The frightening world of storage security
Given that no one was truly minding the storage security store, I found a scary situation full of holes the size of Volkswagens. Storage vendors seemed to eschew security in the way they designed, built and managed their products. Few field engineers, developers or chief technology officers ever mentioned security in customer meetings or analyst briefings. I discovered that almost all storage technologies:
- Were never tested for software-based security vulnerabilities. Storage software was filled with insecure interfaces, unnecessary functionality and buffer overflows. The code wasn't even a challenge for script kiddies, let alone sophisticated hackers.

- Left management interfaces wide open. This was especially alarming because hackers often rely on scanning networks to map IP addresses, discover hosts and find open applications. Storage devices were "sitting ducks."

- Had few processes for security bug tracking and patching. In the storage world, software updates were designed to repair software functionality glitches and came out a few times a year. Few vendors had anything in place to monitor, test, fix and distribute patches for addressing security vulnerabilities.

- Relied on insecure channels for storage management. Many storage professionals logged onto storage management apps over insecure protocols like Telnet and HTTP, rather than HTTPS or SSH. Critical storage management data was transported willy-nilly around the network in cleartext.

- Depended on basic authentication. Changing configurations on enterprise-class storage systems required only a user name and password combination. Even scarier, most users would simply log onto devices as "admin," gain root access to the systems and have the ability to change anything.

- Didn't log events. Storage systems may have had some proprietary logging format, but few users knew about it, let alone turned it on.

- Had insecure default configurations. Storage was insecure by default, meaning that if you configured an enterprise storage system the way the vendor recommended, it was wide open to the bad guys.
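The findings above translate directly into a checklist a storage team can run against its own inventory. The script below is an added example, not code from the column or any vendor; the inventory records and their fields are constructed assumptions, not the output of a real management tool.

```python
"""Audit a storage-management inventory for the weaknesses listed above:
cleartext management channels, shared privileged logins, logging turned
off, vendor defaults left in place, and stale patching."""
from dataclasses import dataclass

# Protocols that carry management traffic in cleartext (the article names Telnet and HTTP).
CLEARTEXT_PROTOCOLS = {"telnet", "http"}
# Shared privileged accounts that hide who actually made a change.
SHARED_PRIVILEGED_ACCOUNTS = {"admin", "root"}


@dataclass
class StorageDevice:
    """Hypothetical inventory record; field names are assumptions for this example."""
    name: str
    mgmt_protocols: set            # protocols the management interface accepts
    login_accounts: set            # accounts used for interactive management sessions
    audit_logging: bool            # is event logging enabled?
    vendor_defaults_changed: bool  # has the as-shipped configuration been hardened?
    days_since_last_patch: int


def audit_device(dev: StorageDevice, patch_window_days: int = 90) -> list:
    """Return a list of human-readable findings for one device (empty means clean)."""
    findings = []
    cleartext = sorted({p.lower() for p in dev.mgmt_protocols} & CLEARTEXT_PROTOCOLS)
    if cleartext:
        findings.append(f"cleartext management channel: {', '.join(cleartext)}")
    shared = sorted({a.lower() for a in dev.login_accounts} & SHARED_PRIVILEGED_ACCOUNTS)
    if shared:
        findings.append(f"shared privileged account in use: {', '.join(shared)}")
    if not dev.audit_logging:
        findings.append("event logging disabled")
    if not dev.vendor_defaults_changed:
        findings.append("vendor default configuration unchanged")
    if dev.days_since_last_patch > patch_window_days:
        findings.append(f"no patch applied in {dev.days_since_last_patch} days")
    return findings


def audit_inventory(devices, patch_window_days: int = 90) -> dict:
    """Map each device name to its findings."""
    return {d.name: audit_device(d, patch_window_days) for d in devices}


# Constructed sample inventory: one array in the state the column describes, one hardened.
SAMPLE_DEVICES = [
    StorageDevice("array-01", {"Telnet", "HTTP"}, {"admin"}, False, False, 400),
    StorageDevice("array-02", {"SSH", "HTTPS"}, {"jdoe", "ops-ro"}, True, True, 30),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_DEVICES).items():
        print(name, findings or ["no findings"])
```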