The CISO’s Guide to Storage & Backup Cyber Resiliency
Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise technology. In this feature, Continuity’s CTO Doron Pinhas offers
CISOs rely on information from across the organization about security, particularly from the various IT departments. Unfortunately, the information being fed to CISOs about the state of cybersecurity risk is incomplete. There is a blind spot present – a gaping hole. Data about the security posture of their storage and backup systems is either woefully deficient or missing entirely.
That is one of the reasons why CISOs set strategy and approve the procurement of solutions to keep data and systems safe, yet the organization continues to suffer from breaches and attacks. Despite implementing vulnerability management, extended detection and response (XDR), threat monitoring, security information and event management (SIEM), and other technologies, they always seem to be one step behind the cybercriminal fraternity. That state of affairs is likely to remain until the inherent risk posed by vulnerable storage and backup systems is addressed.
False Sense of Security
Part of the problem is that storage and backup systems are thought of as back-end systems that don’t pose the same level of risk as other layers of IT closer to the perimeter. This can lull storage admins, infrastructure managers, and CISOs into a false sense of security.
This is a misconception, and a dangerous one at that. The average enterprise storage device has around 15 vulnerabilities or security misconfigurations. Of these, three are considered a high or critical risk. Therefore, it is vitally important that CISOs understand the magnitude of the threat posed by insecure storage and backup systems and what they need to do about it.
Earlier this year, we interviewed 8 CISOs to get their insights on new data protection methods and the importance of securing storage & backup, including: John Meakin, Former CISO at GlaxoSmithKline and Deutsche Bank, Joel Fulton, Former CISO at Symantec and Splunk, Endré Jarraux Walls, CISO at Customers Bank, and George Eapen, Group CIO (and former CISO) at Petrofac.
Using the Wrong Tools
There are scores of vulnerability scanners, patch management, and configuration management systems in existence. Organizations rely on them to locate areas of potential weakness, remediate them, and deploy patches to resolve known vulnerabilities. These systems do a great job at inventorying and scanning networks, operating systems (OSes) and enterprise applications. But they are typically sketchy when it comes to inventorying and assessing storage and backup issues.
Shockingly, they often miss security misconfigurations and Common Vulnerabilities and Exposures (CVEs) on popular storage systems from the likes of Dell EMC, NetApp, or Pure, and backup systems from the likes of Veeam, Rubrik, and Veritas. Yet such systems host the crown jewels of enterprise data.
Superficial scans of storage and backup infrastructure can lead CISOs to believe that these systems lie outside the reach of cybercriminals. Nothing could be further from the truth. Hackers are notorious for finding ways to obtain privileges to user accounts and finding their way into storage and backup systems. From there, they can wreak havoc.
The State of Storage and Backup Vulnerabilities
The fact is that hundreds of active security misconfigurations and CVEs currently exist in various storage and backup systems. Our research shows that on average, about 20% of storage devices are currently exposed. That means they are wide open to attack from ransomware and other forms of malware.
A study of enterprise storage devices detected more than 6,000 discrete storage vulnerabilities, backup misconfigurations, and other security issues. At the device level, the average storage device is riddled with vulnerabilities, some of them severe. In addition, there are currently about 70 CVEs in storage environments that could be used to exfiltrate files, initiate denial-of-service attacks, take ownership of files, and block devices. Many of these CVEs are several months old. A few of them are a year or more old. This means that approved patches exist but are not deployed.
Don’t think the bad guys aren’t aware of this. They prefer the easiest possible route into the enterprise. Why come up with a genius plan to breach defenses when all you need to do is scan for some common vulnerabilities and mount an incursion from there?
Storage Security Features Not Implemented
Modern storage devices often include ransomware detection and prevention capabilities. Some include the capability to lock retained copies, protect critical data from tampering and deletion, and air gap data. However, in breach after breach, such features were found to either be misconfigured or not implemented at all – leaving the organization exposed.
Misconfigured backup and storage systems impact cybersecurity in other ways. Zoning and masking mistakes may leave LUNs accessible to unintended hosts. Replicated copies and snapshots may not be properly secured. Audit logging misconfigurations make it more difficult for the organization to detect brute force attacks and spot anomalous behavior patterns. They can also impede forensic investigation and curtail recovery efforts. And a surprising number of storage and backup systems still operate with their original default administrative passwords. These factory settings can be easily exploited by unauthorized employees and malicious actors to inflict serious damage.
These are just a few of the many security challenges that are present within enterprise infrastructure. There are many other areas to check. The bottom line is that storage and backup systems generally have a significantly weaker security posture than the compute and network infrastructure layers. It is a ticking time bomb ripe for exploitation by criminal gangs.
How to Harden Storage and Backup Security
Storage and backup systems must be fully secured to protect data and ensure recoverability. StorageGuard finds the security risks that other vulnerability management tools miss. Developed specifically for storage and backup systems, its automated risk detection engines check for thousands of possible security misconfigurations and vulnerabilities at the storage system and backup system level that might pose a security threat to enterprise data. It analyzes block, object, and IP storage systems, SAN/NAS, storage management servers, storage appliances, virtual SAN, storage networking switches, data protection appliances, storage virtualization systems, and backup devices.
Continuity’s StorageGuard ensures these systems will never be the weakest link in cybersecurity. Its comprehensive approach to the scanning of storage and backup systems offers complete visibility into blind spots, automatically prioritizes the most urgent risks, and remediates them.