Despite a dramatic increase in ransomware attacks, enterprise storage and backup environments have a dangerously weaker security posture than the compute and network layers of the IT infrastructure, new research shows.
Continuity recently analyzed data gathered from 423 storage systems belonging to customers in the banking, financial services, transportation, healthcare, and other sectors. Systems that were analyzed included storage area network/network-attached storage (SAN/NAS) systems, storage management servers, virtual SANs, virtual storage systems, and data protection appliances.
The analysis shows that many storage environments are infested with vulnerabilities that put organizations at heightened risk of a major disruption in the event of a ransomware attack or attacks seeking to steal, clone, modify, or sabotage data.
"While it's natural to expect gaps to be found, we did not expect so many," says Doron Pinhas, CTO at Continuity. The study shows that security gaps in storage and backup systems are widespread, he says. "Gaps are systemic and appear in multiple domains — awareness, planning, implementation, and control."
Continuity's researchers found more than 6,300 unique security issues across the 423 storage systems that were analyzed for the study. An average of 15 vulnerabilities were present on each device, three of which were critical and presented the risk of significant compromise if exploited. The most common security risks included vulnerable or poorly configured protocols, unpatched vulnerabilities, overly permissive access rights, insecure user management and authentication controls, and insufficient logging of administrative, security and access activity.
Some of the vulnerabilities are likely the result of lack of awareness and knowledge. Others simply "fall in between the cracks," Pinhas says. The infosec team, for instance, might know them well, but the IT infrastructure team doesn't, and vice versa.
"Collaboration is lacking, and clear ownership is not defined," he says.
With storage protocols, Continuity found many of the organizations in the study had either not disabled legacy versions of various protocols, such as SMBv1 and NFSv3, or were defaulting to them. Also common was the continued use of older (and no longer recommended) TLS protocol versions, such as TLS 1.0 and TLS 1.1, and a failure to disable SSL 2.0 and SSL 3.0, in violation of regulations such as PCI DSS. In addition, Continuity found companies frequently did not enforce encryption for critical data feeds.
A large percentage of the 423 devices in Continuity's study also were configured in such a manner that they provided unrestricted access to shared storage or were accessible from external networks. Continuity found that organizations did not apply the same rigor to authentication and role-based access control as they did in other IT environments. In many instances, organizations used default system accounts for routine tasks, or they had shared administrator passwords.
Basic principles for segregation of roles were often not followed, as well. For example, the same roles that were used for data management were also used for data backups and for snapshots. Similarly, 15%, or more than 60 of the storage systems in Continuity's study, did not log any activity at all. A substantial percentage of systems that had at least some logging turned on were configured in a way that made them susceptible to manipulation.
Though new storage systems offer specific protections against ransomware attacks — such as locking retained data copies and preventing data from being tampered with or deleted — the features are often overlooked, Continuity says. When used, their configurations do not meet vendor-recommended best practices.
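The gaps described above (legacy protocol versions, deprecated TLS/SSL, unrestricted shares, default administrator accounts, missing logging, unused snapshot locking) are all things a storage baseline check can flag from an inventory export. The script below is an added illustration of such a check and is not Continuity's tooling or any vendor's API; the inventory records, their field names, and the severity ratings are constructed for this example and would need to be mapped onto whatever your own storage platform actually exports.

```python
"""Baseline audit of storage/backup system settings.

Added example: checks an inventory of storage systems against the kinds of gaps
named in the Continuity study. The inventory format and every field name below
are hypothetical; adapt them to the export format of your own platform.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample inventory (hypothetical field names, not a real vendor export).
SAMPLE_INVENTORY = [
    {
        "name": "nas-fin-01",
        "protocols": {"smb": ["1", "2", "3"], "nfs": ["3", "4.1"]},
        "tls_versions": ["1.0", "1.1", "1.2"],
        "ssl_versions": ["3.0"],
        "shares": [{"path": "/vol/finance", "allowed_hosts": ["*"]}],
        "admin_accounts": ["admin"],
        "audit_logging": False,
        "snapshot_lock": False,
    },
    {
        "name": "nas-hr-02",
        "protocols": {"smb": ["3"], "nfs": ["4.1"]},
        "tls_versions": ["1.2", "1.3"],
        "ssl_versions": [],
        "shares": [{"path": "/vol/hr", "allowed_hosts": ["10.20.0.0/24"]}],
        "admin_accounts": ["hr-storage-ops"],
        "audit_logging": True,
        "snapshot_lock": True,
    },
]

# Baseline: protocol versions and account names the check treats as findings.
LEGACY_PROTOCOLS = {"smb": {"1"}, "nfs": {"3"}}
WEAK_TLS = {"1.0", "1.1"}
DEFAULT_ADMIN_NAMES = {"admin", "administrator", "root"}


@dataclass
class Finding:
    system: str
    severity: str  # "critical" | "high" | "medium" (ratings chosen for this example)
    message: str


def audit_system(system: dict) -> list[Finding]:
    """Return all baseline findings for one storage system record."""
    name = system["name"]
    findings: list[Finding] = []

    # Legacy protocol versions (e.g. SMBv1, NFSv3) still enabled.
    for proto, versions in system.get("protocols", {}).items():
        for v in versions:
            if v in LEGACY_PROTOCOLS.get(proto, set()):
                findings.append(Finding(name, "high", f"legacy {proto.upper()}v{v} enabled"))

    # Deprecated TLS versions, and any SSL version at all.
    for v in system.get("tls_versions", []):
        if v in WEAK_TLS:
            findings.append(Finding(name, "medium", f"TLS {v} enabled"))
    for v in system.get("ssl_versions", []):
        findings.append(Finding(name, "high", f"SSL {v} enabled"))

    # Shares exported to every host instead of an allow-list.
    for share in system.get("shares", []):
        if "*" in share.get("allowed_hosts", []):
            findings.append(Finding(name, "critical", f"share {share['path']} allows all hosts"))

    # Default (typically shared) administrator accounts still in use.
    for acct in system.get("admin_accounts", []):
        if acct.lower() in DEFAULT_ADMIN_NAMES:
            findings.append(Finding(name, "high", f"default admin account '{acct}' in use"))

    # No logging of administrative/access activity.
    if not system.get("audit_logging", False):
        findings.append(Finding(name, "high", "audit logging disabled"))

    # Built-in ransomware protection (locked snapshot copies) not turned on.
    if not system.get("snapshot_lock", False):
        findings.append(Finding(name, "medium", "snapshot locking not enabled"))

    return findings


def audit_inventory(inventory: list[dict]) -> dict[str, list[Finding]]:
    """Audit every system and key the findings by system name."""
    return {s["name"]: audit_system(s) for s in inventory}


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity (only severities that occur are present)."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for system_name, system_findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{system_name}: {summarize(system_findings) or 'no findings'}")
        for f in system_findings:
            print(f"  [{f.severity}] {f.message}")
```

Run as-is, the script reports nine findings against the deliberately weak `nas-fin-01` record and none against `nas-hr-02`. The point of structuring it this way is that the baseline lives in a few named sets at the top, so the team that owns storage security (whichever team that turns out to be) can review and extend the rules without touching the audit logic.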
The cumulative effect of such issues is significantly heightened risk for enterprise organizations, Pinhas says.
"Successful ransomware is just the tip of the iceberg," he says. Attackers who succeed in accessing the storage environment can destroy all available recovery options, including replicas, backups, immutable copies, storage-based snapshots, and recovery keys.
Other risks included adversaries using their access to storage environments to clone or alter sensitive data without leaving a trace.
"Existing threat intelligence solutions do not cover storage well. IDS systems do not notice data flows performed directly on the storage of backup planes," Pinhas notes.
Technically speaking, storage administrators should have little difficulty detecting known security vulnerabilities (CVEs) in the environment. However, most organizations have not automated this, at least partly because existing vulnerability management tools do not cover storage and backup well.
"Some provide no coverage, while other vendors just scratch the surface," Pinhas says.
Significantly, vulnerabilities in enterprise storage environments are often more a people and process issue than a technology problem. Organizations typically own most of what they need to properly secure storage systems. The bigger problems have to do with awareness, education, informed planning, and control, Pinhas says.
He recommends that organizations begin with a clear understanding of the environment, including the technologies and vendors they use. They should establish security baselines for storage and backup and ensure that storage systems are part of the overall enterprise incident response plan. Also vital: the need to establish whether it's the information security team or the infrastructure team that has ownership of storage security.
"You need to start paying much more attention to the security of your storage and backup environments," Pinhas says. "Failing to do so will leave you much more exposed to data-centered attacks, like ransomware, and will cripple your ability to recover."