Storage systems have a significantly weaker security posture than the other two layers of IT infrastructure — compute and network equipment — according to a report from cyber security company Continuity Software.
By analysing data from more than 400 enterprise storage devices, the research revealed 6,300 discrete security issues related to 15 vulnerabilities that, on average, every enterprise security device is exposed to. The study examined equipment from vendors including Brocade, Cisco, Dell EMC, IBM, Hitachi Data Systems, and NetApp.
“Of the three main IT infrastructure categories — compute, network, and storage — the latter often holds the greatest value, from both security and business perspectives,” said Gil Hecht, founder and CEO of Continuity, in a statement.
“Security vulnerabilities and misconfigurations of storage devices present a significant threat, especially as ransomware attacks have taken hold of businesses over the past few years. Yet based on our analysis, the security posture of most enterprise storage systems is strikingly weak."
Organisations need to act immediately to better protect their storage as well as backup systems to ensure their data is secure against ransomware and other cyberattacks, Hecht said.
Of the 15 major vulnerabilities detected in the research, three were designated as particularly critical, carrying very high security risks. The report also outlined 170 security principles that weren’t adequately followed by the enterprise teams.
Top security risks include vulnerable protocols
The top three vulnerabilities spelled out by the report include use of vulnerable protocols or protocol settings, unaddressed CVE (common vulnerabilities and exposure) vulnerabilities, and access rights issues. Other significant vulnerabilities related to insecure user management and authentication, and insufficient logging.
The report pointed out vulnerable protocols/protocol settings often relate to the failure to disable —or allowing the default to the use of legacy versions — of storage protocols such as SMB (Server Message Block) version 1 and NFS (Network File System) version 3. Vulnerable protocols/protocol settings also come from the use of suites such as TLS (transport layer security) 1.0 and 1.1, SSL (secure sockets layer) 2.0 and 3.0, which security experts no longer recommend.
The report also said that common vulnerability management tools used by organisations do not detect many storage CVEs (Common Vulnerabilities and Exposures), but rather focus on server OS, traditional network gear, and software products. This leaves a large percentage of storage devices (close to 20 per cent) that are exposed. More than 70 different CVEs were detected in the environments covered in the research.
Major access rights issues include a large number of devices affected by improper configuration, including unrestricted access to shared storage, unrecommended zoning and masking configuration, ability to reach storage elements from external networks, and more.
Insecure user management and authentication refers to a range of issues including unrecommended use of local users, use of non-individual admin accounts, not enforcing session management restrictions, and improper separation of duties/roles.
Vulnerabilities found in range of storage tech
Continuity compiled anonymised inputs from more than 20 customer environments covering banking and financial services, transportation, healthcare, telecommunications, and other industry sectors.
The analysis covered the configuration of block, object and IP storage systems, SAN / NAS, storage management servers, storage appliances, virtual SANs, storage network switches, data protection appliances, storage virtualisation systems, and other storage devices.
Continuity Software’s automated risk detection engine was used in the research to gauge multiple misconfigurations and vulnerabilities at the storage level that could pose a security threat to enterprise data.
“We utilised data scientists, but basically we used the collection of the raw information. It was done with our own proprietary data mapping tools," says Doron Pinhas, CTO at Continuity.
"So, part of the problem enterprises have, in any aspect of managing IT, not just around data and storage, is to have visibility — to find out all of their assets, figure out how they are configured, to capture the configuration data, to track it overtime."
Part of Continuity’s methodology was to use a large knowledge base that describes possible vulnerabilities, according to Pinhas. Continuity also used their technology to review the data collected and figure out what vulnerabilities existed. It then input the information into a database to analyse it using various metrics.
Other, less significant issues detected by the study included incorrect use of ransomware protection features, undocumented and insecure API/CLI, and vulnerability and lack of oversight in storage software supply chain management.
The report also noted that there was a weak correlation in the geographic location and storage security maturity, meaning the frequency and severity of the threats observed remained unchanged with change of location.
How companies can protect themselves
Some of the recommendations the report made included evaluating existing internal security regimes for sufficient inclusion of storage infrastructure, identifying possible knowledge gaps in storage security and building/improving security programs to address these gaps. The report also encourages the use of automation to continually evaluate the status of storage infrastructure security.
“One of the things we recommend the customers to do is to quickly map data classifications. CISOs admit that they are not good at that,” says Pinhas.
“I think organisations should really form a really clear view of their security baselines: 'What assets do we have?' Understand how they can be attacked. Have a really good picture of the attack surface. The good news is that we have resources and technology.”
In a similar report released by Gartner last month, the research firm said that most ransomware attacks target unstructured datasets on network shares, making centralised file storage solutions an attractive target for encryption and/or data exfiltration of large amounts of data.