Researchers find enterprises’ last line of data defence is often full of holes

Enterprise storage and data protection devices are the poor relation when it comes to infosecurity, research by Continuity Software has revealed, leaving companies’ data dangerously exposed.

The blind spot means the very devices companies rely on as their last line of defense against attacks such as ransomware or data exfiltration can be an easy target for attackers.

The vendor surveyed over 10,000 storage and backup devices across 300 environments, and found that on average, enterprise storage and data protection devices showed 10 vulnerabilities, half of which are high risk, meaning they could allow a significant compromise. This was a slight rise on the previous year’s research.

The most common vulnerabilities relate to authentication and identity management, and unaddressed CVEs. Other key vulnerabilities were linked to network and protocol issues, encryption and key management, and access control and authorization.

Less common, but perhaps even scarier, the survey found instances of ransomware protection and other security features going unused or being incorrectly configured.

“Even when enabled and in use, critical vendor best practices were frequently not followed—for example, retained immutable copies were not locked, time services were not hardened (potentially allowing attackers to manipulate retention expiration), and dual authorization for delete operations was improperly configured or entirely absent.”

And it spotted a “notable” percentage of systems that had reached end-of-support, but which were still used in production.

Continuity’s CTO, Doron Pinhas, said that across the entire sample, it identified around 6000 security misconfigurations.

“I think what’s alarming but somewhat consistent with previous years is that the number of incidents per storage and data protection devices is very, very high,” he said. “Much higher than in other areas of IT.”

Misconceptions mean misconfigurations

There appeared to be a misconception that existing vulnerability management and risk posture tools covered storage and data protection devices, but this was not necessarily the case.

Many of the issues are painfully basic, such as devices being left with factory default passwords or configurations. Storage and data protection devices are also often left out when multi-factor authentication policies are implemented.

Likewise, Pinhas suggested, while storage and backup vendors might be actively publishing CVEs, these might not be ingested by enterprises’ existing scanning and update tools.

“The result is that as we analyze an environment, we’ll typically find a ton of CVEs. Some of them are pretty dated,” he said.

“That’s kind of frightening,” he continued, “because those exploits are there and once you’re in you can delete snapshots, you can delete backups.”

Pinhas said, “There are rootkits that attack all the major backup vendors, block devices, NAS devices, and the vulnerabilities are out there, and the misconfigurations are not hardened. So, [they’re] ripe for an attack.”