Storage security vulnerabilities abound. You likely know of many and likely haven't thought about others. What's causing the problem, and what should you be looking out for? It's just a matter of time before something on the network -- a router, a server, a Web application -- is exploited by an external attacker or malicious insider. With the increased visibility and avenues of attack, your storage systems are no different. I'm not speaking gloom and doom, just being realistic.
How storage got pulled into the problem
Like anything else IT-related, there are vulnerabilities that can lead to business risks within your storage environment. It's not the mere fact that storage systems are susceptible to attack that makes this a big deal; nor is it related to the fact that storage security easily falls within the scope of your organization's compliance initiatives. Instead, it involves things like having to secure multiple layers of systems that support your storage environment, such as physical access, network configuration and transport, authentication mechanisms, management tools and so on. There's also the fact that various business processes, such as information classification, legal discovery, user provisioning, system monitoring and ongoing auditing, apply directly to storage.
In the past, the complexities associated with storage systems, network isolation and lack of storage knowledge have kept most attackers at bay. The tides are turning, and now the bad guys understand what storage is about and how it works. They're discovering the multiple avenues for accessing the storage environment and utilizing storage-specific hacking tools to try and get to your systems. So, regardless of what storage technologies you use and how they're configured, there's near a 100% certainty that your systems are at risk and will continue to be.
Here's why and how your storage environment will be attacked.
Common misconceptions and oversights
Regardless of how your organization's data is created, handled or otherwise processed, it will inevitably end up in your storage environment. You're going to have to be prepared to keep it locked down and inaccessible from unauthorized people the best you can. Acknowledging this fact is half the battle, especially if you work closely with your information security team or any others that are responsible for protecting electronic assets.
There are other issues that aren't quite as simple. In fact, many are outright falsehoods based on "old-school" thinking and a general lack of information security knowledge. In no particular order, here are seven issues you, as a storage administrator or manager, will have to overcome in order to keep your storage systems secure and make improvements long term:
- Storage security does not equal redundant systems and good backups. These two elements are only part of what's going to keep your data safe and sound, so it's important not to solely rely on them as has been done in the past.
- The protocol doesn't matter. Both IP-based storage and Fibre Channel have their own unique issues and one is not necessarily any less susceptible to attack than the other.
- Storage encryption is not the silver bullet. Not for data at rest and not for data in transit. It does offer a nice last line of defense in your network security layers, but it cannot be relied upon by itself.
- It's not the storage team's responsibility to ultimately secure the storage environment. It's everyone's responsibility, including the information security team and other IT, audit and compliance staff. Good communication between different departments is critical to make this work.
- Your users can/should never be trusted to do what's right. Set your users and yourself up for success by keeping them out of what they don't need access to with network segmentation and proper authentication and access controls.
- Ability does not always equal permission. Just because a user or an attacker can access your storage systems doesn't mean they're supposed to have that access. Backdoors and users with unnecessary privileges are often overlooked and often lead to breaches. Be on the lookout for these holes.
- A user or external attacker will likely be able to get in far enough to do damage. Contrary to popular perception, there are ways to get into your storage environment -- often with ease. Do you know who has access that can lead to system compromise? The only way to know for sure is to test for storage security holes on a consistent basis.
How it will happen
When you combine the problems outlined above with your system complexities and difficulties of keeping everything within your sights at all times, this will inevitably lead to an unnecessary or unauthorized storage exposure. There are hundreds of ways for storage systems to be attacked. They'll come from within your own network and from the outside, but here are seven biggies:
- The network perimeter or DMZ will be breached. Separating IP-based storage systems into their own secured area is often overlooked, which is a sure-fire way to facilitate an attack.
- The internal network will be breached. Many internal LANs are configured without segmentation and proper access controls, allowing trusted insiders to poke and prod around to see what they can get to.
- Share and file permissions will allow for unauthorized access. More often than not, it's very easy to find misconfigured share and file permissions allowing anyone and everyone to browse, load and copy data they shouldn't have access to. This is an especially serious issue when it comes to users copying files to their local drives and other parts of the network "temporarily" for the sake of convenience.
- Management software will fall into the wrong hands. Or, your management stations will be compromised leading to unauthorized users connecting to and "managing" your storage systems.
- DNS servers will be hacked. This allows for name pollution and redirection, and eventually users storing sensitive data to the wrong place -- an attacker's system.
- Network traffic will be captured. This will happen on both wired and wireless networks allowing for man-in-the-middle attacks, session hijacking and both online and offline password attacks. This is much easier than it seems. Improperly secured wireless networks are a breeze to compromise. All it takes on the wired side is a good network analyzer and Address Resolution Protocol (ARP) poisoning via Cain & Abel or similar tool.
- Operating system and application weaknesses will be exploited. Compromising a server is no longer theoretical, or something that can only be carried out by an external attacker with tons of knowledge and time. In fact, a simple misconfiguration or missing patch on a storage device or supporting system can be easily discovered using Nessus Vulnerability Scanner, QualysGuard PCI or similar tool. These weaknesses can then be exploited by pretty much anyone in the real world, regardless of their technical abilities, in a matter of minutes using Metasploit, Core Impact or another similar tool.
Over the years, there has been a disconnect between storage administration and information security, which has helped facilitate these storage system attacks. There's a lot of payoff associated with doing something about the problem. If you start working on fixing the underlying issues that are contributing to this within your organization, you'll be well ahead of your peers and on the path toward improving your overall storage skill set and keeping your organization's storage security in check.
About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has written six books, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley), as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver ~at~ principlelogic.com.