In The State of Storage Security Report, researchers from Continuity exposed the dangerous predicament organizations running enterprise storage systems find themselves in. Across more than 400 storage systems analyzed, nearly all were found to be rife with vulnerabilities (some 6,300 discrete security issues in total), leaving organizations exposed to data tampering, theft, or loss at the hands of ransomware and other threat actors.
As Doron Pinhas, Chief Technology Officer of Continuity, sums it up, “While it’s natural to expect gaps to be found, we did not expect so many.”
And, with the average data breach costing enterprises $4.24 million, it’s a problem that can no longer be ignored.
A lack of clear leadership, together with missing knowledge, awareness, and policies for addressing these vulnerabilities and building cybersecurity resilience, was found to be a key contributor to this state of affairs.
LIFARS’ CISO as a Service is designed to address an organization’s information security leadership needs. Our CISOs are highly skilled at establishing, improving, and transforming cybersecurity programs. We focus on maximizing business value by minimizing risks and optimizing opportunities. Our CISO as a Service can help executives and their organization by providing the professional security oversight needed to ensure best security practices.
These findings are not a one-off fluke but a continuation of a disturbing trend. Another recent study found that more than 50% of servers remain unpatched long after a security fix has been released, while a study by Imperva Research Labs found that 46% of databases globally contained vulnerabilities.
Using an automated risk detection engine, Continuity analyzed configuration data from more than 400 enterprise storage devices from vendors including Brocade, Cisco, Dell EMC, IBM, Hitachi Data Systems, and NetApp.
Some of the report’s key findings were:
- A total of 6,300 discrete security issues were detected
- The average enterprise storage device has 15 vulnerabilities
- Of those 15, 3 on average are rated high or critical risk
- The most common types of vulnerabilities discovered included use of vulnerable protocols, unaddressed CVEs, access rights issues, insecure user management, and insufficient logging
While the results are clear, tracing the root cause of the issue is murkier.
Many modern storage systems have built-in ransomware protections, such as locking retained data copies and preventing data from being tampered with or deleted. However, Continuity found that many of these features have either not been utilized or did not meet the best practices recommended by the vendor.
In general, the vulnerable state of storage systems does not seem to originate from issues with the technology itself but from insufficient processes, policies, and practices.
“Collaboration is lacking, and clear ownership is not defined,” says Pinhas. This leads to a lack of decision-making and everyday guidance in instilling proper security hygiene and best practices, as well as establishing a culture of maintaining secure storage systems. “Gaps are systemic and appear in multiple domains — awareness, planning, implementation, and control.”
One of the key ways this manifests is in the lack of rigorous authentication and role-based access control. Organizations often used the same default system accounts for routine tasks and shared administrator passwords among staff.
Another issue exacerbating the situation is the absence of robust logging practices. Upwards of 15% of the storage systems analyzed in the study did not log any activity at all, while another large share had logging configurations that were highly susceptible to manipulation.
This makes incident tracing and digital forensics difficult and leaves organizations in the dark about how to plug holes in their security perimeter.
Other common vulnerabilities detected were:
- Leaving legacy protocol versions such as SMBv1 and NFSv3 enabled, or even using them as the default.
- Accepting deprecated TLS versions such as TLS 1.0 and TLS 1.1, and leaving SSL 2.0 and SSL 3.0 enabled, contrary to requirements such as PCI DSS.
- Not encrypting critical data feeds
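The legacy-protocol and missing-logging findings above are the kind of thing a configuration audit can catch before an attacker does. The following is an added example, not code from the Continuity report or from LIFARS: it parses a Samba smb.conf and an nfs-utils nfs.conf and flags SMBv1 still being negotiable, NFSv3 still being served (or NFSv4 switched off), and a file server that records nothing about connections or file operations. The option names (server min protocol, log level, vfs objects, full_audit, vers3/vers4) are real Samba and nfs-utils options; the thresholds (SMB2_02 as the lowest acceptable dialect, NFSv4 required, full_audit expected on every share), the severities, and the sample configs are this example's own assumptions.

```python
"""Audit smb.conf and nfs.conf for two of the report's findings: legacy SMB/NFS
versions still negotiable, and no activity logging on the file server.
Added example, not code from the Continuity report or LIFARS. Option names are
real Samba/nfs-utils options; thresholds (SMB2_02 as lowest acceptable dialect,
NFSv4 required, full_audit on every share) and sample configs are assumptions.
"""
import configparser
from typing import List, Tuple

Finding = Tuple[str, str]  # (severity, message)

# Samba dialect names in protocol order; everything before SMB2_02 is SMBv1.
SMB_DIALECTS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
                "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
LOWEST_SAFE_DIALECT = "SMB2_02"  # assumption: anything older is a finding


def _load(text: str) -> configparser.ConfigParser:
    # Both files are INI-style with '=' as the only delimiter; ':' occurs in
    # option names such as full_audit:success, so it must not be a delimiter.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(text)
    return cp


def _truthy(value: str) -> bool:
    return value.strip().lower() in ("y", "yes", "true", "1", "on")


def audit_smb_conf(text: str) -> List[Finding]:
    cp = _load(text)
    g = cp["global"] if cp.has_section("global") else {}
    findings: List[Finding] = []
    # Legacy protocol: the oldest dialect the server will still negotiate.
    min_proto = g.get("server min protocol")
    if min_proto is None:
        findings.append(("high", "server min protocol not set; Samba before "
                                 "4.11 defaults to NT1 (SMBv1)"))
    else:
        d = min_proto.strip().upper()
        if d not in SMB_DIALECTS:
            findings.append(("medium", f"unknown dialect '{min_proto}'"))
        elif SMB_DIALECTS.index(d) < SMB_DIALECTS.index(LOWEST_SAFE_DIALECT):
            findings.append(("high", f"server min protocol = {d} allows SMBv1"))
    # Logging: 'log level' is an overall level plus optional per-class
    # overrides ("1 auth_audit:3"); the first token is the overall level.
    try:
        level = int(g.get("log level", "0").split()[0])
    except (ValueError, IndexError):
        level = 0
    if level == 0:
        findings.append(("medium", "log level 0 (default): connections and "
                                   "file access are effectively unlogged"))
    # Audit trail: the full_audit VFS module is what records file operations.
    shares = [s for s in cp.sections() if s != "global"]
    vfs_default = g.get("vfs objects", "")
    if shares and not any("full_audit" in cp[s].get("vfs objects", vfs_default)
                          .split() for s in shares):
        findings.append(("medium", "no share loads the full_audit VFS module; "
                                   "file operations leave no audit trail"))
    return findings


def audit_nfs_conf(text: str) -> List[Finding]:
    cp = _load(text)
    nfsd = cp["nfsd"] if cp.has_section("nfsd") else {}
    findings: List[Finding] = []
    # nfs-utils serves NFSv3 and NFSv4 unless a version is switched off.
    if _truthy(nfsd.get("vers2", "n")):
        findings.append(("high", "NFSv2 is enabled"))
    if _truthy(nfsd.get("vers3", "y")):
        findings.append(("high", "NFSv3 is served (vers3 is not set to n)"))
    if not _truthy(nfsd.get("vers4", "y")):
        findings.append(("high", "NFSv4 disabled; clients fall back to NFSv3"))
    return findings


# Constructed sample configs for illustration, not taken from any real device.
WEAK_SMB = "[global]\nworkgroup = STORAGE\nserver min protocol = NT1\n\n" \
           "[backups]\npath = /srv/backups\nread only = no\n"
HARDENED_SMB = ("[global]\nworkgroup = STORAGE\nserver min protocol = SMB3_00\n"
                "log level = 1 auth_audit:3\nvfs objects = full_audit\n"
                "full_audit:success = connect disconnect open unlinkat renameat\n"
                "full_audit:failure = all\n\n"
                "[backups]\npath = /srv/backups\nread only = no\n")
WEAK_NFS = "[nfsd]\nvers3 = y\nvers4 = n\n"
HARDENED_NFS = "[nfsd]\nvers2 = n\nvers3 = n\nvers4 = y\nvers4.1 = y\nvers4.2 = y\n"

if __name__ == "__main__":
    for name, text, fn in [("weak smb.conf", WEAK_SMB, audit_smb_conf),
                           ("hardened smb.conf", HARDENED_SMB, audit_smb_conf),
                           ("weak nfs.conf", WEAK_NFS, audit_nfs_conf),
                           ("hardened nfs.conf", HARDENED_NFS, audit_nfs_conf)]:
        print(f"== {name}")
        for sev, msg in fn(text) or [("ok", "no findings")]:
            print(f"  [{sev}] {msg}")
```

Run against the weak smb.conf this reports three findings (SMBv1 negotiable, log level 0, no full_audit module) and against the weak nfs.conf two (NFSv3 served, NFSv4 disabled); both hardened files come back clean. The point of the two checks on logging is the one the report makes: a storage server that will negotiate down to a legacy protocol and records nothing about who connected or what they touched gives an incident responder nothing to work with.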
Detection tooling does not fill the gap either. As Pinhas notes, “Existing threat intelligence solutions do not cover storage well. IDS systems do not notice data flows performed directly on the storage or backup planes.”
By contrast, the same organizations seemed to do a much more thorough job of eliminating similar vulnerabilities in their network and compute systems.
As Pinhas urges everyone utilizing enterprise storage technology, “You need to start paying much more attention to the security of your storage and backup environments. Failing to do so will leave you much more exposed to data-centered attacks, like ransomware, and will cripple your ability to recover.”