I’m in the middle of writing a whitepaper on data protection for CSOs, and it occurred to me just how often storage systems are overlooked in security testing. The typical security assessment involves servers, workstations, mobile devices, databases, Web applications, WiFi, and network infrastructure systems. You rarely see or hear anyone scoping storage systems in particular. Why is this? Do people just assume that they’re secure because they’re on a hardware appliance, or because they paid a gazillion dollars for them and surely someone thought about security along the way?
The reality is, if it has an on/off switch and an IP address, it’s fair game on the network. Not only do high-end NAS and SAN storage systems meet these criteria, but they also have other attack surfaces – especially Web interfaces – that make them that much more susceptible to attack. Unfortunately, such IPs and URLs may or may not be tested during any given internal vulnerability assessment depending on the scope and how deep the tester looks.
Whether you do it yourself or hire an independent information security consultant, when it comes time to scope your next security assessment, be sure to include your storage environment. If you don’t find the weaknesses, surely a bored or malicious insider will. Better to be proactive about something so critical to your business.