behavior of a clean OS immediately after inserting a tainted USB (the behavior is a bit bizarre, as a root-kit is being automatically run in the background and an experienced user can detect this by eye). Otherwise, once the trojan binary is identified, anti-virus scanners will be able to detect the presence of a trojan, but it typically takes expert computer scientists months to identify the trojan binary and produce scanning software. Not to mention that clever trojans will also hide from the anti-virus software.

Prevent Install of USB Trojans

Clean a USB Backup of Trojans

This method is based on my best working hypothesis of these trojans, and has not been thoroughly tested. I've used this method in miniature to clean USB OS install media, but have yet to use it for a full, tainted, backup.

Keep in mind that it seems possible to use the following method several times in a row with several USB drives, to iteratively clean up a backup copy using the following workaround. Again, this is a conjectured method of cleaning a USB backup. Keep in mind that attackers may find a vulnerability in this workaround.

Power of Two Choices

With backups, it is important to consider making two clean backups and storing them in separate locations. This leverages the power of two choices [Mitzenmacher, 2001].


  1. Brainstorm another way to prevent installation of USB trojans.
  2. Brainstorm another workaround for cleaning a tainted USB backup.
  3. Help a friend make a clean backup of their data.
  4. Talk with your local IT professionals to brainstorm more backup options.
  5. Consider delegating your security and backup solutions to someone else.
  6. Isolate the code for a USB trojan, dissect it, and fix the hardware and software vulnerabilities which make USB trojans so virulent and prevalent.
  7. If you are in a leadership position, strongly consider providing extra security, backup, and IT resources to minority employees who may be subject to bias and attack.

Mitzenmacher, M. The power of two choices in randomized load balancing, 2001. Parallel and Distributed Systems, IEEE Transactions on 12(10):1094-1104.

© 2015-2021 Intrepid Net Computing. All rights reserved.