Hack your storage to test your security

It used to be that storage systems existed on small, trusted networks with minimal access. Now, with the never-ending expansion of storage systems, multiple administrators, management software "feature bloat" and the co-mingling of non-sensitive and sensitive information on the same storage systems, storage systems have taken on complexities of their own and are proving to be more and more vulnerable to security breaches.

Related information You knew it had to happen sooner or later Data leaks and losses abound

When it comes to testing for vulnerabilities in storage systems (DAS, NAS, and SANs), it's easy to overlook weaknesses that may be obvious to a malicious insider or other attacker. From perimeter security weaknesses to insider advantages, such as knowing just where sensitive storage devices are located, these kinds of hit-or-miss issues will get you every time.

Any storage system that supports typical network protocols and file systems (HTTP, FTP, CIFS, NFS, etc.) will also inherit any vulnerabilities associated with those protocols; likewise for operating system configuration weaknesses, software exploits, password problems, Web applications and more. At a minimum, you should perform the following security tests (a.k.a. ethical hacks) on your storage system to find holes and fix them before someone exploits them. Keep in mind that certain tests will vary (or not apply) depending upon the type of storage system you have and its underlying operating system (OS), as well as the type of network and/or physical access obtained.

1. Scan the system to discover open ports, listening services, banner pages, missing patches, Web application and/or database concerns and exploitable weaknesses. Tools you can use for this include:
   • SuperScan
   • nmap

2. Enumerate the system to find available shares, exports, users, security policies and more. Tools and OS commands you can use for this include:
   • SuperScan (version 4)
   • GFI LANguard Network Security Scanner
   • QualysGuard
   • showmount for UNIX/NFS-based systems (i.e., showmount –e ip_address)
   • net view for Windows/CIFS-based systems (i.e., net view ip_address)
3. Attempt to exploit weaknesses discovered in steps 1 and 2 above. Metasploit and its commercial equivalents are great for this. For Web and database vulnerabilities, consider using a href=" http://www.spidynamics.com/products/webinspect/index.html">WebInspect and AppDetective, respectively -- two very powerful commercial tools you can use to dig in deep.
4. Go for anonymous access to see if a connection can be made (surprisingly this is all too common on network shares). Commands and tools you can use for this include:
   • mount for UNIX/NFS-based systems (i.e., mount –o anon IP:/volume k:)
   • net use for Windows/CIFS-based systems (i.e., net use k: \\ip_address\share_name "/u:""")
5. Test for ARP spoofing weaknesses to determine if the network switch can be "disabled" and full network visibility can be obtained. Ettercap is a great tool for this.
6. Sniff network traffic to discover clear-text usernames and passwords that can be used to further penetrate storage devices. For SAN environments, Fibre Channel, switch and management information can be discovered in clear-text traffic. Tools you can use for this include Ethereal and EtherPeek.
7. Modify the World Wide Name (WWN) using the host bus adapter's device driver configuration software to see if WWN zoning controls for SANs can be bypassed.

Given all the variables, the list of available storage hacks could go on and on indefinitely. These should be on your short list, though. Don't forget about physical security either; if you can justify it, it'll likely behoove you to hire someone to perform physical security penetration and social engineering tests to see how your data center can be compromised. It's important not to overlook these weaknesses because once an attacker has physical access to your storage systems, all bets are off.

Also, during your testing or at least once you're done, check the logs of your network and storage-centric security controls such as firewalls, IDSs and access logs to see if anything was discovered and highlighted as a possible security event. Look for port scans, malformed network traffic, intruder lockouts that were tripped, privilege escalations and other security-related issues. This is a time and a good way to verify your security controls are doing what they're supposed to be doing.

Rate this Tip To rate tips, you must be a member of SearchStorage.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Data storage management,   Storage Security FAQ,   Related information,   Secure data storage,   Data Protection,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Data storage management Optimizing enterprise data storage capacity and performance to reduce your data footprint Is data deduplication right for your primary storage infrastructure? Fail-in-place systems: Avoiding hard disk drive failures Data storage resources needed to implement a virtual desktop infrastructure Storage encryption essentials Addressing storage performance bottlenecks in enterprise data storage Data archiving: Three key elements Archiving data to cloud storage: How to choose the right cloud storage provider How to buy a blade server Tips for an effective data deduplication implementation Related information New Seminar: Data Protection: Preventing Data Theft and Loss SAN security benefits NAS security The pros and cons of portable storage Five must-have storage security testing tools Risk management: Know your storage risks Secure data storage Throwing caution to the clouds Storage encryption essentials Vendors take steps to lock down cloud storage services Encryption Special Report: Key management stumbling block to securing data What you need to know about storage encryption products Isilon targets enterprise NAS with Backup Accelerator, N+2:1 parity Storage Decisions Chicago 2009 Session Downloads Storage Decisions Session Downloads: Disaster Recovery Track (Chicago 2009) Storage Decisions Session Downloads: Data Retention & Retrieval Track (Chicago 2009) Data on the brink RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary hard drive shredder  (SearchStorage.com) Storage as a Service (SaaS)  (SearchStorage.com) storage encryption  (SearchStorage.com) storage security  (SearchStorage.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.