By Gil Hecht, CEO of Continuity
CISOs rely on information from across the
organization about security, particularly from the various IT departments.
Unfortunately, the information being fed to CISOs about the state of cybersecurity
risk is incomplete. There is a blind spot, and a large one. Data about
the security posture of their storage and backup systems is either woefully
deficient or missing entirely.
That is one of the reasons why CISOs set strategy
and approve the procurement of solutions to keep data and systems safe, yet the
organization continues to suffer from breaches and attacks. Despite
implementing vulnerability management, extended detection and response (XDR),
threat monitoring, security information and event management (SIEM), and other
technologies, they always seem to be one step behind the cybercriminal
fraternity. That state of affairs is likely to remain until the inherent risk
posed by vulnerable storage and backup systems is addressed.
False Sense of Security
Part of the problem is that storage and backup
systems are thought of as back-end and are assumed not to pose the same level of risk as
layers of IT closer to the perimeter. This can lull storage admins,
infrastructure managers, and CISOs into a false sense of security.
Research from
Continuity makes it clear that this is a misconception,
and a dangerous one at that. The average enterprise storage device has around
15 vulnerabilities or security misconfigurations. Of these, three are
considered a high or critical risk. Therefore, it is vitally important that
CISOs understand the magnitude of the threat posed by insecure storage and
backup systems and what they need to do about it.
Using The Wrong Tools
There are scores of vulnerability scanners, patch
management, and configuration management systems in existence. Organizations
rely on them to locate areas of potential weakness, remediate them, and deploy
patches to resolve known vulnerabilities. These systems do a good job of
inventorying and scanning networks, operating systems (OSes), and enterprise
applications. But their coverage is typically thin when it comes to inventorying and
assessing storage and backup systems.
Shockingly, they often miss security
misconfigurations and Common Vulnerabilities and Exposures (CVE) entries on popular
storage systems from the likes of Dell EMC, NetApp, or Pure, and on backup systems
from the likes of Veeam, Rubrik, and Veritas. Yet such systems host the crown
jewels of enterprise data.
Superficial scans of storage and backup
infrastructure can lead CISOs to believe that these systems lie outside the
reach of cybercriminals. Nothing could be further from the truth. Attackers
routinely compromise user accounts, escalate their privileges, and use them to
reach storage and backup systems. From there, they can wreak havoc.
Storage and Backup Risks
The fact is that hundreds of active security
misconfigurations and CVEs currently exist in various storage and backup
systems. Our research shows that on average, about 20% of storage devices are
currently exposed. That means they are wide open to attack from ransomware and
other forms of malware.
A study of
enterprise storage devices detected more than 6,000 discrete storage
vulnerabilities, backup misconfigurations, and other security issues. At the
device level, the average storage device is riddled with vulnerabilities, some
of them severe. In addition, there are currently about 70 CVEs in storage
environments that could be used to exfiltrate files, initiate denial-of-service
attacks, take ownership of files, and block access to devices. Many of these CVEs are
several months old. A few of them are a year or more old. In most such cases a
vendor patch exists but has not been deployed.
Don't think the bad guys aren't aware of this.
They prefer the easiest possible route into the enterprise. Why come up with a
genius plan to breach defenses when all you need to do is scan for some common
vulnerabilities and mount an incursion from there?
Storage Security Features Not Implemented
Modern storage devices often include ransomware
detection and prevention capabilities. Some include the capability to lock
retained copies, protect critical data from tampering and deletion, and air gap
data. However, in breach after breach, such features were found to either be
misconfigured or not implemented at all - leaving the organization exposed.
Misconfigured backup and storage systems affect
cybersecurity in other ways. Zoning and masking mistakes may leave LUNs
accessible to unintended hosts. Replicated copies and snapshots may not be
properly secured. Audit logging misconfigurations make it more difficult for
the organization to detect brute force attacks and spot anomalous behavior
patterns. They can also impede forensic investigation and curtail recovery
efforts. And a surprising number of storage and backup systems still operate
with their original default administrative passwords. These factory settings
can be easily exploited by unauthorized employees and malicious actors to
inflict serious damage.
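The checks described in the two sections above (unlocked retained copies, LUN masking mistakes, missing audit logging, factory passwords, and a fixed CVE that has not been patched) can be expressed as a small posture scan. The following is an added example written for this article; it is not code from Continuity or StorageGuard. The inventory schema, field names, product names, version numbers, "advisory" fixed-version table and default-credential list are all constructed for illustration, and a real scan would attempt the default login against the management interface rather than read a stored password.

```python
"""Added example: posture checks over a constructed storage/backup inventory.
Everything below (schema, products, versions, credentials) is hypothetical."""

from dataclasses import dataclass


@dataclass
class Finding:
    system: str
    severity: str   # "critical", "high" or "medium"
    check: str
    detail: str


# Constructed factory credentials to test for (not any real vendor's defaults).
DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"), ("root", "changeme")}

# Constructed "advisory" data: product -> first version that ships the fix.
FIXED_VERSIONS = {"ExampleArray OS": (9, 8, 2), "ExampleBackup": (12, 1, 0)}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


def parse_version(s: str) -> tuple:
    """Turn '9.7.0' into (9, 7, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in s.split("."))


def check_system(cfg: dict) -> list:
    """Return the findings for one storage or backup system."""
    name = cfg["name"]
    findings = []

    # 1. Default administrative credentials still in place. The stored
    #    password field is a stand-in for an actual login attempt.
    for acct in cfg.get("accounts", []):
        if (acct["user"], acct.get("password", "")) in DEFAULT_CREDS:
            findings.append(Finding(name, "critical", "default-credentials",
                                    f"account '{acct['user']}' uses a factory password"))

    # 2. Audit logging off, or kept only on the device: brute-force attempts
    #    go unseen and an attacker who owns the box can erase the trail.
    audit = cfg.get("audit", {})
    if not audit.get("enabled", False):
        findings.append(Finding(name, "high", "audit-logging", "audit logging disabled"))
    elif not audit.get("syslog_targets"):
        findings.append(Finding(name, "medium", "audit-logging",
                                "audit log kept locally only; no remote syslog/SIEM target"))

    # 3. LUN masking: every host that can see a LUN must be in its intended host list.
    for lun in cfg.get("luns", []):
        extra = set(lun.get("masked_to", [])) - set(lun.get("intended_hosts", []))
        if extra:
            findings.append(Finding(name, "high", "lun-masking",
                                    f"LUN {lun['id']} visible to unintended hosts {sorted(extra)}"))

    # 4. Retained copies of critical data must be locked, or ransomware that
    #    reaches the array can simply delete the snapshots before encrypting.
    for vol in cfg.get("volumes", []):
        if vol.get("critical") and not vol.get("snapshot_lock"):
            findings.append(Finding(name, "high", "immutable-snapshots",
                                    f"critical volume {vol['id']} has no locked snapshots"))

    # 5. A fix exists for this product but the running version predates it.
    product, ver = cfg.get("product"), cfg.get("version")
    if product in FIXED_VERSIONS and ver and parse_version(ver) < FIXED_VERSIONS[product]:
        fixed = ".".join(map(str, FIXED_VERSIONS[product]))
        findings.append(Finding(name, "high", "unpatched",
                                f"{product} {ver} is below fixed version {fixed}"))
    return findings


def scan(inventory: list) -> list:
    """Scan every system and return findings ordered by severity."""
    findings = [f for cfg in inventory for f in check_system(cfg)]
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


# Constructed inventory: one weakly configured array, one hardened backup appliance.
INVENTORY = [
    {
        "name": "array-01", "product": "ExampleArray OS", "version": "9.7.0",
        "accounts": [{"user": "admin", "password": "admin"}],
        "audit": {"enabled": True, "syslog_targets": []},
        "luns": [{"id": 7, "intended_hosts": ["db-prod-1"],
                  "masked_to": ["db-prod-1", "dev-box-3"]}],
        "volumes": [{"id": "vol-db", "critical": True, "snapshot_lock": False}],
    },
    {
        "name": "backup-01", "product": "ExampleBackup", "version": "12.1.0",
        "accounts": [{"user": "svc_backup", "password": "not-a-default"}],
        "audit": {"enabled": True, "syslog_targets": ["siem.corp.example:514"]},
        "luns": [],
        "volumes": [{"id": "repo", "critical": True, "snapshot_lock": True}],
    },
]

if __name__ == "__main__":
    for f in scan(INVENTORY):
        print(f"{f.system:10} {f.severity:8} {f.check:20} {f.detail}")
```

Run against the constructed inventory, the scan reports five findings for array-01 (one critical, three high, one medium) and none for backup-01. The version comparison is done on integer tuples deliberately: comparing "9.10.0" and "9.8.2" as strings would rank the newer build as older.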
These are just a few of the many security challenges
that are present within enterprise infrastructure. There are many other areas
to check. The bottom line is that storage and backup systems generally
have a significantly weaker security posture than the compute and network
infrastructure layers. It is a ticking time bomb ripe for exploitation by
criminal gangs.
How to Protect Storage and Backup Systems
Storage and backup systems must be fully secured to
protect data and ensure recoverability. StorageGuard finds
the security risks that other vulnerability management tools miss. Developed
specifically for storage and backup systems, its automated risk detection
engines check for thousands of possible security misconfigurations and
vulnerabilities at the storage system and backup system level that might pose a
security threat to enterprise data. It analyzes block, object, and IP storage
systems, SAN/NAS, storage management servers, storage appliances, virtual SAN,
storage networking switches, data protection appliances, storage virtualization
systems, and backup devices.
Continuity's StorageGuard is designed to keep these systems from
being the weakest link in cybersecurity. Its comprehensive approach to the
scanning of storage and backup systems offers visibility into these blind
spots, automatically prioritizes the most urgent risks, and helps remediate them.
Discover how secure your storage & backup systems are.
Earlier this year, we interviewed 8 CISOs to get
their insights on new data protection methods and the importance of securing
storage & backup, including: John Meakin, Former CISO at GlaxoSmithKline
and Deutsche Bank, Joel Fulton, Former CISO at Symantec and
Splunk, Endré
Jarraux Walls, CISO at Customers Bank, and George
Eapen, Group CIO (and former CISO) at Petrofac.
Download the Report: CISO Point of
View: The ever-changing role of data, and the implications for data protection
& storage security
ABOUT THE AUTHOR
Gil Hecht has been serving as CEO of Continuity since he
founded the company in 2005. He is responsible for building Continuity's leadership
in the Cyber Resiliency and Cyberstorage space and establishing the vision for
the company. Before founding Continuity, Gil was the Founder, Chairman and CEO
of Savantis Systems, a leading provider of database virtualization solutions.
Gil is an avid storage and backup security advocate, and
one of the main contributors to the recently published NIST special publication (SP 800-209) titled
'Security Guidelines for Storage Infrastructure'.