
SECURITY ARCHITECTURE INSIDER

Storage vulnerabilities you can't afford to miss


Kevin Beaver
12.15.2005

When it comes to the crown jewels of business networks, I can't think of any systems more critical than storage servers. Whether you've got an advanced SAN, NAS or simply run-of-the-mill file servers housing your organization's information, your systems must become and remain as secure as possible. Unfortunately, in the rush to add more storage space, implement a brand-new network-based storage system and deploy desperately needed servers at the last minute, there are holes -- large, gaping holes -- left in the storage configuration that can easily be exploited by someone with nothing better to do.

These vulnerabilities seem almost too obvious, but they're quite pervasive in today's networks -- especially given the complexity of the information systems that network managers are responsible for today. Some are technical in nature and others I've seen are business-related, but they're certainly items you can't afford to overlook.

  1. Lack of share and file-level access controls. Typically this means OS defaults, or settings left in place, that give everyone full, unaccountable access.

  2. Too much reliance on data encryption. Contrary to my recent tip on how much more important it is to encrypt data at rest compared to data in transit, encryption is not the silver bullet. Your data can be encrypted down to the last file or database field, but it can still be compromised by a 'trusted' insider or a poorly coded application that can be tripped up just enough to grant an intruder system-level read/write access to the goods he's looking for.

  3. Failure to implement storage security with defensive tactics in mind. In other words, create as many hoops for attackers to jump through as reasonably possible without negatively impacting system performance or carving into your budget. This includes network segmentation of storage systems where possible, hardening the system at the OS level if it's not already hardened, implementing disk/file/database encryption where practical, and implementing disk, share and file access controls where appropriate.

  4. Lack of protection for shared information. Random text, word processor and spreadsheet files containing sensitive information are scattered around server shares (and local workstation drives, for that matter) without one iota of access control, and often without the file's creator or the network administrator even knowing they're there.

  5. Absence of audit trails supporting who did what. This is still a large issue in most organizations. True, audit logging and monitoring can be a drain on both personnel and processors, especially if they're not deployed properly. But logging within the confines of your storage devices, even at the highest level, is not just an information security best practice: it can be of great value when the time comes to investigate a security breach, and it's becoming a fundamental regulatory standard that affects practically every business.

  6. Single administrator point of failure. This means if an employee with critical information is involved in an accident, is fired, or skips the country, the organization is left without passwords, encryption keys, network diagrams and the thousands of other things crammed into the typical network or storage administrator's head.

  7. Technology driving security policies and business decisions. It should be the other way around: business needs should determine the technology, and the associated security risks should determine the security policies.

  8. Unnecessary administrator distractions. Network and storage administrators are held responsible for (and distracted by) enforcing organizational security policies when they should instead be implementing and managing the technologies that help a security committee and upper management enforce those policies.
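Items 1 and 4 are the two that a script can find for you. The following is an added example, not code from the original tip or from any storage vendor: it walks a share, flags files and directories whose mode bits give everyone access (item 1), and scans file contents for card numbers and SSN-shaped values that should not be sitting unprotected on a share (item 4). It assumes a POSIX file server; the sample share it builds in a temporary directory, the file names, the regular expressions and the Luhn filter are all this example's own constructions.

```python
"""Added example (not from the original article): a storage-share audit for
items 1 and 4. Assumes a POSIX file server; the sample share is constructed."""
import os
import re
import shutil
import stat
import tempfile
from pathlib import Path

# Data that has no business sitting on an open share. Card candidates are
# confirmed with the Luhn check so random 16-digit order numbers are not noise.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def permission_findings(root: Path) -> list:
    """Item 1: anything world-writable, plus regular files that are
    world-readable. Returns (path relative to root, finding) in path order."""
    findings = []
    for path in sorted(root.rglob("*")):
        mode = path.lstat().st_mode
        rel = str(path.relative_to(root))
        if mode & stat.S_IWOTH:
            findings.append((rel, "everyone: write"))
        elif stat.S_ISREG(mode) and mode & stat.S_IROTH:
            findings.append((rel, "everyone: read"))
    return findings


def content_findings(root: Path, max_bytes: int = 1_000_000) -> list:
    """Item 4: files containing Luhn-valid card numbers or SSN-shaped values.
    Returns (path relative to root, kind, count) tuples."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:  # unreadable to the auditing account: skip, don't crash
            continue
        rel = str(path.relative_to(root))
        cards = [m.group() for m in CARD_RE.finditer(text)
                 if luhn_ok(re.sub(r"[ -]", "", m.group()))]
        if cards:
            findings.append((rel, "card-number", len(cards)))
        ssns = SSN_RE.findall(text)
        if ssns:
            findings.append((rel, "ssn", len(ssns)))
    return findings


def build_sample_share() -> Path:
    """Constructed sample share: a locked-down finance directory, a wide-open
    public directory holding a stray customer export, and a harmless readme.
    Modes are set explicitly so the result does not depend on the umask."""
    root = Path(tempfile.mkdtemp(prefix="share-audit-"))
    finance, public = root / "finance", root / "public"
    finance.mkdir()
    public.mkdir()
    (finance / "payroll.csv").write_text("name,ssn\nA. Person,123-45-6789\n")
    (public / "readme.txt").write_text("Welcome to the public share.\n")
    # One Luhn-valid test card number (4111...) and one that fails the check.
    (public / "customers-export.txt").write_text(
        "cust 4111 1111 1111 1111 ok\ncust 1234567890123456 bogus\n")
    os.chmod(finance, 0o750)
    os.chmod(finance / "payroll.csv", 0o640)
    os.chmod(public, 0o777)  # everyone: full control, the item-1 default
    os.chmod(public / "readme.txt", 0o644)
    os.chmod(public / "customers-export.txt", 0o666)
    return root


def audit(root: Path) -> dict:
    """Both checks over one share root."""
    return {"permissions": permission_findings(root),
            "content": content_findings(root)}


if __name__ == "__main__":
    share = build_sample_share()
    try:
        for section, rows in audit(share).items():
            print(section)
            for row in rows:
                print("  ", *row)
    finally:
        shutil.rmtree(share)
```

Run against a real share root instead of the constructed one, the permission pass is cheap and can go in a nightly job; the content pass reads every file, so cap it with `max_bytes` and run it on a schedule the storage can tolerate. The world-readable finding is deliberately lower severity: on a genuinely public share it is expected, but on a finance share it is the item-1 default the tip warns about.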

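For item 5, what an audit trail has to deliver is an answer to "who did what to this file, and when". The following added example (not from the original tip, and not any product's log format) reconstructs that answer from file-access records and flags the records that cannot give it, namely destructive actions logged under a shared account. The key=value log format, the account and path names and the sample lines are constructed for this example; the sets of shared accounts and destructive actions are assumptions to tailor to your own environment.

```python
"""Added example (not from the original article): reconstructing 'who did what'
from constructed file-access audit records; real NAS/SAN/OS formats differ."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# One key=value record per line (constructed format for this example).
RECORD_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+)")

# Assumed: accounts several people can log in as. A record under one of these
# proves something happened but cannot name the person responsible.
SHARED_ACCOUNTS = {"administrator", "root", "backup-svc"}
# Assumed: the actions an investigator most needs attributed to a person.
DESTRUCTIVE = {"DELETE", "ACL_CHANGE", "RENAME"}

# Constructed sample log; the last line is deliberately not a record.
SAMPLE_LOG = """\
2005-12-15T08:02:11Z user=jsmith action=READ path=/shares/finance/payroll.csv
2005-12-15T08:05:40Z user=jsmith action=WRITE path=/shares/finance/payroll.csv
2005-12-15T12:30:02Z user=administrator action=ACL_CHANGE path=/shares/finance
2005-12-15T12:31:15Z user=administrator action=DELETE path=/shares/finance/payroll.csv
2005-12-15T13:00:00Z user=backup-svc action=READ path=/shares/finance
2005-12-15T13:02:27Z user=mlee action=READ path=/shares/public/readme.txt
this line is not an audit record
"""


def parse_records(text: str) -> list:
    """Parse well-formed records; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            records.append(rec)
    return records


def actions_by_user(records: list) -> dict:
    """Who did what: per-user counts of each action."""
    summary = defaultdict(Counter)
    for r in records:
        summary[r["user"]][r["action"]] += 1
    return {user: dict(counts) for user, counts in summary.items()}


def unattributable(records: list) -> list:
    """Destructive actions logged under a shared account: the attribution gap
    that item 5 is about. Returns (time, account, action, path) tuples."""
    return [(r["ts"].isoformat(), r["user"], r["action"], r["path"])
            for r in records
            if r["user"].lower() in SHARED_ACCOUNTS and r["action"] in DESTRUCTIVE]


def history_of(records: list, path: str) -> list:
    """Every recorded touch of one path, in time order, including actions on a
    parent directory (an ACL change on the folder affects the file too)."""
    return sorted((r["ts"].isoformat(), r["user"], r["action"])
                  for r in records
                  if r["path"] == path or path.startswith(r["path"] + "/"))


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("actions by user:", actions_by_user(recs))
    print("unattributable:", unattributable(recs))
    print("history:", history_of(recs, "/shares/finance/payroll.csv"))
```

The `history_of` timeline is the thing an investigator actually wants after a breach, and the `unattributable` list is the reason the tip calls for trails supporting who did what: the log here shows that payroll.csv had its parent folder's ACL changed and was then deleted, but because both records sit under a shared administrator account, it cannot say by whom. Named accounts for administrative work, with the shared ones reserved for break-glass use, close that gap without adding any logging volume.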
If you're a network manager responsible for the administration and security of your organization's critical storage systems, it's time to find and fix these loopholes before they're exploited, leaving you caught in a jam. Network-based security controls aren't the answer; poor software development practices aren't going away and we all know that 'security awareness training' only goes so far. Root out these vulnerabilities in your storage systems and implement some reasonable controls at the lowest levels you can reach. It's an excellent way to layer security and batten down the hatches on the systems for which you're responsible. It's your last line of defense.

About the author:
Kevin Beaver is an independent information security consultant with Atlanta-based Principle Logic, LLC. He has more than 17 years of experience in IT and specializes in performing information security assessments. Kevin has authored five information security-related books, including Hacking For Dummies, Hacking Wireless Networks For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach).

This tip originally appeared on SearchStorage.com
