With storage and backup devices often representing the last line of defense against ransomware attacks and outages, they should be as secure as possible so organizations can restore their data in a critical time of need.
However, new research from cyber resilience company Continuity shows that the average enterprise storage and backup device has 14 vulnerabilities, three of which are rated as high or critical. With backups such a crucial part of an organization’s infrastructure, a compromise could lead to a much more significant cyber incident.
The New York City-based company analyzed more than 700 enterprise storage and backup devices as well as nearly 10,000 security issues and found that the average backup and storage device had more than a dozen vulnerabilities. Those security flaws include insecure network settings, unaddressed vulnerabilities, access rights issues, insecure user management and authentication, and insufficient logging and auditing.
According to Continuity, unpatched vulnerabilities in storage and backup systems are main attack points for ransomware actors looking to cripple an organization’s restoration plans and force the victim to pay a ransom.
The company’s study, The State of Storage & Backup Security Report, finds several reasons why those security issues exist in backup and storage environments, including a growing divide between IT infrastructure and security teams.
The report suggests that security teams are developing policies and procedures that infrastructure teams are tasked with implementing, sometimes with minimal direction.
In addition, security teams may be unaware of the cyber resiliency capabilities offered by storage and backup systems, while infrastructure teams are more focused on day-to-day operations and less concerned with defending against cyberattacks.
In addition to leveraging automated security posture assessment tools, the report recommends that organizations identify storage and backup security knowledge gaps and develop a plan that puts storage and backup security on par with compute and network security.
Continuity also offers these questions that organizations should ask themselves to help clarify their level of storage security maturity:
- Do our security policies cover specific storage, storage networking and backup risks?
- Are we evaluating the security of our storage & backup infrastructure on an ongoing basis?
- Do we have detailed plans and procedures for recovery from a successful attack on a storage or backup system? Do we test such procedures?
- How confident are we that the key findings highlighted in this report, and similar ones, do not and cannot occur in our environment?
Organizations should also read NIST SP 800-209, Security Guidelines for Storage Infrastructure, which was co-authored by Continuity.