State of Storage and Backup Security Report 2023 reveals significant gap in the state of enterprise storage and backup security compared to other layers of IT and network security.

The average enterprise storage and backup device has 14 vulnerabilities, three of which are rated high or critical risk and could lead to a significant compromise if exploited. That’s according to Continuity’s State of Storage and Backup Security Report 2023, which revealed a significant gap in the state of enterprise storage and backup security compared to other layers of IT and network security. The findings are based on assessments of 245 environments with 8,589 storage and backup devices from leading providers including Dell, NetApp, Veritas, and Hitachi Vantara. Most organizations studied were from the banking sector, with companies from the healthcare, telecommunications, and IT services sectors also among those assessed.

Given organizations’ increasing reliance on data backups as part of ransomware recovery plans, Continuity’s findings regarding the prevalence of vulnerabilities affecting storage and backup devices are significant.

Organizations failing to address data backup security risks

A total of 9,996 discrete security issues (vulnerabilities and security misconfigurations) were detected by Continuity, spanning more than 270 security principles that were not adequately followed, according to the report. The statistic that the average enterprise storage/backup device has 14 security risks – three with high or critical risk ratings – is almost identical to last year’s State of Storage and Backup Security Report, indicating little has been done to address this high-risk area. Unpatched vulnerabilities in storage and backup systems are the main points of attack for most ransomware, but organizations are not aware that traditional vulnerability management tools do not cover those systems well, Continuity said.

“Securing enterprise storage and backup systems has become a critical part of organizations’ cyber resiliency strategies,” said Dennis Hahn, principal analyst at Omdia. “As important as rapid data recovery is to business continuity if data is lost or stolen, it is arguably even more important to protect data anywhere it lives and not let storage and backup systems themselves become an entry point for attack.”

Top 5 data storage and backup device security risks

The top five storage and backup device security risks detected by Continuity in its latest analysis are:

- Insecure network settings (use of vulnerable protocols, encryption ciphers)
- Unaddressed Common Vulnerabilities and Exposures (CVEs)
- Access rights issues (over-exposure)
- Insecure user management and authentication
- Insufficient logging and auditing

Other less frequent but high-priority risks detected include vulnerabilities in software supply-chain management, incorrect configuration or non-use of anti-ransomware features, and undocumented and insecure APIs/CLIs. Factors contributing to the risks organizations are facing include the cyber implications of the Russia-Ukraine conflict, compliance/insurance challenges, and divisions between IT infrastructure and security teams, Continuity said.

How to address storage and backup device security risks

The report outlines the potential business impacts of the five most common storage and backup device security risks, along with recommendations for addressing them.

Insecure network settings can be exploited by cybercriminals to retrieve and tamper with configuration information and stored data, the report read.
To address the risks of insecure network settings, Continuity advised closing knowledge gaps about storage and backup network security concepts, risks, and best practices; defining internal requirements to adapt industry recommendations; identifying and remediating gaps between requirements and actual settings; and building effective, ongoing processes to continually evaluate storage and backup security posture.

The business risks of unaddressed CVEs include the ability to exfiltrate files, initiate denial-of-service (DoS) attacks, and even take ownership of files and block devices, Continuity said. It advised businesses to improve proactive CVE identification with storage-specific tools to scan storage and backup environments for CVEs, and to reduce remediation time for important vulnerabilities, identifying and patching CVEs with critical and high CVSS scores as quickly as possible.

Access rights issues put organizations at risk of exposure and compromise of data and its copies. In some cases, they can lead to compromise of the operating systems of the hosts that use the storage, Continuity warned. Teams should implement appropriate least-privilege access models for data access as well as management and control planes, and audit and correct exposures on a frequent basis.

Incorrect and insecure configuration can allow cybercriminals to take full control over storage and backup systems, enabling them to exfiltrate and destroy the data – and its copies. Mitigative steps include locking and renaming or deleting factory default users (where possible), eliminating the use of local user accounts, separating responsibilities and access roles for primary data copies and secondary data copies, and enabling multi-factor authentication (MFA).

Improper logging/auditing can help cybercriminals mask malicious activities and interfere with the ability of central security tools to detect anomalies, Continuity wrote.
To limit the risks, businesses should log to external repositories, configuring redundant logging targets for each device; configure external timekeeping using at least two NTP sources; and ensure granular logging that, at a minimum, records all authentication failures, administrative/security configuration events, and storage access events for critical or sensitive data.
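
The user-management and logging recommendations above lend themselves to a mechanical check over an inventory of device settings. The following is an added example, not code from the Continuity report or this article; the record fields (`users`, `roles`, `mfa_enabled`, `syslog_targets`, `ntp_sources`, `logged_events`), the finding codes and the two sample devices are constructed for illustration and do not match any vendor's configuration schema.

```python
# Added example: field names and sample records are constructed, not a vendor schema.
REQUIRED_LOG_EVENTS = {"auth_failure", "admin_config_change", "sensitive_data_access"}


def audit_device(dev):
    """Return finding codes for one device record (dict), in check order."""
    findings = []
    for user in dev.get("users", []):
        active = not user.get("locked", False)
        if user.get("factory_default") and active:
            # Factory default users should be locked and renamed or deleted.
            findings.append(f"default-user-active:{user['name']}")
        elif user.get("source") == "local" and active:
            # Local accounts should give way to centrally managed identities.
            findings.append(f"local-user-active:{user['name']}")
        roles = set(user.get("roles", []))
        if {"primary_admin", "backup_admin"} <= roles:
            # One identity must not control both primary and secondary copies.
            findings.append(f"role-overlap:{user['name']}")
    if not dev.get("mfa_enabled", False):
        findings.append("mfa-disabled")
    # Redundancy means distinct targets, so de-duplicate before counting.
    if len(set(dev.get("syslog_targets", []))) < 2:
        findings.append("external-log-targets-below-2")
    if len(set(dev.get("ntp_sources", []))) < 2:
        findings.append("ntp-sources-below-2")
    for event in sorted(REQUIRED_LOG_EVENTS - set(dev.get("logged_events", []))):
        findings.append(f"log-event-missing:{event}")
    return findings


# Constructed sample inventory: one compliant array, one misconfigured backup host.
INVENTORY = [
    {"name": "array-01", "mfa_enabled": True,
     "users": [{"name": "admin", "source": "local", "factory_default": True, "locked": True},
               {"name": "jdoe", "source": "directory", "roles": ["primary_admin"]}],
     "syslog_targets": ["10.0.0.5", "10.0.1.5"], "ntp_sources": ["10.0.0.1", "10.0.1.1"],
     "logged_events": ["auth_failure", "admin_config_change", "sensitive_data_access"]},
    {"name": "backup-02", "mfa_enabled": False,
     "users": [{"name": "root", "source": "local", "factory_default": True},
               {"name": "ops", "source": "local", "roles": ["primary_admin", "backup_admin"]}],
     "syslog_targets": ["10.0.0.5", "10.0.0.5"], "ntp_sources": ["10.0.0.1"],
     "logged_events": ["auth_failure"]},
]


def audit_inventory(inventory):
    """Map each device name to its findings; an empty list means compliant."""
    return {dev["name"]: audit_device(dev) for dev in inventory}
```

Calling `audit_inventory(INVENTORY)` returns no findings for `array-01` and eight for `backup-02`, including the duplicated syslog target, which counts as a single logging destination.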