Data storage and backup systems used to have a much higher profile in the industry. Prior to its acquisition by Dell in 2016, the annual EMC World event attracted around 14,000 people. That show is long gone along with other storage-focused events. As storage faded from the spotlight, it has to some degree been taken for granted. And that has opened a collection of cybersecurity issues.
“The backend role of storage and backup systems in supporting apps, containers, virtual and physical machines means that not enough attention is paid to the fact that they can be misconfigured and poorly patched, which creates a point of exposure that can be exploited,” said Greg Schulz, an analyst with StorageIO Group. “They need the same ongoing maintenance, remediation and exploit protection as any other server or computer.”
The state of storage insecurity

One of the best analyses of the problem was done by Continuity on more than 700 storage and backup devices used in more than 200 enterprise environments. They came from a mix of providers such as Dell, NetApp, Veritas, Hitachi Vantara, Pure and Commvault. The study highlighted a shocking number of potential security issues. According to Continuity CEO Gil Hecht, about 10,000 discrete security issues were unearthed.
“The average enterprise storage and backup device has 14 security risks, out of which three are of high or critical risk rating and could present significant compromise if exploited,” said Hecht.
Insecure network settings were among the top areas of risk. Examples include failure to disable vulnerable legacy protocols such as SMBv1 and NFSv3 (or defaulting to their use), use of obsolete cipher suites and protocol versions (TLS 1.0 and 1.1 allowed, SSL 2.0 and 3.0 not disabled), and lack of encryption for critical data feeds related to storage and backup, such as the transport of management, replication and backup traffic. Cybercriminals may be able to use such mistakes to retrieve configuration information and tamper with stored data, including the copies used for backup protection.
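As an added example (not from the article or from any of the vendors named), a small Python audit that flags the network settings described above on a constructed device configuration. The configuration schema, the severity ratings and the function names are assumptions for illustration; real arrays expose these settings through vendor-specific CLIs or APIs.

```python
from dataclasses import dataclass

# Illustrative severity ratings (assumptions for this example, not the
# article's): legacy file protocols and obsolete TLS/SSL versions.
LEGACY_FILE_PROTOCOLS = {"smb1": "high", "nfsv3": "medium"}
OBSOLETE_TLS = {"ssl2": "critical", "ssl3": "critical",
                "tls1.0": "high", "tls1.1": "high"}
# Traffic classes whose transport must be encrypted.
SENSITIVE_FEEDS = ("management", "replication", "backup")

@dataclass(frozen=True)
class Finding:
    setting: str
    severity: str
    detail: str

def audit_network_settings(cfg: dict) -> list:
    """Return one Finding per weak network setting in `cfg` (hypothetical schema)."""
    findings = []
    for proto in cfg.get("file_protocols_enabled", []):
        sev = LEGACY_FILE_PROTOCOLS.get(proto.lower())
        if sev:
            findings.append(Finding(proto, sev, "legacy file protocol enabled; disable it"))
    for ver in cfg.get("tls_versions_allowed", []):
        sev = OBSOLETE_TLS.get(ver.lower())
        if sev:
            findings.append(Finding(ver, sev, "obsolete TLS/SSL version allowed"))
    feeds = cfg.get("feeds", {})
    for feed in SENSITIVE_FEEDS:
        # A feed that is missing, or lacks an explicit encrypted=True, is treated as plaintext.
        if not feeds.get(feed, {}).get("encrypted", False):
            findings.append(Finding(f"{feed} transport", "high", "traffic not encrypted in transit"))
    return findings

def risk_summary(findings: list) -> dict:
    """Summarise findings the way the survey does: total, and how many are high/critical."""
    high = sum(1 for f in findings if f.severity in ("high", "critical"))
    return {"total": len(findings), "high_or_critical": high}

# Constructed sample configuration for a hypothetical backup appliance.
SAMPLE_CONFIG = {
    "file_protocols_enabled": ["SMB1", "SMB3", "NFSv3", "NFSv4"],
    "tls_versions_allowed": ["SSL3", "TLS1.0", "TLS1.2"],
    "feeds": {"management": {"encrypted": True},
              "replication": {"encrypted": False}},  # backup feed not configured at all
}

for f in audit_network_settings(SAMPLE_CONFIG):
    print(f"[{f.severity}] {f.setting}: {f.detail}")
print(risk_summary(audit_network_settings(SAMPLE_CONFIG)))
```

On the sample configuration the audit reports six findings, five of them high or critical; the silently unconfigured backup feed is flagged because absence of encryption is treated as plaintext, not as unknown.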
Unpatched systems high on the data storage hit list

Unaddressed Common Vulnerabilities and Exposures (CVEs) also rank high among storage and backup system weak points. In this software-defined world, the operating systems of storage arrays, backup appliances and storage switches, as well as the firmware in various storage controllers and adapters, are subject to regular updates and fixes.
Unfortunately, the state of patching of these systems is poor, and has been found to be much worse than in other enterprise systems. Why? Most vulnerability and patch scanning tools specialize in third-party applications and operating systems such as Windows. They catch a lot but can miss critical areas related to storage and backup.
“Unpatched vulnerabilities in storage and backup systems are the main points of attack for most ransomware,” said Hecht. “Users are unaware that traditional vulnerability management tools do not cover those systems well.”
Access oversubscription haunts storage systems

Oversubscription of access rights, insecure user management and authentication, and insufficient logging and auditing also haunt many storage and backup systems. Those who have deployed immutable storage systems should take note: unpatched, misconfigured or unauthenticated immutable systems that can be accessed by the janitor offer little peace of mind.
“Some enterprises may not lock down storage resources, retire older devices and review access logs,” said Andy Stone, CTO Americas, Pure Storage.
Many storage platforms use a form of integrated authentication for administrative accounts. That means that once an attacker elevates their access in an environment, the storage platforms are vulnerable to attack just like any other system.
Shoring up storage cyber-weaknesses

It is time, then, that cybersecurity professionals reviewed the state of backup and storage security with fresh eyes. A good place to start is NIST SP 800-209, Security Guidelines for Storage Infrastructure. It offers a set of security recommendations to address storage-related threats in areas such as physical security, authentication and authorization, change management, configuration control, incident response and recovery, data protection, isolation, restoration assurance and encryption.
Continuity’s StorageGuard is another useful tool. It supplements other vulnerability and patching systems by scanning, detecting and fixing security misconfigurations and vulnerabilities specific to storage and backup devices.
“Determine if security gaps exist and build a plan to address them by proactively addressing risks using an automated solution that continually validates the security posture of your storage and backup systems,” said Hecht.
Stone recommends upgrading legacy storage systems to modern storage solutions with built-in data protection, business continuity and ransomware capabilities. This includes immutable snapshots that can't be encrypted, modified or deleted by bad actors (provided, of course, that the systems holding them are properly maintained, patched and configured).
“Keeping systems up-to-date and fully patched will make for a much harder target,” said Stone. “In addition, implementing a technology solution to vault admin credentials throughout the environment to restrict administrative access will greatly increase the cost of an attack by dramatically increasing the difficulty.”
Data storage infrastructure still lagging

Storage infrastructure security, then, lags behind compute and network security. With the growing sophistication of cyber-attacks, the bad guys have discovered that even if sensitive databases are completely locked down, a back door may exist via storage or backup systems. Once inside, it is often relatively easy for a threat actor to fabricate a message about backup, for example, and have the keys to the kingdom presented.
“Securing enterprise storage and backup systems has become a critical part of organizations’ cyber resiliency strategies,” said Dennis Hahn, principal analyst, Data Center Storage and Data Management for analyst firm, Omdia. “As important as rapid data recovery is to business continuity if data is lost or stolen, it is arguably even more important to protect data anywhere it lives and not let storage and backup systems themselves become an entry point for attack.”