Companies in every industry continue to leave backup and storage platforms unsecured, with more than a dozen issues, including insecure network settings and unaddressed CVEs, affecting the average device. That leaves these repositories — often the first line of protection in the event of a ransomware attack — as sitting ducks for cybercriminals.
That's according to a data analysis published on March 22 by storage security firm Continuity Software, which found that the average device had 14 security risks, including three critical issues, which are considered those capable of allowing a significant compromise. The top three risks affecting companies' storage systems are insecure network settings, unaddressed vulnerabilities, and lax access privileges.
Overall, the data suggests that even companies with significant security maturity may not give their backup systems as much scrutiny as other systems, the Continuity report stated. The statistics are concerning given that network-attached storage, cloud storage, and backup devices are increasingly coming under attack. In 2021, threat groups targeted a flaw in certain network-attached storage systems made by Western Digital, such as the MyBook and other devices common in smaller businesses, taking advantage of the devices lack of support due to the products reaching their end of life. Attackers have also targeted large enterprises with a ransomware attack known as Deadbolt, which targets QNAP network-attacked storage, as well as other ransomware campaigns over the last few years.
Continuity's "2023 State of Storage and Backup Security Report" also found that the lack of security surrounding storage networks and backup servers affects most companies, across all industries.
"Although it is commonly accepted that certain industries, like financial services, tend to have more mature security strategies, this report shows that the entire field of storage [and] backup security across all industries is still overlooked," the report stated. "While this was similar to the last report, it is still very surprising, given the severity of recent-years data-targeted attacks, and the amount of time the industry had to develop more robust security measures."
Gil Hecht, CEO of Continuity, says that certain industry segments have surprisingly lax cyber defenses for these corporate assets.
"In more than half of the banks in the US, you will find devices that still have factory default passwords — which is unbelievable, unacceptable, makes no sense whatsoever," he says. "But the reason it happens is because storage and backup are considered to be ... back-office devices that don't need security."
With Ransomware Comes More Risk
The study shows that large organizations and enterprises are still catching up with the change in perspective that came along with the rise in ransomware over the past decade. In the past, storage systems and backup servers were considered protected because they were behind the firewall and often did not play a role in daily operations.
Yet ransomware is increasingly targeting backup systems so that victims have fewer recovery options, and companies that do not check the defensive posture of their storage and backup devices run serious risks, Continuity's Hecht says.
"The most terrifying thing is if you lose all the data and you cannot recover it — that is 'game over' for most companies," he says. "The second worst thing is to have all your data made public."
Recovering data from backup systems is a time intensive process, but not having the data from which to recover is worse, so companies should make sure to take defensive steps, GigaOm stated in a report on primary storage ransomware protection.
"Ransomware does not discriminate among infrastructure layers; once in, it will attempt to encrypt all of an organization’s assets within reach, which is why proper segmentation of access and networks is important," GigaOm analysts Max Mortillaro and Arjan Timmerman stated. "Losing primary data and having to restore it from data protection platforms is a time-intensive process, limited by the throughput of the backup media and network bandwidth, especially if protected data resides on the cloud."
Patching Storage Gives Pause to IT Teams
A major problem affecting data storage and backup devices is that they are difficult to patch — a problem that companies need to work around in their business planning, Continuity's Hecht says.
"A typical storage array in an enterprise will support, let's say, 1,000 servers," he says. "Patching a server requires downtime for the server being patched, but patching a storage array requires downtime for all 1,000 servers, and ... if there is a problem during the upgrade, you just cause a failure of all 1,000 servers."
While the need to patch can cause downtime that can broadly affect the business, having up-to-date devices is critical to a strong defensive posture, he says.
A number of technologies have been positioned as strong defenses against ransomware, such as immutable data storage, but Continuity stressed that the technologies still need to be regularly scanned to make sure they are functional and properly configured.
"This [immutable data copy] is an important capability," the report stated. "However, it can lead to a false sense of security if not implemented properly, and unfortunately, we did detect a significant number of misconfiguration issues specific to these features."
The Continuity report used scans from actual networks and devices to determine the subjects' defensive posture, whether the devices were properly configured and if their access controls were appropriately limited.