Storage Vulnerabilities: The Neglected Cybersecurity Frontier

A 2021 study by Continuity details the fact that lack of storage security is putting a great many organizations at risk. Based on an analysis of more than 400 high-end storage devices, over 6,000 discrete vulnerabilities, misconfigurations, and other security issues were detected. 

“On average, an enterprise storage device has around 15 security vulnerabilities, out of which three can be regarded as being at a high or critical risk rating that could present significant compromise if exploited,” said Doron Pinhas, CTO at Continuity. “This is evidence of the fact that storage and backup systems have a significantly weaker security posture than the compute and network infrastructure layers.” 

He laid out some of the common vulnerabilities in storage and backup systems such as: 

  • Not disabling legacy versions of storage protocols, or defaulting to their use (e.g., SMBv1, NFSv3).  
  • Using cypher suites that are no longer recommended, such as allowing TLS 1.0 and 1.1 and not disabling SSL 2.0 and 3.0. 
  • Not enforcing data encryption for critical data feeds such as management transport, replication transport, and backup transport). 
  • Allowing cleartext HTTP sessions.
  • Lack of central user management. 

CVEs Impacting Storage 

Common Vulnerability and Exposure (CVE) records are published regularly to alert the world of IT about the latest threats as well as well-known threats the bad guys keep exploiting. These records typically offer a solution in the form of a patch, a recommended upgrade, or a suggested configuration change. 

Unfortunately, a surprising number of organizations fall behind on patching. Cybercriminals are still finding, for example, Internet Explorer and Windows XP systems lurking in organizations that are riddled with vulnerabilities as they have been unsupported for years. 

Further, patches that have been issued to fix major bugs on critical systems can remain unpatched for months due to neglect, slow testing of patches, or lack of personnel resources. To make matters worse, vulnerability scanning tools often miss the CVEs that apply to storage and backup systems.

“Common vulnerability management tools used by enterprises do not detect many storage CVEs as they tend to focus on server OSes, traditional network gear, and software products,” said Pinhas. 

His research found that close to 20 percent of storage devices are badly exposed. Around 70 different CVEs were detected in the sampled storage environments that could be used to exfiltrate files, initiate denial-of-service attacks, take ownership of files, and block devices. 

Ransomware Weaknesses 

Perhaps the most shocking finding is the susceptibility of storage and backup to ransomware. In the fight against ransomware, IT is focused on the front door. They set up firewalls, website defenses, endpoint detection and response, and other tools to prevent direct incursion. Yet the back door may be wide open via storage or backup systems. 

“Although modern storage devices offer ransomware detection and prevention capabilities, as well as advanced capabilities for locking retained copies, protecting critical data from tampering and deletion, and certain forms of air-gapping, these features are often overlooked,” said Pinhas. “Even when used, many configurations did not meet vendor best practices and left the organization exposed to the threat of ransomware. 

Due to these threats, Continuity has pivoted from its traditional market of maintaining availability onto the scanning of data storage, storage management, and backup systems to look for vulnerabilities and security misconfigurations.

“Our StorageGuard product provides continuous scanning and analysis of data storage and backups, as well as automatic detection of security risks,” said Pinhas. 

The goal is to give enterprises complete visibility into storage and backup blind spots and to automatically prioritize the most urgent risks.

Drew Robb
Drew Robb
Drew Robb has been writing about IT and engineering for more than 25 years. Originally from Scotland, he now lives in Florida.

Latest Articles