In the past, we have discussed the five must-have data storage security testing tools for the general storage administrator. And these tools are still relevant and should be considered by any network or storage administrator.
Common data storage security problems
When seeking out storage-related vulnerabilities there are three main areas to focus on:
- Live storage hosts on your network
- The services, applications and shares on your storage systems
- Specific vulnerabilities that can be directly exploited or facilitate exploitation and ultimately lead to a security breach
The common problems you will find in those areas include:
- Unknown or forgotten systems that have fallen outside the typical patch management and system administration
- Unpatched software at the operating system and application levels
- Weak passwords and access control in Web management interfaces
- Unprotected file shares that provide unfettered access to sensitive files and databases to anyone on the network
LANguard and QualysGuard
To help avoid and solve some of these common data storage security problems, you can use the relatively low-cost vulnerability scanner LANguard, shown in Figure 1 below.
Figure 1 -- Security scanning options in LANguard for finding OS/app-related vulnerabilities
LANguard is a great starter tool for finding live hosts, open ports and common vulnerabilities. It also has a share finder tool built into it that you can use to find open shares with weak permissions.
Another helpful tool is QualysGuard, which is the one scanner tool that comes closest to being a general all-in-one vulnerability scanner. It finds security vulnerabilities in operating systems and applications you would never think existed.
Pricing for these tools varies based on the license you buy, the number of systems you scan, etc. You can expect to pay anywhere from a few hundred dollars to as much as a couple thousand dollars depending on what you need. Regardless, the investment will be worth every penny. But before you buy any data storage security tools, be sure to test them and see how they can benefit your company.
Acunetix Web Vulnerability Scanner and N-Stalker Web Application Security Scanner
For the Web, a great vulnerability scanner is Acunetix Web Vulnerability Scanner, shown in Figure 2 below.
Figure 2 -- Security scanning options in Acunetix for finding Web-related vulnerabilities
Acunetix Web Vulnerability Scanner can find a lot of common Web-related weaknesses in your storage environment including default/blank passwords, login mechanism flaws, and even input validation flaws such as cross-site scripting and SQL injection.
Another tool that seeks out Web vulnerabilities is the N-Stalker Web Application Security Scanner. You simply point the scanner at the Web URL or IP address of the system(s) you wish to test, select the defaults and off it goes. When the scans finish, it produces a roadmap of what needs to be addressed.
Finally, after you've uncovered share and file permission weaknesses using a tool such as LANguard or QualysGuard, you'll want to search for sensitive information that shouldn't be accessible to just anyone on your network. This is arguably one of the greatest information risks your business faces right now. A great tool for seeking out sensitive files is Identity Finder, shown in Figure 3 below.
Figure 3 -- Search options in Identity Finder for finding sensitive information
Identity Finder comes in both a standalone product as well as an enterprise version you can use for searching network drives. Another great low-cost search alternative that you may want to consider is FileLocator Network.
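As an added example (not code from the article, nor from Identity Finder or FileLocator), here is a minimal sensitive-data sweep of the kind these products automate: it walks a mounted share, counts Social Security-style numbers and Luhn-valid card numbers per file, and ignores look-alikes such as phone numbers. The share contents, patterns and file names are constructed for the example so it runs offline.

```python
import re
import tempfile
from pathlib import Path

# Patterns for the identifiers a tool like Identity Finder hunts for; constructed
# for this example, real products ship far richer rule sets and file-type parsers.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(root: str, max_bytes: int = 1_000_000) -> dict:
    """Walk a share (any mounted path); return {relative path: {"ssn": n, "card": n}}."""
    hits = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable is not the same as clean; log such files in practice
        ssns = len(SSN_RE.findall(text))
        cards = sum(1 for m in CARD_RE.findall(text) if luhn_ok(re.sub(r"[ -]", "", m)))
        if ssns or cards:
            hits[path.relative_to(root).as_posix()] = {"ssn": ssns, "card": cards}
    return hits


def build_sample_share() -> str:
    """Create a throwaway directory standing in for an open network share (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "hr").mkdir()
    (root / "hr" / "payroll.csv").write_text("name,ssn\nJ. Doe,123-45-6789\n")
    (root / "orders.txt").write_text("card 4111 1111 1111 1111 approved\ncard 4111 1111 1111 1112 typo\n")
    (root / "phones.txt").write_text("front desk 555-123-4567\n")  # similar shape, must not match
    return str(root)


if __name__ == "__main__":
    for rel, counts in find_sensitive(build_sample_share()).items():
        print(f"{rel}: {counts}")
```

Point `find_sensitive()` at a mapped drive or mount point of a share LANguard flagged as open; every hit is a file whose permissions, not just contents, need review.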
Overall, your SMB will benefit from these data storage security tools, especially when you need to seek out important storage vulnerabilities in your SMB environment.
About this author: Kevin Beaver is an independent information security consultant, speaker, and expert witness with Atlanta-based Principle Logic LLC. He has more than 20 years' experience in the industry and specializes in performing independent information security assessments revolving around compliance and information risk management. Kevin has authored/co-authored seven books on information security including the ethical hacking books "Hacking For Dummies" and "Hacking Wireless Networks For Dummies" (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at www.principlelogic.com.
This was first published in October 2009