A fact: Vulnerabilities from within and without are plaguing data storage, yet storage hardening remains a low priority, while infosec professionals are in high demand and short supply. Security managers task the talent they have with OS and network hardening and with running data protection, leaving storage technologies vulnerable.
Why, you ask? Probably because security managers assume that central storage and backup systems sit far too deep in the datacenter core to reach and are far too obscure to pose a meaningful attack surface.
Unfortunately, this assumption has recently been proven wrong more than once by cybercriminals and insider threats: Eversource, a Fortune 500 energy company, suffered a data breach that exposed the personal information of 11,000 customers. The cause was a misconfigured cloud data storage folder. Another recent example is the breach of Red Canary’s network. A client wrote that he had come across LNK files in his company’s network-attached storage (NAS) — a telltale sign of a rogue AutoIT worm. An AutoIT worm can spread across a company’s network and exploit network vulnerabilities. Left unchecked, it could let a hacker get hold of the company’s intellectual property and hold it for ransom. There are many other examples, but you get the idea.
And so it’s time for CISOs and security teams to close the gap. Many of them are already in the process…
Each storage technology comes with its (visible) hazards: “A quick Google search will show you the open Amazon S3 buckets; there are millions of them, and the risk is dramatic,” says Dick Wilkinson, Former CISO, New Mexico Supreme Court.
Cloud storage misconfigurations like these are commonplace, regularly starring in stories of significant data exposures.
Storage arrays have Operating Systems (OS), and OS vulnerabilities are routine. SAN technologies risk flaws in open-source software, vulnerable programming languages such as Java, and virtualization technologies such as software containers. Ransomware encrypts on-premises storage and backups, leaving enterprises with no alternative but to pay the ransom.
Data storage is more complicated than you think. According to NIST Special Publication 800-209, Security Guidelines for Storage Infrastructure, data storage management complexities have multiplied due to a blend of traditional storage services such as block, file, and object storage and advanced storage architectures such as storage virtualization, storage architectures for virtualized servers, and cloud storage. The greater the complexities, the more configuration errors and security threats.
Now, storage teams must return to fix errant configurations and manage realized risks from security threats.
You care about your organization’s most precious data, safeguarding it in transit and in use. Networks, applications, and devices remain secure because of you!
But all along, the same data also lives at rest, in largely undefended storage systems…
Storage may seem relatively minor in the IT stack, but there are other ways to consider its size. The world’s data reached about 59 zettabytes last year, according to Statista. Storage will grow to meet demand as data multiplies exponentially. To complete the picture, Statista expects global spending on data storage units to exceed 78 billion U.S. dollars this year.
Speaking of measures, size isn’t the best measure of the criticality of storage either. Let’s compare storage to the human heart. The heart is modest in size but pumps life-giving blood throughout the body. Likewise, storage houses critical high-risk data that feeds your applications and devices. Just as shooters aim for the heart, so hackers target data where it lives, in your storage systems. If you let cybercriminals leak data from storage, they can sell it or give it away. Ransomware encrypts data in storage, cloud storage, and backups, which could kill an enterprise.
In other words, storage security neglect will take its toll. Security pros must learn the ropes and must stop pushing it off as someone else’s responsibility.
“There are gaps in the roles and responsibilities between the security and storage/infrastructure teams. Storage has been a grey area; nobody owns it,” says Sunil Varkey, Former Global Head of Cyber Security Assessments, HSBC. Someone has to own storage. IT security can’t account for all security if no one on the team owns storage security.
With the rising threat of ransomware and other cybersecurity attacks, it has become paramount for enterprises to protect their data and storage – both on-premises and in the cloud. In this first chapter of the series we not only introduced the reasons for data storage security, but also explained the rising need to do so. Now.
In the next chapter we will define the risk, show how storage attacks can happen and how attackers can thereby reach your most precious asset (data), and discuss the lagging industry maturity.