Why and how your storage environment will be attacked


Kevin Beaver
03.01.2007

What problem you will solve with this tip: Learn where storage security vulnerabilities exist and how your systems are likely to be attacked.

Storage security vulnerabilities abound. You likely know of many and likely haven't thought about others. What's causing the problem, and what should you be looking out for? It's just a matter of time before something on the network -- a router, a server, a Web application -- is exploited by an external attacker or malicious insider. With the increased visibility and avenues of attack, your storage systems are no different. I'm not speaking gloom and doom, just being realistic.

How storage got pulled into the problem

Like anything else IT-related, there are vulnerabilities that can lead to business risks within your storage environment. It's not the mere fact that storage systems are susceptible to attack that makes this a big deal; nor is it related to the fact that storage security easily falls within the scope of your organization's compliance initiatives. Instead, it involves things like having to secure multiple layers of systems that support your storage environment, such as physical access, network configuration and transport, authentication mechanisms, management tools and so on. There's also the fact that various business processes, such as information classification, legal discovery, user provisioning, system monitoring and ongoing auditing, apply directly to storage.

In the past, the complexities associated with storage systems, network isolation and lack of storage knowledge have kept most attackers at bay. The tides are turning, and now the bad guys understand what storage is about and how it works. They're discovering the multiple avenues for accessing the storage environment and utilizing storage-specific hacking tools to try to get to your systems. So, regardless of what storage technologies you use and how they're configured, there's a near-100% certainty that your systems are at risk and will continue to be.

Here's why and how your storage environment will be attacked.

Common misconceptions and oversights

Regardless of how your organization's data is created, handled or otherwise processed, it will inevitably end up in your storage environment. You're going to have to be prepared to keep it locked down and inaccessible to unauthorized people as best you can. Acknowledging this fact is half the battle, especially if you work closely with your information security team or any others who are responsible for protecting electronic assets.

There are other issues that aren't quite as simple. In fact, many are outright falsehoods based on "old-school" thinking and a general lack of information security knowledge. In no particular order, here are seven issues you, as a storage administrator or manager, will have to overcome in order to keep your storage systems secure and make improvements long term:

  1. Storage security does not equal redundant systems and good backups. These two elements are only part of what's going to keep your data safe and sound, so it's important not to solely rely on them as has been done in the past.
  2. The protocol doesn't matter. Both IP-based storage and Fibre Channel have their own unique issues and one is not necessarily any less susceptible to attack than the other.
  3. Storage encryption is not the silver bullet. Not for data at rest and not for data in transit. It does offer a nice last line of defense in your network security layers, but it cannot be relied upon by itself.
  4. It's not the storage team's responsibility to ultimately secure the storage environment. It's everyone's responsibility, including the information security team and other IT, audit and compliance staff. Good communication between different departments is critical to make this work.
  5. Your users can/should never be trusted to do what's right. Set your users and yourself up for success by keeping them out of what they don't need access to with network segmentation and proper authentication and access controls.
  6. Ability does not always equal permission. Just because a user or an attacker can access your storage systems doesn't mean they're supposed to have that access. Backdoors and users with unnecessary privileges are often overlooked and often lead to breaches. Be on the lookout for these holes.
  7. A user or external attacker will likely be able to get in far enough to do damage. Contrary to popular perception, there are ways to get into your storage environment -- often with ease. Do you know who has access that can lead to system compromise? The only way to know for sure is to test for storage security holes on a consistent basis.
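
One way to make the recurring test in items 6 and 7 concrete for NFS-based storage is to audit the export list for access that exists but was never meant to be granted. The Python below is an added example, not part of the original tip; the export paths and host names are constructed, and it assumes single-line entries in Linux `/etc/exports` syntax (no line continuations, quoted paths or netgroups).

```python
import re

# Constructed sample in Linux /etc/exports syntax (paths and hosts are made up).
SAMPLE_EXPORTS = """\
# path         client(options)
/srv/finance   10.0.5.0/24(rw,sync,root_squash)
/srv/scratch   *(rw,sync,no_root_squash)
/srv/archive   (ro,sync)
/srv/hr        hr-app01(rw,sync) *(ro)
/srv/backups   backup01(rw,no_root_squash,insecure)
"""

# One client entry: optional host pattern followed by optional (opt,opt,...).
CLIENT_RE = re.compile(r"^(?P<host>[^()\s]*)(?:\((?P<opts>[^)]*)\))?$")

def audit_exports(text):
    """Return (line, path, client, issue) for each risky export entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients or [""]:          # no client list means everyone
            m = CLIENT_RE.match(spec)
            if m is None:
                findings.append((lineno, path, spec, "unparsed"))
                continue
            host = m.group("host") or "*"     # "(ro)" with no host means everyone
            opts = set(filter(None, (m.group("opts") or "").split(",")))
            if host == "*":
                issue = "world-writable" if "rw" in opts else "world-readable"
                findings.append((lineno, path, host, issue))
            for risky in ("no_root_squash", "insecure"):
                if risky in opts:             # remote root kept / any source port
                    findings.append((lineno, path, host, risky))
    return findings

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print("line %d: %s exported to %s: %s" % finding)
```

The `/srv/archive` entry shows the easy-to-miss case: an option list with no client in front of it applies to every host that can reach the server.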

How it will happen

Combine the problems outlined above with the complexity of your systems and the difficulty of keeping everything within your sights at all times, and the inevitable result is an unnecessary or unauthorized storage exposure. There are hundreds of ways for storage systems to be attacked. They'll come from within your own network and from the outside, but here are seven biggies:

  1. The network perimeter or DMZ will be breached. Separating IP-based storage systems into their own secured area is often overlooked, which is a sure-fire way to facilitate an attack.
  2. The internal network will be breached. Many internal LANs are configured without segmentation and proper access controls, allowing trusted insiders to poke and prod around to see what they can get to.
  3. Share and file permissions will allow for unauthorized access. More often than not, it's very easy to find misconfigured share and file permissions allowing anyone and everyone to browse, load and copy data they shouldn't have access to. This is an especially serious issue when it comes to users copying files to their local drives and other parts of the network "temporarily" for the sake of convenience.
  4. Management software will fall into the wrong hands. Or, your management stations will be compromised, leading to unauthorized users connecting to and "managing" your storage systems.
  5. DNS servers will be hacked. This allows for name pollution and redirection, and eventually users storing sensitive data to the wrong place -- an attacker's system.
  6. Network traffic will be captured. This will happen on both wired and wireless networks, allowing for man-in-the-middle attacks, session hijacking and both online and offline password attacks. This is much easier than it seems. Improperly secured wireless networks are a breeze to compromise. All it takes on the wired side is a good network analyzer and Address Resolution Protocol (ARP) poisoning via Cain & Abel or a similar tool.
  7. Operating system and application weaknesses will be exploited. Compromising a server is no longer theoretical, or something that can only be carried out by an external attacker with tons of knowledge and time. In fact, a simple misconfiguration or missing patch on a storage device or supporting system can be easily discovered using Nessus Vulnerability Scanner, QualysGuard PCI or a similar tool. These weaknesses can then be exploited by pretty much anyone in the real world, regardless of their technical abilities, in a matter of minutes using Metasploit, Core Impact or another similar tool.
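
For item 6, ARP poisoning on the wired side leaves a visible trace on every host that talks to the storage target: the target's IP address suddenly resolves to a different MAC address, usually one already in use by another machine. The Python below is an added example, not part of the original tip, that compares two neighbor-table snapshots in Linux `ip neigh show` format; all addresses are constructed and the watched set (gateway and NAS) is an assumption.

```python
# Constructed snapshots in `ip neigh show` format (addresses are made up).
BASELINE = """\
10.20.0.1 dev eth0 lladdr 00:00:5e:00:01:0a REACHABLE
10.20.0.50 dev eth0 lladdr 02:aa:bb:00:00:50 REACHABLE
10.20.0.77 dev eth0 lladdr 02:aa:bb:00:00:77 STALE
"""
CURRENT = """\
10.20.0.1 dev eth0 lladdr 00:00:5e:00:01:0a REACHABLE
10.20.0.50 dev eth0 lladdr 02:AA:BB:00:00:77 REACHABLE
10.20.0.77 dev eth0 lladdr 02:aa:bb:00:00:77 REACHABLE
10.20.0.90 dev eth0 FAILED
"""
WATCHED = {"10.20.0.1", "10.20.0.50"}   # assumed: default gateway and NAS head

def parse_neigh(text):
    """Map IP -> lowercase MAC, skipping entries with no resolved address."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields:
            table[fields[0]] = fields[fields.index("lladdr") + 1].lower()
    return table

def detect_arp_anomalies(before, after, watched):
    """Flag watched IPs whose MAC changed or is shared with another IP."""
    old, new = parse_neigh(before), parse_neigh(after)
    alerts = []
    for ip in sorted(watched):
        if ip in old and ip in new and old[ip] != new[ip]:
            alerts.append(("mac-changed", ip, old[ip], new[ip]))
    by_mac = {}
    for ip, mac in new.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in sorted(by_mac.items()):
        # Limiting this to watched IPs avoids noise from multi-homed hosts.
        if len(ips) > 1 and watched.intersection(ips):
            alerts.append(("mac-shared", mac, sorted(ips)))
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_anomalies(BASELINE, CURRENT, WATCHED):
        print(alert)
```

A planned hardware swap or failover also changes a MAC address, so an alert here is a prompt to verify against change records rather than proof of interception.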

Over the years, there has been a disconnect between storage administration and information security, which has helped facilitate these storage system attacks. There's a lot of payoff associated with doing something about the problem. If you start working on fixing the underlying issues that are contributing to this within your organization, you'll be well ahead of your peers and on the path toward improving your overall storage skill set and keeping your organization's storage security in check.

About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has written six books, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley), as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver ~at~ principlelogic.com.


All Rights Reserved, Copyright 2008, TechTarget