ARN

Average enterprise storage/backup device has 14 vulnerabilities, three high or critical risks

The State of Storage and Backup Security Report 2023 reveals a significant gap between the security of enterprise storage and backup systems and that of other layers of IT and network security.

The average enterprise storage and backup device has 14 vulnerabilities, three of which are high or critical risk that could present a significant compromise if exploited. That’s according to Continuity’s State of Storage and Backup Security Report 2023, which revealed a significant gap in the state of enterprise storage and backup security compared to other layers of IT and network security. The findings are based on assessments of 245 environments with 8,589 storage and backup devices from leading providers including Dell, NetApp, Veritas, and Hitachi Vantara.

Most organisations studied were from the banking sector, with companies from the healthcare, telecommunications, and IT services sectors also among those assessed. Given organisations’ increasing reliance on data backups as part of ransomware recovery plans, Continuity’s findings regarding the prevalence of vulnerabilities affecting storage and backup devices are significant.

Organisations failing to address data backup security risks

A total of 9,996 discrete security issues (vulnerabilities and security misconfigurations) were detected by Continuity, spanning more than 270 security principles that were not adequately followed, according to the report. The statistic that the average enterprise storage/backup device has 14 security risks – three with high or critical risk ratings – is almost identical to last year’s State of Storage and Backup Security Report, indicating little has been done to address this high-risk area. Unpatched vulnerabilities in storage and backup systems are the main points of attack for most ransomware, yet organisations are not aware that traditional vulnerability management tools do not cover those systems well, Continuity said.

“Securing enterprise storage and backup systems has become a critical part of organisations’ cyber resiliency strategies,” said Dennis Hahn, principal analyst at Omdia. “As important as rapid data recovery is to business continuity if data is lost or stolen, it is arguably even more important to protect data anywhere it lives and not let storage and backup systems themselves become an entry point for attack.”

Top 5 data storage and backup device security risks

The top five storage and backup device security risks detected by Continuity in its latest analysis are:

  1. Insecure network settings (use of vulnerable protocols, encryption ciphers)
  2. Unaddressed Common Vulnerability and Exposures (CVEs)
  3. Access rights issues (over-exposure)
  4. Insecure user management and authentication
  5. Insufficient logging and auditing

Other less frequent but high priority risks detected include vulnerabilities in software supply-chain management, incorrect configuration or non-use of anti-ransomware features, and undocumented and insecure APIs/CLIs.

Factors contributing to the risks organisations are facing include the cyber implications of the Russia-Ukraine conflict, compliance/insurance challenges, and divisions between IT infrastructure and security teams, Continuity said.

How to address storage and backup device security risks

The report outlines the potential business impacts of the five most common storage and backup device security risks, along with recommendations for addressing them.

Insecure network settings can be exploited by cybercriminals to retrieve and tamper with configuration information and stored data, the report read. To address the risks of insecure network settings, Continuity advised closing knowledge gaps about storage and backup network security concepts, risks, and best practices, defining internal requirements to adapt industry recommendations, identifying and remediating gaps between requirements and actual settings, and building effective, ongoing processes to continually evaluate storage and backup security posture.

The business risks of unaddressed CVEs include the ability to exfiltrate files, initiate denial-of-service (DoS) attacks, and even take ownership of files and block devices, Continuity said. It advised businesses to improve proactive CVE identification with storage-specific tools to scan storage and backup environments for CVEs, and to reduce remediation time for important vulnerabilities, identifying and patching CVEs with critical and high CVSS scores as quickly as possible.

Access rights issues expose organisations and compromise data and its copies. In some cases, they can lead to compromise of the operating systems of the hosts that use the storage, Continuity warned. Teams should implement appropriate least-privilege access models for data access as well as for the management and control planes, and audit and correct exposures on a frequent basis.

Incorrect and insecure configuration can allow cybercriminals to take full control over storage and backup systems, enabling them to exfiltrate and destroy the data – and its copies. Mitigative steps include locking and renaming or deleting factory default users (where possible), eliminating the use of local user accounts, separating responsibilities and access roles for primary data copies and secondary data copies, and enabling multi-factor authentication (MFA).

Improper logging/auditing can help cybercriminals mask malicious activities and interfere with the ability of central security tools to detect anomalies, Continuity wrote. To limit the risks, businesses should log to external repositories, configuring redundant logging targets for each device; configure external timekeeping using at least two NTP sources; and ensure granular logging, at a minimum logging all authentication failures, administrative/security configuration events, and storage access events for critical or sensitive data.
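The report's recommendation to identify gaps between internal requirements and actual device settings, and to re-evaluate posture on an ongoing basis, lends itself to automation. The following is an added example, not Continuity's tooling or any vendor's API: it audits a vendor-neutral, hypothetical configuration record against the five risk categories above (cleartext protocols and weak ciphers, open CVEs ranked by CVSS, over-exposed shares, default/local/non-MFA accounts, and the logging and NTP requirements from the last paragraph). The schema keys, the two sample device records and the CVE identifiers in them are all constructed for this illustration; the CVE ids are placeholders, not real vulnerabilities.

```python
"""Posture audit of a storage/backup device config against the report's five risk categories.
Added example; the config schema is a hypothetical, vendor-neutral one built for illustration."""
from dataclasses import dataclass

# Thresholds drawn from the report's recommendations
HIGH_CVSS = 7.0       # CVSS v3 "High" starts at 7.0, "Critical" at 9.0
MIN_LOG_TARGETS = 2   # redundant external logging targets per device
MIN_NTP_SOURCES = 2   # at least two NTP sources
REQUIRED_AUDIT_EVENTS = {"auth_failure", "admin_config_change", "sensitive_data_access"}
CLEARTEXT_PROTOCOLS = {"telnet", "http", "ftp", "snmpv1", "snmpv2c"}
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "NULL", "EXPORT", "MD5")

@dataclass
class Finding:
    category: str   # one of the five risk categories in the report
    severity: str   # "critical", "high" or "medium"
    detail: str

def check_network(cfg):
    """Risk 1: insecure network settings (cleartext protocols, weak ciphers)."""
    out = []
    for proto, enabled in cfg.get("protocols", {}).items():
        if enabled and proto in CLEARTEXT_PROTOCOLS:
            out.append(Finding("insecure_network", "high", f"cleartext protocol enabled: {proto}"))
    for cipher in cfg.get("tls_ciphers", []):
        if any(m in cipher.upper() for m in WEAK_CIPHER_MARKERS):
            out.append(Finding("insecure_network", "medium", f"weak cipher offered: {cipher}"))
    return out

def check_cves(cfg):
    """Risk 2: unaddressed CVEs, prioritised by CVSS as the report advises."""
    out = []
    for cve in cfg.get("open_cves", []):
        if cve["cvss"] >= 9.0:
            out.append(Finding("unaddressed_cve", "critical", f"{cve['id']} CVSS {cve['cvss']}"))
        elif cve["cvss"] >= HIGH_CVSS:
            out.append(Finding("unaddressed_cve", "high", f"{cve['id']} CVSS {cve['cvss']}"))
    return out

def check_access(cfg):
    """Risk 3: access rights over-exposure on exported shares."""
    out = []
    for share in cfg.get("exports", []):
        if "*" in share.get("clients", []):
            out.append(Finding("access_rights", "high", f"{share['path']} exported to every client"))
        if not share.get("root_squash", True):
            out.append(Finding("access_rights", "medium", f"{share['path']} grants remote root"))
    return out

def check_users(cfg):
    """Risk 4: active default accounts, local accounts, admins without MFA."""
    out = []
    for u in cfg.get("users", []):
        if u.get("locked"):
            continue  # a locked account cannot be used; nothing to flag
        if u.get("default"):
            out.append(Finding("user_management", "high", f"factory default account active: {u['name']}"))
        elif u.get("local"):
            out.append(Finding("user_management", "medium", f"local (non-directory) account: {u['name']}"))
        if u.get("is_admin") and not u.get("mfa"):
            out.append(Finding("user_management", "high", f"admin without MFA: {u['name']}"))
    return out

def check_logging(cfg):
    """Risk 5: redundant external logging, external time, granular audit events."""
    out = []
    if len(cfg.get("syslog_targets", [])) < MIN_LOG_TARGETS:
        out.append(Finding("logging_auditing", "high", "fewer than two external log targets"))
    if len(cfg.get("ntp_servers", [])) < MIN_NTP_SOURCES:
        out.append(Finding("logging_auditing", "medium", "fewer than two NTP sources"))
    for ev in sorted(REQUIRED_AUDIT_EVENTS - set(cfg.get("audit_events", []))):
        out.append(Finding("logging_auditing", "high", f"audit event not logged: {ev}"))
    return out

def assess(cfg):
    """Run all five checks; return the findings and a count per severity."""
    checks = (check_network, check_cves, check_access, check_users, check_logging)
    findings = [f for chk in checks for f in chk(cfg)]
    summary = {"total": len(findings)}
    for sev in ("critical", "high", "medium"):
        summary[sev] = sum(1 for f in findings if f.severity == sev)
    return findings, summary

# Constructed sample: a weakly configured appliance. CVE ids are placeholders, not real CVEs.
WEAK_DEVICE = {
    "protocols": {"ssh": True, "telnet": True, "https": True, "http": False},
    "tls_ciphers": ["TLS_AES_256_GCM_SHA384", "TLS_RSA_WITH_RC4_128_SHA"],
    "open_cves": [{"id": "CVE-0000-0001", "cvss": 9.8}, {"id": "CVE-0000-0002", "cvss": 7.5},
                  {"id": "CVE-0000-0003", "cvss": 4.3}],
    "exports": [{"path": "/backups", "clients": ["*"], "root_squash": False}],
    "users": [{"name": "admin", "default": True, "locked": False, "local": True, "is_admin": True, "mfa": False},
              {"name": "backupops", "default": False, "locked": False, "local": True, "is_admin": True, "mfa": True},
              {"name": "svc-sso", "default": False, "locked": False, "local": False, "is_admin": False, "mfa": True}],
    "syslog_targets": ["10.0.0.5"], "ntp_servers": ["10.0.0.10"],
    "audit_events": ["auth_failure", "admin_config_change"],
}
# The same appliance after applying the report's recommendations (constructed).
HARDENED_DEVICE = {
    "protocols": {"ssh": True, "telnet": False, "https": True, "http": False},
    "tls_ciphers": ["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"],
    "open_cves": [],
    "exports": [{"path": "/backups", "clients": ["10.0.1.0/24"], "root_squash": True}],
    "users": [{"name": "admin", "default": True, "locked": True, "local": True, "is_admin": True, "mfa": False},
              {"name": "svc-sso", "default": False, "locked": False, "local": False, "is_admin": True, "mfa": True}],
    "syslog_targets": ["10.0.0.5", "10.0.0.6"], "ntp_servers": ["10.0.0.10", "10.0.0.11"],
    "audit_events": sorted(REQUIRED_AUDIT_EVENTS),
}

if __name__ == "__main__":
    for label, dev in (("weak", WEAK_DEVICE), ("hardened", HARDENED_DEVICE)):
        findings, summary = assess(dev)
        print(label, summary)
        for f in findings:
            print(f"  [{f.severity}] {f.category}: {f.detail}")
```

Run stand-alone, the script reports 12 findings for the weak record (one critical, seven high, four medium) and none for the hardened one. In practice each check function would read its inputs from the device's management API or exported configuration rather than from an inline dictionary, and the findings would be shipped to the same external log repository the report recommends so that posture drift is visible over time.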