Industry insights

Data storage security isn't working: Here are 5 ways to improve

Drew Robb
January 17, 2023 by
Drew Robb

For many years, data backup and storage technologies have been shrouded in an aura of stability, meaning they are often far removed from a real security threat. 

This is sadly not the case. Deep-seated insecurity and cybercriminals waiting to exploit existing vulnerabilities lie just beneath the veneer of invincibility. Only recently has the illusion of storage and backup security is beginning to evaporate. 

According to the State of Storage Security report, data storage and backup systems are far more insecure than other IT systems currently in use.

Hackers know that these systems are unsecured and are exploiting these weaknesses.

The current state of data storage security

There's an incredibly large information gap between cybersecurity and data storage. The chasm separating these two roles is that gaping holes in storage security that should have otherwise been addressed go unreconciled, allowing for exploitation by bad actors.

Should you pay the ransom?

Should you pay the ransom?

Download The Ransomware Paper for real-world ransomware examples, mistakes and lessons learned.

“The state of enterprise storage security is significantly lagging behind that of computer and network security,” said Doron Pinhas, CTO at Continuity. “Lack of attention to storage security is putting a great many organizations at risk.” 

His analysis of more than 400 high-end storage devices unearthed thousands of potential vulnerabilities, misconfigurations and other security issues.

The average enterprise storage device, it turns out, has around 15 security vulnerabilities, of which three can be regarded as being high-risk. Common problems in storage and backup systems include: 

  • Not enforcing encryption for critical data feeds 
  • Allowing cleartext HTTP sessions 
  • Legacy versions of storage protocols not being disabled or some remaining as the default choice

Common Vulnerability and Exposure (CVE) records are another area of weakness. Not only are there many existing CVEs related to storage and backup systems, but many vulnerability scanning tools miss these CVEs completely. Why? They are designed to spot weaknesses and CVEs in operating systems, networking and applications. And by and large, they do a fine job of that, but not in storage. 

As a result, almost 20% of current storage and data backup devices are said to be badly exposed, according to Pinhas. They represent easy pickings regarding data exfiltration, denial-of-service attacks, taking ownership of files, holding them to ransom and blocking devices. 

Storage insecurity leads to data breaches

Bad actors make it their business to look for and exploit the vulnerabilities present in storage and backup systems, utilizing them as a sure entryway into enterprise organizations. These targets often result in the forms of data breaches and ransomware attacks.

Case in point: Many enterprises go to great lengths to lock down key databases and systems that contain sensitive customer information or intellectual property. They safeguard this information with firewalls, intrusion prevention, encryption, threat monitoring and many other layers of defense.

But bad actors are still gaining access. How? By finding unpatched CVEs or other vulnerabilities in backup systems.

Once inside, they can take control and exfiltrate a backup of even highly protected enterprise systems.

How did they manage such a feat? Other integrated systems within an organization are predisposed to trust backup systems and requests from storage devices. When back actors utilize this weakness to their advantage, they can gain access to high-value data through less secure storage systems.

5 ways to improve storage security now

What is to be done to improve storage security?

1. Constantly test, probe and assess your environment 

“To identify gaps in security and build resilience, organizations should be rigorous in their penetration testing and security assessments of cloud environments,” said Keith Novak, a managing director in the Cyber Risk practice at Kroll

2. Evaluate internal security processes

Pinhas strongly advises IT to carefully evaluate existing internal security processes to determine if they cover storage infrastructure to a sufficient degree. His organization has a tool that provides continuous scanning and analysis of data storage and backups and automatic detection of security risks. While other tools focus on operating systems and applications, StorageGuard addresses the backup and storage blindspot. 

3. Follow NIST best practices

The NIST Guide for Storage Security is a must-read for anyone wishing to shore up storage infrastructure and backup security. It offers a detailed rundown of many of the weaknesses that exist.

Read it. Learn from it. Follow its guidance.

4. Don’t rely only on automated tools

Until such times as automated tools are deployed that comprehensively search for storage and backup vulnerabilities, such bugs will have to be rooted out manually. Use the NIST Guide and the State of Storage Security report for guidance on where to look. 

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

5. Train your team on storage-related threats

Determine the knowledge gaps within your organization around storage and backup security. Then implement training and certification programs to help fill those knowledge gaps.

An educated cybersecurity workforce can help your organization implement other best practices to stay on top of evolving cyber threats and implement continuous data protection.

Drew Robb
Drew Robb

Drew Robb has been writing about IT, engineering and cybersecurity for more than 25 years. He's been published in numerous outlets and resides in Florida.