CISOs rely on information about security from across the organization, particularly from the various IT departments. Unfortunately, the information being fed to CISOs about cybersecurity risk is incomplete.
There is a blind spot present—a gaping hole. Data about the security posture of their storage and backup systems is either woefully deficient or missing entirely.
That is one of the reasons why CISOs set strategies and approve the procurement of solutions to keep data and systems safe. Yet, the organization continues to suffer from breaches and attacks.
Despite implementing vulnerability management, extended detection and response (XDR), threat monitoring, security information and event management (SIEM), and other technologies, they seem to be one step behind the cybercriminal fraternity.
That state of affairs will likely remain until the risk of vulnerable storage and backup systems is addressed.
False Sense Of Security
Part of the problem is that storage and backup systems are thought of as back-end and don’t pose the same level of risk as other layers of IT closer on the perimeter.
This can lull storage admins, infrastructure managers, and CISOs into a false sense of security.
This is a misconception, and a dangerous one at that. The average enterprise storage device has around 15 vulnerabilities or security misconfigurations.
Of these, three are considered a high or critical risk. Therefore, CISOS must comprehend the seriousness of the threat that insecure storage and backup systems pose and what they must do to address it.
Earlier this year, we interviewed 8 CISOs to get their insights on new data protection methods and the importance of securing storage & backup, including: John Meakin, Former CISO at GlaxoSmithKline and Deutsche Bank, Joel Fulton, Former CISO at Symantec and Splunk, Endré Jarraux Walls, CISO at Customers Bank, and George Eapen, Group CIO (and former CISO) at Petrofac.
Using The Wrong Tools
Scores of vulnerability scanners, patch management, and configuration management systems exist. Organizations rely on them to locate areas of potential weakness, remediate them, and deploy patches to resolve known vulnerabilities.
These systems do great at inventorying and scanning networks, operating systems (OSes), and enterprise applications. However, they are typically sketchy regarding inventorying and assessing storage and backup issues.
Shockingly, they often miss security misconfigurations and Common Vulnerability and Exposures (CVEs) on popular storage systems from the likes of Dell EMC, NetApp, or Pure, and backup systems from the likes of Veeam, Rubrik, and Veritas. Yet, such systems host the crown jewels of enterprise data.
Superficial scans of storage and backup infrastructure can lead CISOs to believe that these systems lie outside the reach of cybercriminals. Nothing could be further from the truth.
Hackers are notorious for finding ways to obtain privileges to user accounts and finding their way into storage and backup systems. From there, they can wreak havoc.
The State Of Storage And Backup Vulnerabilities
The fact is that hundreds of active security misconfigurations and CVEs currently exist in various storage and backup systems. Our research shows that about 20% of storage devices are exposed on average.
That means they are wide open to attacks from ransomware and other forms of malware.
A study of enterprise storage and backup systems detected over 6,000 discrete storage vulnerabilities, backup misconfigurations, and other security issues.
At the device level, the average storage device is riddled with vulnerabilities, some of them severe. In addition, about 70 CVEs in storage environments could be used to exfiltrate files, initiate denial-of-service attacks, take ownership of files, and block devices. Many of these CVEs are several months old.
A few of them are a year or more old. This means that approved patches exist but are not deployed. Don’t think the bad guys aren’t aware of this.
They prefer the easiest possible route into the enterprise. Why devise a genius plan to broach defenses when you only need to scan for some common vulnerabilities and mount an incursion from there?
StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.
Storage Security Features Not Implemented
Modern storage devices often include ransomware detection and prevention capabilities. Some include locking retained copies, protecting critical data from tampering and deletion, and air gap data.
However, in breach after breach, such features were found to be either misconfigured or not implemented, leaving the organization exposed.
Misconfigured backup and storage systems impact cybersecurity in other ways. Zoning and masking mistakes may leave LUNs accessible to unintended hosts.
Replicated copies and snapshots may not be properly secured. Audit logging misconfigurations make it more difficult for the organization to detect brute-force attacks and spot anomalous behavior patterns.
They can also impede forensic investigations and curtail recovery efforts. And a surprising number of storage and backup systems still operate with their original default administrative passwords.
Unauthorized employees and malicious actors can easily exploit these factory settings to inflict serious damage. These are just a few of the many security challenges that are present within the enterprise infrastructure.
There are many other areas to check. The bottom line is that storage and backup systems generally have a significantly weaker security posture than the compute and network infrastructure layers. It is a ticking time bomb ripe for exploitation by criminal gangs.
How To Harden Storage And Backup Security
Storage and backup systems must be fully secured to protect data and ensure recoverability. StorageGuard finds the security risks that other vulnerability management tools miss.
Developed specifically for storage and backup systems, its automated risk detection engines check for thousands of possible security misconfigurations and vulnerabilities at the storage and backup system levels that might pose a security threat to enterprise data.
It analyzes block, object, and IP storage systems, SAN/NAS, storage management servers, storage appliances, virtual SAN, storage networking switches, data protection appliances, storage virtualization systems, and backup devices.
Continuity’s StorageGuard ensures these systems will never be the weakest link in cybersecurity. Its comprehensive approach to the scanning of storage and backup systems offers complete visibility into blind spots, automatically prioritizing the most urgent risks, and remediating them.
The report’s findings underscore a significant gap in the state of enterprise storage and backup security and shows how much it lags behind the security of other layers of IT.
With the growing sophistication of data-centric attacks, the high volumes of data at risk and tightened regulations, enterprise storage and backup security clearly require urgent attention.
Secures your storage & backup systems With StorageGuard – Watch a 40-second Video Tour.