These vulnerabilities seem almost too obvious, but they're quite pervasive in today's networks -- especially given the complexity of the information systems that network managers are responsible for today. Some are technical in nature and others I've seen are business-related, but they're certainly items you can't afford to overlook.
Lack of share and file-level access controls. This is typically OS defaults or settings that allow everyone full, unaccountable access.
Too much reliance on data encryption. Contrary to my recent tip on how much more important it is to encrypt data at rest compared to data in transit, encryption is not the silver bullet. Your data can be encrypted down to the last file or database field, but it can still be compromised by a 'trusted' insider or poorly-coded application that can be tripped up just enough to grant an intruder system-level read/write access to the goods he's looking for.
Failure to implement storage security with defensive tactics in mind. In other words, create as many hoops for attackers to jump through as reasonably possible without negatively impacting system performance or carving into your budget. This includes utilizing network segmentation of storage systems where possible, hardening the system at the OS level if it's not already, implementing disk/file/database encryption where practical, and implementing disk, share and file access controls where appropriate.
Lack of protection for shared information. Random text, word processor and spreadsheet files containing sensitive information scattered around server shares -- local workstation drives for that matter -- all without one iota of access control, much less the file's creator or network administrator having any knowledge that they're even there.
View this presentation from Information Security Decisions and learn 3 options for safeguarding stored data.
Have a storage security dilemma? Our resident expert is can tackle your toughest questions. Don't hesitate --submit your question today.
Absence of audit trails supporting who did what. This is still a large issue in most organizations. True, audit logging and monitoring can be a drain on both personnel and processors, especially if they're not deployed properly. Even the highest level of logging that takes place within the confines of your storage devices is not just an information security best practice -- it can be of great value when the time comes to investigate a security breach, and it's becoming a fundamental regulatory standard that affects practically every business.
Single administrator point of failure. This means if an employee with critical information is involved in an accident, is fired, or skips the country, the organization is left without passwords, encryption keys, network diagrams and the thousands of other things crammed into the typical network or storage administrator's head.
Technology driving security policies and business decisions. It should actually be the business needs determining technology and the associated security risks determining security policies.
Unnecessary administrator distractions. Network and storage administrators who are held responsible for (and being distracted by) the enforcement of organizational security policies when they should instead be working to implement and manage the technologies necessary to help a security committee and upper management enforce their policies.
If you're a network manager responsible for the administration and security of your organization's critical storage systems, it's time to find and fix these loopholes before they're exploited, leaving you caught in a jam. Network-based security controls aren't the answer; poor software development practices aren't going away and we all know that 'security awareness training' only goes so far. Root out these vulnerabilities in your storage systems and implement some reasonable controls at the lowest levels you can reach. It's an excellent way to layer security and batten down the hatches on the systems for which you're responsible. It's your last line of defense.
About the author:
Kevin Beaver is an independent information security consultant with Atlanta-based Principle Logic, LLC. He has more than 17 years of experience in IT and specializes in performing information security assessments. Kevin has authored five information security-related books including Hacking For Dummies,Hacking Wireless Networks For Dummies, The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach).
This tip originally appeared on SearchStorage.com
This was first published in January 2008