By Doron Pinhas, CTO at Continuity and co-author of NIST Special Publication 800-209, Security Guidelines for Storage Infrastructure
Background
Ransomware attacks have been in the public eye for quite a while now. Growth
is propelled not only by the surge in the number of cybercrime groups
specializing in ransomware, but to a large extent, also by the continual
increase in attack sophistication.
Ransomware has evolved into a fully-fledged industry, with competing
groups that continually introduce new capabilities and techniques.
Some newer trends in data crime, such as data leaks, threats of data exposure and public shaming, have attracted media attention, while others that are potentially even more devastating are still not widely discussed. This article attempts to correct that.
Breaking The Myths: Storage, Backup, And
Data Recoverability
A few years ago, very few CISOs thought that storage and backups were important. That is no longer the case today.
In a security research study published by Continuity and CISO Mag, more than two-thirds of respondents believed an attack on their storage environment would have a 'significant' or 'catastrophic' impact, and almost 60% of respondents were not confident in their ability to recover from a ransomware attack.
Ransomware has pushed backup and recovery back onto the agenda. Ransomware groups such as Conti, Hive and REvil have actively targeted storage and backup systems in order to prevent recovery.
Regulators are starting to pay attention to backup systems and data recovery. Industry awareness is also steadily growing. NIST released Special Publication 800-209, titled Security Guidelines for Storage Infrastructure, which places significant emphasis on securing and protecting data against attacks.
This has driven CISOs to look again at potential holes in their safety nets by reviewing their storage, backup and recovery strategies.
"In my experience CISOs have not given the storage
layer enough attention in the past in protecting their businesses (including
myself)." -- John Meakin, Former CISO at GlaxoSmithKline
The Current Threat Landscape For
Storage, Backup And Data Recovery
NIST SP 800-209 provides a detailed overview of storage & backup system
threats, risks, attack surfaces and security recommendations.
Some of the more sophisticated ransomware tactics include:
- Compromising storage operating systems, firmware and drivers. These attacks are rarely detected by existing vulnerability scanners, which offer little or no coverage of storage systems and storage networks.
- Exploiting overlooked attack surfaces, from the obvious (storage array factory accounts that are sometimes left in place after installation) to the more elusive (servers that can issue management commands to storage arrays in-band over Fibre Channel).
- Poisoning snapshots and backups. Even when a ransomware attack does not succeed in corrupting existing storage and backup copies (for example, because immutable storage is used), it may still find a way to suspend or corrupt future snapshots or backups. It is then just a matter of waiting long enough before locking production data; by that time, the only remaining valid copies may be too old for any practical use. Most organizations do not test recoverability frequently, so such attacks are likely to go unnoticed.
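The snapshot-poisoning tactic above is only effective because nobody looks at whether the chain of copies is still growing and still restores. The following is an added example, not code from the article or from Continuity, of the check a backup team can run continuously: verify each snapshot by recomputing its checksum from a test restore, flag a schedule that has silently stopped, and measure how old the newest copy that actually restores is against the recovery point objective. The catalog layout, field names, timestamps and thresholds are assumptions made for illustration; a real job would read them from the array or backup API.

```python
"""Check a snapshot catalog for a suspended schedule and poisoned copies.

Added example, not code from the article or from Continuity. The catalog
layout, field names, timestamps and thresholds are all assumptions made for
illustration; a real check would read them from the backup or array API.
"""
import hashlib
from datetime import datetime, timedelta, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _t(day: int, hour: int) -> datetime:
    # Constructed timeline: every timestamp falls in January 2024, UTC.
    return datetime(2024, 1, day, hour, tzinfo=timezone.utc)


NOW = _t(10, 12)                        # assumed time at which the check runs
EXPECTED_INTERVAL = timedelta(hours=4)  # assumed snapshot schedule
RPO = timedelta(hours=8)                # assumed recovery point objective

GOOD = b"vol01: application data, clean"
TAMPERED = b"vol01: application data, silently corrupted"


def _entry(snap_id: str, created: datetime, backed_up: bytes, restored: bytes) -> dict:
    """One catalog row: the checksum recorded when the snapshot was taken, and
    the bytes a test restore of that snapshot actually produced."""
    return {"id": snap_id, "created": created,
            "recorded_sha256": sha256_hex(backed_up), "restored_data": restored}


# Constructed catalog for one volume. The chain is healthy up to snap-02; the
# next two snapshots restore to contents that no longer match what was
# recorded, and nothing at all was taken after 2024-01-10 00:00.
SAMPLE_CATALOG = [
    _entry("snap-01", _t(9, 12), GOOD, GOOD),
    _entry("snap-02", _t(9, 16), GOOD, GOOD),
    _entry("snap-03", _t(9, 20), GOOD, TAMPERED),
    _entry("snap-04", _t(10, 0), GOOD, TAMPERED),
]

# Constructed control case: four clean snapshots, the newest taken at NOW.
HEALTHY_CATALOG = [
    _entry(f"snap-{i:02d}", _t(10, h), GOOD, GOOD)
    for i, h in enumerate((0, 4, 8, 12), start=1)
]


def verify_snapshot(entry: dict) -> bool:
    """Recompute the checksum from the restored bytes and compare it with the
    value recorded at backup time; a mismatch means the copy cannot be trusted."""
    return sha256_hex(entry["restored_data"]) == entry["recorded_sha256"]


def assess_chain(catalog, now=NOW, interval=EXPECTED_INTERVAL, rpo=RPO) -> dict:
    ordered = sorted(catalog, key=lambda e: e["created"])
    poisoned = [e["id"] for e in ordered if not verify_snapshot(e)]
    valid = [e for e in ordered if verify_snapshot(e)]

    # Schedule check: no new copy (good or bad) for more than two intervals
    # means the job has been suspended, whatever the job status page says.
    stalled = not ordered or (now - ordered[-1]["created"]) > 2 * interval

    # Recovery point check: age of the newest copy that actually restores.
    latest_valid = valid[-1]["id"] if valid else None
    gap_hours = (now - valid[-1]["created"]).total_seconds() / 3600 if valid else None
    rpo_hours = rpo.total_seconds() / 3600
    rpo_breached = gap_hours is None or gap_hours > rpo_hours

    findings = []
    if poisoned:
        findings.append("CRITICAL: snapshots fail integrity verification: " + ", ".join(poisoned))
    if stalled:
        findings.append("HIGH: snapshot schedule appears suspended (no new copy in more than two intervals)")
    if gap_hours is None:
        findings.append("HIGH: no restorable copy exists for this volume")
    elif rpo_breached:
        findings.append(f"HIGH: newest restorable copy is {gap_hours:g} h old, beyond the {rpo_hours:g} h RPO")
    return {"poisoned": poisoned, "schedule_stalled": stalled, "latest_valid": latest_valid,
            "recovery_gap_hours": gap_hours, "rpo_breached": rpo_breached, "findings": findings}


if __name__ == "__main__":
    for line in assess_chain(SAMPLE_CATALOG)["findings"]:
        print(line)
```

Run against the constructed catalog, the check reports two poisoned snapshots, a suspended schedule, and a newest restorable copy that is 20 hours old against an 8-hour RPO; the same chain would look perfectly healthy to a job-status dashboard that only counts snapshots. The integrity step depends on restoring the data and hashing the result, not on trusting a checksum the backup system reports about itself.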
By successfully infiltrating these targets, ransomware gangs can:
- Prevent recovery efforts by destroying or tampering with backups (including offsite cloud-based copies and immutable storage)
- Steal or encrypt petabytes of data that are easily stored on a single storage or backup system
- Evade detection by existing Data Loss Prevention (DLP), Intrusion Detection Systems (IDS), and most modern threat intelligence solutions. Some attackers take advantage of cloud-based offsite backup solutions which, if not secured properly, provide access to copies of huge datasets without introducing any visible load on production systems
"You need to have governance and an active program to
secure your storage layer." -- Marc Ashworth, CISO at First Bank
Recommendations
Data is a major part of the role of
any CISO. And in today's digitized, data-everywhere world, an organization must make significant investments in
data protection, and storage and backup hardening.
CISOs have the skill to do it; many simply lack a clear view
of the problem. The problem needs to be reframed in the minds of security
experts, and fast. Analyzing data storage
and backup security posture is a new skill that security teams must adopt in
order to deal with emerging cyber-security threats.
Organizations report
that they are now starting to pay much more attention to their storage and
backup security than ever before. In a recent
study we conducted among CISOs, more than
two-thirds confirmed that auditors were recently hired to review their storage
and backup systems.
I'm expecting to see
much stricter national guidance to organizations to tighten their data
protection solutions and to avoid negotiating with criminals.
I highly
recommend evaluating your internal security processes to determine if they
cover storage and backup infrastructure to a sufficient degree. Some of the questions that could help clarify
the level of maturity are:
- Are you evaluating the resiliency of your storage and backup systems on an ongoing basis?
- Do you have detailed plans and procedures for recovery from a successful ransomware attack on a storage or backup system?
- How confident are you that you can recover from a successful ransomware attack?
Storage vulnerability management can give security teams a full view of the security risks in their storage and backup systems. It does this by continuously scanning these systems to automatically detect security misconfigurations and vulnerabilities, and then prioritizing the findings in order of urgency.
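What such a scan looks like in practice is easier to see in code than in prose. The block below is an added example, not Continuity's product or any code from the article: it runs a small set of posture checks over a constructed inventory of storage systems and orders the findings by severity. The checks correspond to the weaknesses described earlier in the article (factory accounts left enabled, hosts able to send management commands to the array in-band, snapshot chains that are unlocked or no longer being produced, storage firmware below an approved baseline); the inventory shape, field names, version strings and severity scale are assumptions for illustration.

```python
"""Score a storage inventory against posture checks and rank the results.

Added example, not the article's or Continuity's code. The inventory shape,
field names, version strings and severity scale are assumptions; the checks
map to the weaknesses the article describes.
"""

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}

# Constructed inventory: what a collector might pull from three array/backup
# management APIs. Every value is made up for illustration.
SAMPLE_INVENTORY = [
    {"name": "array-prod-01", "factory_accounts_enabled": ["service"],
     "inband_mgmt_enabled": True, "snapshot_schedule_enabled": True,
     "snapshot_locked": False, "firmware": "6.1.2", "firmware_baseline": "6.2.0"},
    {"name": "backup-appl-01", "factory_accounts_enabled": [],
     "inband_mgmt_enabled": False, "snapshot_schedule_enabled": False,
     "snapshot_locked": True, "firmware": "9.0.0", "firmware_baseline": "9.0.0"},
    {"name": "array-dev-02", "factory_accounts_enabled": [],
     "inband_mgmt_enabled": False, "snapshot_schedule_enabled": True,
     "snapshot_locked": True, "firmware": "6.2.1", "firmware_baseline": "6.2.0"},
]


def version_tuple(version: str) -> tuple:
    """Compare dotted versions numerically, so that 6.10.0 > 6.9.0."""
    return tuple(int(part) for part in version.split("."))


# Each check returns (severity, detail) when it fires, or None when it passes.
def check_factory_accounts(a):
    if a["factory_accounts_enabled"]:
        return "CRITICAL", "factory/default accounts still enabled: " + ", ".join(a["factory_accounts_enabled"])


def check_inband_management(a):
    if a["inband_mgmt_enabled"]:
        return "HIGH", "hosts can issue array management commands in-band over the data path"


def check_snapshot_lock(a):
    if not a["snapshot_locked"]:
        return "HIGH", "snapshots are not locked/immutable and can be deleted by a compromised admin"


def check_snapshot_schedule(a):
    if not a["snapshot_schedule_enabled"]:
        return "HIGH", "snapshot schedule is disabled; no new recovery points are being created"


def check_firmware_baseline(a):
    if version_tuple(a["firmware"]) < version_tuple(a["firmware_baseline"]):
        return "MEDIUM", f"firmware {a['firmware']} is below the approved baseline {a['firmware_baseline']}"


CHECKS = {
    "factory_accounts": check_factory_accounts,
    "inband_management": check_inband_management,
    "snapshot_lock": check_snapshot_lock,
    "snapshot_schedule": check_snapshot_schedule,
    "firmware_baseline": check_firmware_baseline,
}


def scan(inventory):
    """Run every check against every system and collect the findings."""
    findings = []
    for system in inventory:
        for check_id, check in CHECKS.items():
            result = check(system)
            if result:
                severity, detail = result
                findings.append({"array": system["name"], "check": check_id,
                                 "severity": severity, "detail": detail})
    return findings


def prioritize(findings):
    """Order findings for remediation: severity first, then system, then check."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["array"], f["check"]))


if __name__ == "__main__":
    for f in prioritize(scan(SAMPLE_INVENTORY)):
        print(f"{f['severity']:<8} {f['array']:<15} {f['check']:<18} {f['detail']}")
```

On the constructed inventory the top of the list is the production array's leftover factory account, followed by the in-band management path and the unlocked snapshots on the same array, then the backup appliance whose schedule has been switched off; the development array produces no findings. The value of the ranking is that it is stable and explainable: each line names the system, the check and the evidence, which is what an auditor reviewing storage and backup systems will ask for.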
Finally, I
encourage you to learn more about ransomware resiliency for storage and backups. A good start could be the NIST
Guide for Storage Security - a report I co-authored along with NIST.
This guide provides CISOs with an
overview of the evolution of the storage and backup technology landscape,
current security threats, and a set of practical recommendations.
About The Author
Doron Pinhas, Chief Technology Officer, Continuity
Doron is an avid storage and backup security advocate, and one of the two authors of the recently published NIST special publication titled "Security Guidelines for Storage Infrastructure". Alongside continuous research into storage security, the threat landscape and market maturity, he is also engaged in writing, public speaking and information exchange with leading organizations.
Doron has over 20 years of experience in data and storage management, mission critical computing, operating system design and development, cloud computing, and networking architecture.