Continuity™ provides the industry’s ONLY storage & backup security solution, to help you protect your most valuable data.
We analyzed data from a large number of storage risk assessments, to provide a unique insight into the state of storage security. The analyzed data covers multiple storage vendors and models, including Dell EMC, IBM, Hitachi Data Systems, HPE, Cisco, Brocade, NetApp, and others.
The analysis covered the configuration of block, object and IP storage systems, SAN / NAS, storage management servers, storage appliances, virtual SAN, storage network switches, data protection appliances, storage virtualization systems and other storage devices.
We discovered over 6,000 security misconfigurations, allowing us to uncover recurring patterns and important security considerations many organizations fail to get right when managing storage & backup systems.
These misconfigurations fit into four main categories:
423 enterprise storage devices were analyzed, and a total of 6,300 security risks (vulnerabilities & security misconfigurations) were detected, spanning more than 170 security principles that weren’t adequately followed.
In this post, we address the most common types of security risks found:
Three additional risk types were discovered. Although these are less frequent than the top five risks above, each could lead to substantial data compromise if exploited. These include:
Let's go through each of the risks and explain why they're so critical.
Storage protocols span both traditional networking (IP over Ethernet and WAN) and dedicated Fibre-Channel storage networking. It is critical to secure those protocols both during session establishment, and while exchanging data. However, in a far too-high number of cases, and in most environments, it is still common to find configuration gaps such as:
Significance of the risk: cybercriminals can use such configuration mistakes to retrieve configuration information and stored data, and in many cases can also tamper with (e.g., modify, destroy, or lock) the data itself, including the copies used to protect it.
There is a variety of software components used for Storage devices, and storage networking, that get updated from time to time, including:
Vulnerabilities are discovered on an ongoing basis for such devices, and Common Vulnerabilities and Exposures (CVE) records are published accordingly. In most cases, a fix in the form of an upgrade or a configuration change is suggested. The vulnerability management tools commonly used by organizations and enterprises do not detect many storage CVEs (they focus on server operating systems, traditional network gear, and software products), and a rather large percentage of storage devices (close to 20%) are exposed. More than 70 different CVEs were detected in the environments covered in this research (and, of course, many more exist).
Significance of the risk: each CVE details the possible exposures and outcomes it presents, and these span a rather wide range. Among the risks identified in the environments included in this research were the ability to exfiltrate files, initiate denial-of-service attacks, and even take ownership of files and block devices.
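The check that the text says common vulnerability scanners skip for storage gear is a version-range comparison between the firmware inventory and published advisories. The following is an added example, not code or data from the report: the device inventory, the advisory list, the CVE identifiers (placeholders) and the helper names are all constructed for illustration.

```python
"""Flag storage devices whose firmware version falls inside a known-affected
range. Added example: inventory, advisories and CVE identifiers are constructed
placeholders, not data from the report."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Advisory:
    cve_id: str           # placeholder identifier, not a real CVE number
    product: str          # product family the advisory applies to
    first_affected: str   # lowest affected version (inclusive)
    fixed_in: str         # first fixed version (exclusive)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.1.0.3' (or '9.1.0.3-p2') into (9, 1, 0, 3) for numeric comparison."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)   # non-numeric suffixes are ignored
    return tuple(parts)


def is_affected(version: str, adv: Advisory) -> bool:
    """True when first_affected <= version < fixed_in."""
    v = parse_version(version)
    return parse_version(adv.first_affected) <= v < parse_version(adv.fixed_in)


def exposed_devices(inventory: List[Dict], advisories: List[Advisory]) -> Dict[str, List[str]]:
    """Return {device_name: [cve_id, ...]} for devices running an affected version."""
    findings = {}
    for dev in inventory:
        hits = [a.cve_id for a in advisories
                if a.product == dev["product"] and is_affected(dev["version"], a)]
        if hits:
            findings[dev["name"]] = hits
    return findings


def exposure_ratio(inventory: List[Dict], advisories: List[Advisory]) -> float:
    """Share of the inventory with at least one unpatched advisory."""
    return len(exposed_devices(inventory, advisories)) / len(inventory)


# Constructed sample inventory (product names and versions are invented)
INVENTORY = [
    {"name": "san-array-01", "product": "ExampleArrayOS", "version": "9.1.0.3"},
    {"name": "san-array-02", "product": "ExampleArrayOS", "version": "9.2.1.0"},
    {"name": "fc-switch-01", "product": "ExampleFabricOS", "version": "8.2.2"},
    {"name": "backup-appl-01", "product": "ExampleBackupOS", "version": "4.0.7"},
    {"name": "nas-filer-01", "product": "ExampleArrayOS", "version": "9.0.5.1"},
]

# Constructed advisories with placeholder CVE ids
ADVISORIES = [
    Advisory("CVE-XXXX-PLACEHOLDER-1", "ExampleArrayOS", "9.0.0.0", "9.2.0.0"),
    Advisory("CVE-XXXX-PLACEHOLDER-2", "ExampleFabricOS", "8.0.0", "8.2.3"),
]

if __name__ == "__main__":
    for name, cves in exposed_devices(INVENTORY, ADVISORIES).items():
        print(f"{name}: {', '.join(cves)}")
    print(f"exposed share: {exposure_ratio(INVENTORY, ADVISORIES):.0%}")
```

The version parser deliberately tolerates vendor suffixes such as `-p2`, because storage firmware strings rarely follow a single scheme and a parser that raises on the first odd string silently drops devices from the report.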
Access control to storage includes several different configuration levels:
A large number of devices were affected by improper configuration, including unrestricted access to shared storage, zoning and masking configurations that go against vendor recommendations, the ability to reach storage elements from external networks, and more.
Significance of the risk: incorrect access-rights management can at best lead to data exposure, and at worst to compromise of the data itself and its copies, and in some cases of the operating systems of the hosts that use the storage.
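"Unrestricted access to shared storage" is most visible in NAS export tables. As an added example (not code or data from the report), the audit below parses a constructed exports table written in `/etc/exports` syntax and flags wildcard clients, `no_root_squash`, and client ranges wider than a /16; those three thresholds are this example's own hardening choices.

```python
"""Audit NFS export definitions for unrestricted access to shared storage.
Added example with a constructed exports table; not code or data from the report."""
import ipaddress
from typing import List, Tuple

# Constructed sample: path followed by one or more client(options) entries
SAMPLE_EXPORTS = """
# finance share, restricted to one subnet and root-squashed
/vol/finance  10.10.5.0/24(rw,sync,root_squash)
/vol/scratch  *(rw,no_root_squash)
/vol/backup   backup-srv01(ro)  10.10.9.0/24(rw,sec=krb5p)
/vol/media    10.0.0.0/8(rw)
"""

BROAD_PREFIX_LIMIT = 16  # client ranges wider than a /16 are treated as over-broad


def parse_export_line(line: str) -> Tuple[str, List[Tuple[str, List[str]]]]:
    """Split '/path  client1(opts)  client2' into (path, [(client, [opts]), ...])."""
    fields = line.split()
    path, clients = fields[0], []
    for token in fields[1:]:
        if "(" in token:
            client, opts = token.split("(", 1)
            options = [o for o in opts.rstrip(")").split(",") if o]
        else:
            client, options = token, []   # no options: server defaults (ro, root_squash) apply
        clients.append((client, options))
    return path, clients


def audit_exports(text: str) -> List[Tuple[str, str, str]]:
    """Return (path, client, issue) findings for exports that grant too much access."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, clients = parse_export_line(line)
        for client, options in clients:
            if "no_root_squash" in options:
                findings.append((path, client, "no_root_squash grants remote root on the share"))
            if client.startswith("*"):
                findings.append((path, client, "wildcard client matches any host"))
                continue
            try:
                net = ipaddress.ip_network(client, strict=False)
            except ValueError:
                continue              # hostnames and netgroups are not range-checked here
            if net.prefixlen < BROAD_PREFIX_LIMIT:
                findings.append((path, client, f"client range wider than /{BROAD_PREFIX_LIMIT}"))
    return findings


if __name__ == "__main__":
    for path, client, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} [{client}]: {issue}")
```

Hostnames and netgroups pass through unchecked; a fuller audit would resolve them against the approved host inventory, which is exactly the documentation step the text says is often missing.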
Storage devices are managed using users and roles, and in many cases access to the data itself is also regulated by similar means. There are basic recommendations for user management and authentication that are, for a variety of reasons, not applied to storage devices with the same rigor as to compute and network elements. These include:
Significance of the risk: incorrect and insecure configuration can allow cybercriminals to take full control over the storage device, up to and including the exfiltration and destruction of the data and its copies.
Logging and auditing are a fundamental requirement of any sound security practice, including storage. All administrative activities and security configuration changes should be logged, and for sensitive information it is also recommended that storage access be logged. Proper logging involves the correct configuration of logging itself (including level of detail and event types), the configuration of approved, redundant central logging servers, correct timekeeping, and more. A large percentage of production storage devices (around 15%) were not logged at all, and a substantial additional share of those that were logged was susceptible to manipulation.
Significance of the risk: improper logging can help cybercriminals mask malicious activities and interfere with the ability of central security tools to detect anomalies.
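The requirements in the paragraph above (approved and redundant central log servers, the right event classes, correct timekeeping, and a log that administrators cannot simply clear) can be turned into a posture check. The following is an added example, not code from the report or a vendor: the device configuration fields, collector addresses and event-class names are constructed assumptions standing in for whatever a real device's configuration export provides.

```python
"""Audit a storage device's logging posture. Added example; the configuration
schema and collector addresses are constructed, not a vendor's format."""
from typing import Dict, List

APPROVED_LOG_COLLECTORS = {"10.20.0.11", "10.20.0.12"}   # constructed SIEM collectors
REQUIRED_EVENT_CLASSES = ("admin", "auth", "security_config")


def audit_logging(cfg: Dict) -> List[str]:
    """Return findings; an empty list means the device passes every check."""
    findings = []
    servers = cfg.get("syslog_servers", [])
    if not servers:
        findings.append("no remote log destination configured; device is not logged centrally")
    else:
        if len(servers) < 2:
            findings.append("single remote log destination; no redundancy")
        for srv in servers:
            if srv["host"] not in APPROVED_LOG_COLLECTORS:
                findings.append(f"log destination {srv['host']} is not an approved collector")
            if srv.get("transport") != "tls":
                findings.append(f"log transport to {srv['host']} is not TLS; entries can be altered or dropped in transit")
    logged = set(cfg.get("logged_event_classes", []))
    for event_class in REQUIRED_EVENT_CLASSES:
        if event_class not in logged:
            findings.append(f"event class '{event_class}' is not logged")
    if cfg.get("sensitive_data") and "data_access" not in logged:
        findings.append("device holds sensitive data but data access is not logged")
    if not cfg.get("ntp_servers"):
        findings.append("no NTP source configured; timestamps cannot be correlated reliably")
    if cfg.get("admins_can_clear_local_log", True):   # assume the insecure default when unset
        findings.append("administrators can clear the local audit log")
    return findings


# Constructed sample configurations
HARDENED = {
    "syslog_servers": [{"host": "10.20.0.11", "transport": "tls"},
                       {"host": "10.20.0.12", "transport": "tls"}],
    "logged_event_classes": ["admin", "auth", "security_config", "data_access"],
    "sensitive_data": True,
    "ntp_servers": ["10.20.0.5", "10.20.0.6"],
    "admins_can_clear_local_log": False,
}
WEAK = {
    "syslog_servers": [{"host": "192.0.2.50", "transport": "udp"}],
    "logged_event_classes": ["admin"],
    "sensitive_data": True,
    "ntp_servers": [],
}

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_logging(cfg) or ["ok"])
```

Treating an unset "admins can clear the log" flag as insecure is deliberate: the manipulation the text describes usually happens on devices where nobody ever made that decision explicitly.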
Modern storage devices have become more sophisticated and offer advanced ransomware detection and prevention capabilities, as well as advanced capabilities for locking retained copies, protecting critical data from tampering and deletion, and certain forms of air-gapping. These features are often overlooked, and even when used, many configurations did not meet vendor best practices.
Significance of the risk: limited or no protection from ransomware; cybercriminals can easily circumvent or disable protection mechanisms.
There is a surprising number of ways storage devices can be manipulated and managed:
Most of those control methods can be further configured to define what access level they provide (e.g., which actions are allowed, including creation, destruction, mapping, copying, and more), which components can be controlled, filtering of which IPs, devices and objects can connect, and more.
It is of the utmost importance to approve and document all allowed connections, limit their access level and scope to the minimum, and actively block any other connection.
In around 10% of the environments (!), undocumented API entry points were found whose purpose could not be accounted for, and in around 20% of the environments, approved mechanisms were not properly hardened and limited.
Significance of the risk: undocumented and insecure API and CLI access paths can provide a cybercriminal with a backdoor to control storage devices, exfiltrate data, and tamper with storage content and its backups.
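The "approve, document, limit, block everything else" rule above is checkable: compare what is actually listening on each device with the documented inventory. This is an added example, not code or data from the report; device names, ports, protocols and the approved inventory are constructed, and the cleartext-protocol and /16 thresholds are this example's own.

```python
"""Compare discovered management entry points with the approved inventory and
flag undocumented paths, cleartext protocols and weak source filtering.
Added example; all devices, ports and inventory entries are constructed."""
import ipaddress
from typing import Dict, List, Set, Tuple

CLEARTEXT_PROTOCOLS = {"telnet", "http", "ftp"}
BROAD_PREFIX_LIMIT = 16

# Constructed approved inventory: (device, port, protocol) -> documented purpose
APPROVED_ENDPOINTS = {
    ("san-array-01", 443, "rest"): "array management UI/API",
    ("san-array-01", 22, "ssh"): "break-glass CLI",
    ("fc-switch-01", 22, "ssh"): "fabric CLI",
}

# Constructed discovery output (what a scan or configuration export shows is listening)
DISCOVERED = [
    {"device": "san-array-01", "port": 443, "protocol": "rest", "allowed_sources": ["10.30.1.0/24"]},
    {"device": "san-array-01", "port": 22, "protocol": "ssh", "allowed_sources": []},
    {"device": "san-array-01", "port": 5989, "protocol": "smi-s", "allowed_sources": []},
    {"device": "fc-switch-01", "port": 22, "protocol": "ssh", "allowed_sources": ["10.30.1.0/24"]},
    {"device": "fc-switch-01", "port": 23, "protocol": "telnet", "allowed_sources": ["0.0.0.0/0"]},
]

Finding = Tuple[str, int, str, str]   # (device, port, protocol, issue)


def source_filter_issue(sources: List[str]) -> str:
    """Describe a problem with the source IP filter, or return '' when it is acceptable."""
    if not sources:
        return "no source IP filter"
    for cidr in sources:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen < BROAD_PREFIX_LIMIT:
            return f"source filter {cidr} is wider than /{BROAD_PREFIX_LIMIT}"
    return ""


def audit_entry_points(discovered: List[Dict], approved: Dict) -> List[Finding]:
    """One finding per problem; an endpoint can produce several."""
    findings = []
    for ep in discovered:
        key = (ep["device"], ep["port"], ep["protocol"])
        if key not in approved:
            findings.append(key + ("undocumented management entry point",))
        if ep["protocol"] in CLEARTEXT_PROTOCOLS:
            findings.append(key + ("cleartext management protocol",))
        issue = source_filter_issue(ep["allowed_sources"])
        if issue:
            findings.append(key + (issue,))
    return findings


def devices_with_undocumented_paths(findings: List[Finding]) -> Set[str]:
    """Devices that expose at least one entry point nobody documented."""
    return {f[0] for f in findings if f[3] == "undocumented management entry point"}


if __name__ == "__main__":
    for device, port, proto, issue in audit_entry_points(DISCOVERED, APPROVED_ENDPOINTS):
        print(f"{device}:{port}/{proto}: {issue}")
```

Undocumented endpoints still get the filter check on purpose: the remediation order is usually "block or document first", but knowing that an unexplained port is also reachable from anywhere changes its priority.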
As already discussed, storage device updates are regularly issued. In certain organizations these updates, as well as the transfer of support information, are performed with designated vendor support environments outside the customer premises. In other organizations, even though it is established policy not to allow connections to vendor support environments, such connections were still found enabled and active.
In any case, there is a set of minimal safeguards that need to be observed with regard to software updates (manual or automated), including proper signing, proper end-to-end encryption when obtaining binaries, proper authentication and IP filtering, etc.
In several of the environments, configuration issues were detected that can allow unapproved images to be deployed, or can allow a cybercriminal to intercept and tamper with data transfer and support sessions.
Significance of the risk: improper control and enforcement of software supply-chain paths can allow cybercriminals to tamper with the storage OS, and thereby gain full control over the devices, the data, and its protective copies.
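Two of the safeguards listed above lend themselves to a concrete check: that an update image matches the digest in its manifest, and that the update and support channel is configured the way policy says (encrypted transport, approved source, signature enforcement, no vendor tunnel where policy forbids one, and a source filter). The following is an added example, not code from the report or any vendor: the image bytes, manifest layout, configuration fields and policy are constructed. Verifying the signature on the manifest itself is assumed to have happened before `verify_image()` is trusted.

```python
"""Verify an update image against its manifest and audit the update channel
configuration. Added example; image, manifest and configuration are constructed."""
import hashlib
import hmac
from typing import Dict, List
from urllib.parse import urlparse


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_image(image: bytes, manifest: Dict) -> List[str]:
    """Return findings; empty means the image matches the (already authenticated) manifest."""
    findings = []
    if manifest.get("algorithm") != "sha256":
        findings.append(f"manifest uses unsupported digest algorithm {manifest.get('algorithm')!r}")
        return findings
    if len(image) != manifest.get("size"):
        findings.append("image size does not match manifest")
    # constant-time comparison, so a mismatch does not leak where the digests diverge
    if not hmac.compare_digest(sha256_hex(image), manifest.get("digest", "")):
        findings.append("image digest does not match manifest")
    return findings


def audit_update_channel(cfg: Dict, policy: Dict) -> List[str]:
    """Check the update/support channel settings against policy."""
    findings = []
    url = urlparse(cfg.get("source_url", ""))
    if url.scheme != "https":
        findings.append("update source is not fetched over HTTPS")
    if url.hostname not in policy["approved_update_hosts"]:
        findings.append(f"update source host {url.hostname!r} is not approved")
    if not cfg.get("require_signed_images", False):
        findings.append("unsigned images are accepted")
    if cfg.get("vendor_support_tunnel_enabled") and not policy["allow_vendor_support_tunnel"]:
        findings.append("vendor support tunnel is enabled although policy forbids it")
    if not cfg.get("management_acl"):
        findings.append("update/support channel has no source IP filter")
    return findings


# Constructed sample data: the manifest stands in for the vendor's signed, published digest
IMAGE = b"constructed firmware image, ExampleArrayOS 9.2.1.0"
MANIFEST = {"algorithm": "sha256", "size": len(IMAGE), "digest": sha256_hex(IMAGE)}
TAMPERED_IMAGE = IMAGE[:-1] + b"\x00"   # same length, one byte changed

POLICY = {"approved_update_hosts": {"updates.vendor.example"}, "allow_vendor_support_tunnel": False}
COMPLIANT_CHANNEL = {
    "source_url": "https://updates.vendor.example/arrayos/",
    "require_signed_images": True,
    "vendor_support_tunnel_enabled": False,
    "management_acl": ["10.30.1.0/24"],
}
WEAK_CHANNEL = {
    "source_url": "http://mirror.example.net/arrayos/",
    "require_signed_images": False,
    "vendor_support_tunnel_enabled": True,
    "management_acl": [],
}

if __name__ == "__main__":
    print("good image:", verify_image(IMAGE, MANIFEST) or ["ok"])
    print("tampered image:", verify_image(TAMPERED_IMAGE, MANIFEST))
    print("weak channel:", audit_update_channel(WEAK_CHANNEL, POLICY))
```

A digest check only defends against tampering in transit or at rest if the manifest carrying the digest arrived through an authenticated path; that is why the channel audit and the image check belong together rather than either one alone.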
There are great resources and tools out there to help you identify and remediate storage & backup security risks.
One good place to start is The State of Storage Security Report.