Data is the core asset of the modern enterprise, and its business value keeps rising. Data security, however, faces unprecedented challenges: network attacks, ransomware in particular, have become one of the most serious threats to enterprises, and they directly target data storage and backup systems.
Regulators, insurers and auditors are paying increasing attention to the integrity, resilience and recoverability of enterprise data, and to the security of the underlying IT infrastructure. Data protection has become a core topic of enterprise risk management.
A 2024 survey by Continuity Software Ltd of Fortune 500 enterprises found that leaders attach great importance to the security of storage and backup environments: they are actively deploying new cyber-recovery capabilities and looking for solutions that satisfy increasingly strict compliance requirements.
Key findings
Configuration areas the storage team wants to improve:
- detect end-of-life status of hardware or software (65%)
- detect deviation from ransomware-protection best practices and vendor hardening guidelines (53%)
- produce configuration-compliance evidence reports on demand (53%)
- benchmark the security rating against industry peers (44%)
Security and recoverability capabilities the storage team wants:
- back up and recover system configurations (77%)
- classify data at the storage-volume, storage-pool or backup-policy level (63%)
- detect devices exposed by security announcements and alerts (58%)
- detect misconfiguration of immutability and isolation settings (42%)
Standards and frameworks referenced:
- NIST 800-53 (49%)
- PCI DSS (44%)
- CIS (33%)
- ISO/IEC 27000 series (30%)
Configuration management
- Detect end-of-life status of hardware or software: proactively finding and resolving problems caused by end of support keeps the security posture and data protection intact and improves system reliability, since unsupported systems no longer receive security fixes.
- Detect deviation from ransomware-protection best practices and vendor hardening guidelines: key controls include immutable backups, secure snapshots, anomaly detection, user behaviour analytics, multi-factor authentication (MFA), dual control over immutability settings, and secure time synchronisation.
- Produce configuration-compliance evidence reports on demand: automated evidence collection lets enterprises manage a diverse estate efficiently, reduces dependence on individual team members, and improves the accuracy and consistency of compliance work.
- Benchmark the security posture score against industry peers: this clarifies where the enterprise stands in terms of security maturity.
Security and recoverability
- Back up and recover system configurations: regularly backing up device and system configurations is as important as backing up data. A system configuration comprises settings, policies and operating parameters, all of which determine whether the storage and backup infrastructure runs correctly and performs as expected after a rebuild.
- Classify data at the storage-volume, storage-pool or backup-policy level: enterprises can classify by data sensitivity (for example personally identifiable information (PII), protected health information (PHI) or social security numbers) and then apply access control, encryption and monitoring appropriate to each risk level.
- Identify devices affected by security announcements and alerts: several vulnerabilities in storage and backup products have recently been discovered and actively exploited, attracting wide attention. They include CVE-2022-26500 and CVE-2022-26501 in Veeam Backup & Replication, which allow an unauthenticated remote attacker to execute arbitrary code, and CVE-2021-27876 in Veritas Backup Exec, which allows an attacker to access files without authorisation through the Backup Exec agent.
- Malicious actors will keep exploiting newly disclosed vulnerabilities, threatening both production and backup data, with potential impact measured in petabytes.
Summary of recent security incidents
- Use of a default password led to a remote code execution vulnerability with potentially serious consequences.
- CSO reports that a LockBit variant attacks backup software, undermining the ability to recover from ransomware.
- EstateRansomware, an emerging ransomware group, exploited a vulnerability that Veeam had fixed a year earlier to deploy LockBit-variant encryption malware and extort victims.
- Brocade disclosed 18 vulnerabilities, including high-severity ones that allow a remote attacker to log in as root without authentication.
Recommended practices
- set an immutable retention period
- use secure (authenticated) time synchronisation
- implement dual control for immutability-related settings
- consider enabling anomaly detection
- protect underlying hardware management components (such as iDRAC, IPMI, BMC and iLO)
- enable MFA for local users
- limit the number of concurrent sessions
- set an account lockout threshold
- restrict administrative access
- designate a security officer
- disable inactive user accounts
- harden backup directories and repositories
Practices to avoid
- selecting a weaker immutability mode (one that allows the immutability settings to be changed, disabled or deleted)
- using the same credentials to manage the primary storage and the backup systems
- enabling unrestricted remote access
- enabling insecure protocols (such as FTP, Telnet or plaintext HTTP)
- using unrestricted or vulnerable file shares
- allowing untrusted hosts to join the backup domain
- using default passwords
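The two lists above are exactly the kind of drift a configuration-compliance check should catch. The following is an added example, not code from the original article or from any vendor: it runs a set of checks over a constructed export of a backup appliance's configuration and produces the summary an on-demand evidence report needs. The configuration keys (immutability.mode, ntp.authenticated, auth.lockout_threshold and so on), the sample configurations, the default-password list and the "compliance" / "governance" vocabulary for immutability modes are all assumptions for the example; a real appliance exports its settings under its own names, and the checks would be mapped onto those.

```python
import hashlib
from collections import namedtuple
from datetime import date

# Constructed list of default/weak passwords to test against (illustrative, not a vendor list).
DEFAULT_HASHES = {hashlib.sha256(p.encode()).hexdigest() for p in ("admin", "password", "changeme", "backup123")}
INSECURE_PROTOCOLS = {"ftp", "telnet", "http"}
INACTIVE_DAYS = 90
REFERENCE_DATE = date(2024, 6, 1)  # fixed "today" so results are reproducible

# control = which practice from the lists above is violated; severity = critical / high / medium
Finding = namedtuple("Finding", "control severity detail")


def check_retention_controls(cfg, today):
    imm, ntp, out = cfg.get("immutability", {}), cfg.get("ntp", {}), []
    if not imm.get("enabled"):
        out.append(Finding("immutable retention", "critical", "immutability is disabled"))
    else:
        # Assumed vocabulary: 'compliance' = retention cannot be shortened or removed; anything else can be.
        if imm.get("mode") != "compliance":
            out.append(Finding("immutability mode", "high", f"mode {imm.get('mode')!r} lets an admin change, disable or delete retention"))
        if not imm.get("dual_control"):
            out.append(Finding("dual control", "high", "immutability settings can be changed by a single admin"))
    if not ntp.get("servers"):
        out.append(Finding("secure time sync", "high", "no NTP servers; retention clocks can be set back"))
    elif not ntp.get("authenticated"):
        out.append(Finding("secure time sync", "medium", "unauthenticated NTP; a spoofed time source can expire retention early"))
    return out


def check_accounts(cfg, today):
    auth, out = cfg.get("auth", {}), []
    if not auth.get("mfa_local_users"):
        out.append(Finding("MFA for local users", "high", "local accounts log in with a password only"))
    if auth.get("lockout_threshold", 0) <= 0:
        out.append(Finding("account lockout threshold", "medium", "no lockout; online guessing is unbounded"))
    if auth.get("max_concurrent_sessions", 0) <= 0:
        out.append(Finding("concurrent sessions", "medium", "concurrent sessions are unlimited"))
    for user in (u for u in cfg.get("users", []) if u.get("enabled")):
        if user.get("password_sha256") in DEFAULT_HASHES:
            out.append(Finding("default password", "critical", f"user {user['name']} has a known default password"))
        idle = (today - date.fromisoformat(user["last_login"])).days
        if idle > INACTIVE_DAYS:
            out.append(Finding("inactive accounts", "medium", f"user {user['name']} enabled but idle for {idle} days"))
    if cfg.get("backup", {}).get("service_account") == cfg.get("primary_storage", {}).get("service_account"):
        out.append(Finding("separate credentials", "critical", "one service account manages primary storage and backups"))
    return out


def check_network(cfg, today):
    out = []
    enabled = {p.lower() for p in cfg.get("protocols", {}).get("enabled", [])}
    out += [Finding("insecure protocols", "high", f"{p} is enabled") for p in sorted(enabled & INSECURE_PROTOCOLS)]
    cidrs = cfg.get("remote_access", {}).get("allowed_cidrs", [])
    if not cidrs or "0.0.0.0/0" in cidrs:
        out.append(Finding("restricted remote access", "high", "management interface reachable from any address"))
    if cfg.get("backup", {}).get("allow_untrusted_hosts"):
        out.append(Finding("untrusted hosts", "high", "unvetted hosts may join the backup domain"))
    return out


CHECKS = (check_retention_controls, check_accounts, check_network)


def evaluate(cfg, today=REFERENCE_DATE):
    """Run every check; each Finding is one deviation from the practices listed above."""
    return [f for check in CHECKS for f in check(cfg, today)]


def evidence_report(cfg, today=REFERENCE_DATE):
    """Summary in the shape an on-demand compliance evidence report needs."""
    findings = evaluate(cfg, today)
    counts = {sev: sum(1 for f in findings if f.severity == sev) for sev in sorted({f.severity for f in findings})}
    return {"compliant": not findings, "counts": counts, "findings": [(f.control, f.severity, f.detail) for f in findings]}


# Constructed appliance exports: one drifting from the guidance, one hardened.
WEAK_CONFIG = {
    "immutability": {"enabled": True, "mode": "governance", "dual_control": False},
    "ntp": {"servers": ["10.0.0.5"], "authenticated": False},
    "auth": {"mfa_local_users": False, "lockout_threshold": 0, "max_concurrent_sessions": 0},
    "users": [{"name": "admin", "enabled": True, "last_login": "2024-05-01", "password_sha256": hashlib.sha256(b"admin").hexdigest()},
              {"name": "contractor", "enabled": True, "last_login": "2024-01-15", "password_sha256": hashlib.sha256(b"correct horse battery staple").hexdigest()}],
    "backup": {"service_account": "svc-storage", "allow_untrusted_hosts": True},
    "primary_storage": {"service_account": "svc-storage"},
    "protocols": {"enabled": ["HTTPS", "FTP", "SMB"]},
    "remote_access": {"allowed_cidrs": ["0.0.0.0/0"]},
}
HARDENED_CONFIG = {
    "immutability": {"enabled": True, "mode": "compliance", "dual_control": True},
    "ntp": {"servers": ["ntp1.corp.example", "ntp2.corp.example"], "authenticated": True},
    "auth": {"mfa_local_users": True, "lockout_threshold": 5, "max_concurrent_sessions": 3},
    "users": [{"name": "backup-admin", "enabled": True, "last_login": "2024-05-20", "password_sha256": hashlib.sha256(b"long unique passphrase").hexdigest()}],
    "backup": {"service_account": "svc-backup", "allow_untrusted_hosts": False},
    "primary_storage": {"service_account": "svc-storage"},
    "protocols": {"enabled": ["HTTPS", "SSH"]},
    "remote_access": {"allowed_cidrs": ["10.20.0.0/24"]},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, evidence_report(cfg))
```

Run against the weak export the checks return twelve findings (two critical: a default password and a shared service account; six high; four medium), while the hardened export is reported as compliant. Two design points carry over to real tooling: passwords are compared as hashes so the checker never needs the secret itself, and the reference date is a parameter so the inactive-account check is reproducible in an audit trail.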
Industry and security standards
In early 2024 ISO published ISO/IEC 27040:2024, which gives authoritative guidance on the security of storage and backup systems.
The NIST SP 800-209 Security Guidelines for Storage Infrastructure is one of the most influential guides in the industry; it gives comprehensive recommendations on the secure deployment, configuration and operation of storage and data-protection systems.
The EU Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) requires financial institutions to build robust and resilient storage and backup systems that prevent unauthorised access to data and its loss or corruption.
The Payment Card Industry Data Security Standard (PCI DSS) sets comprehensive requirements for protecting cardholder data, including requirements that touch storage and backup systems, such as periodic vulnerability scanning and testing and multi-factor authentication (MFA) for access to storage systems.
The Center for Internet Security (CIS) Controls emphasise several key aspects of storage and backup security, including encrypting backup data, storing it securely, and implementing controls that prevent unauthorised access.
References: standards and frameworks
General information security management standards and control frameworks
NIST 800-53
title: NIST Special Publication 800-53: Security and Privacy Controls for Information Systems and Organizations
NIST 800-53 is a catalogue of security and privacy controls published by the National Institute of Standards and Technology (NIST) to help organisations manage the security risks of information systems. It defines multiple control families, including access control, audit and accountability, and risk assessment. It applies to federal information systems and to any other organisation that needs to protect sensitive data.
Official link:[NIST 800-53](https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final)
ISO/IEC 27000 series
title: ISO/IEC 27000 series of standards
The ISO/IEC 27000 series is a family of information security management standards developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The series provides a framework for establishing, implementing and maintaining an information security management system (ISMS), helping organisations identify and manage information security risks and protect their information assets.
Official link:[ISO/IEC 27000 family](https://www.iso.org/standard/iso-iec-27000-family)
PCI DSS
title: Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is a standard developed by the Payment Card Industry Security Standards Council to protect payment account data. It specifies the security requirements for any environment that processes, stores or transmits payment account data, and helps merchants and service providers implement security practices that prevent data breaches and fraud.
Official link:[PCI DSS](https://www.pcisecuritystandards.org/standards/)
Storage security standards and guidelines
ISO/IEC 27040:2024
title: ISO/IEC 27040:2024 - Information technology - Security techniques - Storage security
ISO/IEC 27040:2024 is a standard developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) that gives guidance on the security of storage systems. It provides organisations with recommendations on storage security controls that protect the confidentiality, integrity and availability of data, covering storage security architecture, risk management and the implementation of controls, and it supports organisations in establishing effective security policies for storage and backup solutions.
Official link:[ISO/IEC 27040:2024](https://www.iso.org/standard/80194.html)
NIST SP 800-209
title: NIST Special Publication 800-209 - Security Guidelines for Storage Infrastructure
NIST SP 800-209 is a security guide published by the National Institute of Standards and Technology (NIST) that gives comprehensive recommendations for the secure deployment, configuration and operation of storage infrastructure. It is designed to help organisations manage the security risks of storage and data-protection systems effectively.
Official link:[NIST SP 800-209](https://csrc.nist.gov/publications/detail/sp/800-209/final)
Digital Operational Resilience Act (DORA)
title: Digital Operational Resilience Act (Regulation (EU) 2022/2554)
DORA is an EU regulation that requires financial institutions to establish robust and resilient storage and backup systems that protect data from unauthorised access, loss or corruption. The regulation aims to strengthen the digital resilience of financial markets and ensure that financial institutions can withstand a range of cyber threats.
Link:[DORA](https://www.digital-operational-resilience-act.com)
Security benchmarks and control recommendations
CIS Benchmarks
title: CIS Benchmarks
The CIS Benchmarks are a series of security best practices developed by the Center for Internet Security (CIS) to help organisations configure their IT systems securely. They provide secure configuration recommendations for a wide range of technologies, including operating systems, network devices and cloud services, helping organisations improve their security and achieve compliance.
Official link:[CIS benchmark](https://www.cisecurity.org/cis-benchmarks)
CIS Controls
title: CIS Controls
The CIS Controls are a set of prioritised best practices developed by the Center for Internet Security (CIS). For storage and backup systems they emphasise encrypting backup data, storing it securely, and implementing controls that prevent unauthorised access.
Official link:[CIS Controls](https://www.cisecurity.org/controls/)
Reference: security incidents
CVE-2022-26500 and CVE-2022-26501
Vulnerability description: these two vulnerabilities in Veeam Backup & Replication allow an unauthenticated remote attacker to execute arbitrary code through the Veeam Distribution Service (default TCP port 9380). An attacker can reach internal API functions through the service to upload and execute malicious code.
Affected versions: Veeam Backup & Replication 9.5, 10 and 11.
Severity rating: both vulnerabilities carry a CVSS score of 9.8 ("critical"). CISA has added them to its Known Exploited Vulnerabilities (KEV) catalog, which means they have been exploited in the wild.
Fix: Veeam released patches for versions 10 and 11; 9.5 is out of support and must be upgraded. Update to a supported, patched build as soon as possible. If the patch cannot be applied immediately, stop and disable the Veeam Distribution Service as a temporary measure to reduce the exposure.
CVE-2021-27876
Vulnerability description: this vulnerability in Veritas Backup Exec allows an unauthenticated remote attacker to access files on an affected host because of a flaw in the SHA authentication scheme used between a client and the Backup Exec agent. An attacker can exploit it to gain unauthorised access to affected endpoints.
Affected versions: the survey does not list affected versions in detail; per the vendor advisory, every version before 21.2 is affected.
Severity rating: CVE-2021-27876 has a CVSS score of 8.1 ("high"). It has been exploited by the ALPHV (BlackCat) ransomware group as an initial access vector into target networks.
Fix: Veritas released a patch in March 2021. Update to version 21.2 or later as soon as possible. Many systems have still not been updated and remain exposed.
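Finding which devices are exposed by an advisory, the need raised under "Security and recoverability" above, comes down to comparing installed builds against the advisory's affected-version ranges. The following is an added example that is not part of the original article: a small matcher run over a constructed inventory. The hostnames, versions and listening ports are made up; the Backup Exec range (everything before 21.2) follows from the fix described above; the Veeam fixed build numbers for 10a and 11a are transcribed from Veeam KB4288 as I recall them and must be verified against the vendor KB before being relied on.

```python
from typing import NamedTuple, Optional


def parse_version(text):
    """'11.0.1.1261' -> (11, 0, 1, 1261); tuple comparison orders builds numerically."""
    return tuple(int(part) for part in text.strip().split("."))


class Advisory(NamedTuple):
    cves: tuple
    product: str
    affected_ranges: tuple       # (lower_inclusive, upper_exclusive) version strings; None = unbounded
    service_port: Optional[int]  # network service the flaw is reached through, if any
    remediation: str


def version_in_ranges(version, ranges):
    v = parse_version(version)
    for lower, upper in ranges:
        if lower is not None and v < parse_version(lower):
            continue
        if upper is not None and v >= parse_version(upper):
            continue
        return True
    return False


ADVISORIES = (
    # Veeam: 9.5 is out of support and only fixed by upgrading; 10 and 11 are fixed in the builds below.
    # ASSUMPTION: fixed build numbers transcribed from Veeam KB4288 from memory; verify before relying on them.
    Advisory(("CVE-2022-26500", "CVE-2022-26501"), "Veeam Backup & Replication",
             (("9.5", "10.0"), ("10.0", "10.0.1.4854"), ("11.0", "11.0.1.1261")), 9380,
             "patch; until then stop and disable the Veeam Distribution Service"),
    # Veritas: every release before 21.2 is affected (fix above: update to 21.2 or later).
    Advisory(("CVE-2021-27876",), "Veritas Backup Exec", ((None, "21.2"),), None,
             "upgrade to Backup Exec 21.2 or later"),
)


def find_exposed(inventory, advisories=ADVISORIES):
    """Return one hit per (host, advisory) whose installed version falls in an affected range."""
    hits = []
    for host in inventory:
        for adv in advisories:
            if host["product"] != adv.product or not version_in_ranges(host["version"], adv.affected_ranges):
                continue
            hits.append({
                "host": host["name"], "cves": adv.cves, "version": host["version"],
                # an affected build whose vulnerable service is actually listening is the one to fix first
                "service_reachable": adv.service_port in host.get("listening_ports", ()),
                "remediation": adv.remediation,
            })
    return hits


# Constructed inventory (hostnames, versions and ports are made up for the example).
INVENTORY = (
    {"name": "bkp01", "product": "Veeam Backup & Replication", "version": "11.0.1.1000", "listening_ports": (9380, 9392)},
    {"name": "bkp02", "product": "Veeam Backup & Replication", "version": "11.0.1.1261", "listening_ports": (9380, 9392)},
    {"name": "bkp03", "product": "Veeam Backup & Replication", "version": "9.5.4.2866", "listening_ports": (9380,)},
    {"name": "be01", "product": "Veritas Backup Exec", "version": "21.1.1200", "listening_ports": (10000,)},
    {"name": "be02", "product": "Veritas Backup Exec", "version": "21.3.1200", "listening_ports": (10000,)},
    {"name": "nas01", "product": "Generic NAS", "version": "4.2.1", "listening_ports": (445,)},
)

if __name__ == "__main__":
    for hit in find_exposed(INVENTORY):
        print(hit)
```

On this inventory bkp01 (below the 11a fixed build), bkp03 (out-of-support 9.5) and be01 (before 21.2) are reported; bkp02 sits exactly on the fixed build and is not, which is why the upper bound of each range is exclusive. Comparing versions as integer tuples rather than strings matters for build numbers: as strings "10.0.1.500" would sort after "10.0.1.4854".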
Article reprinted from: Andy730