High-Profile User Talks Secure Storage

Financial firm's storage security chief talks iSCSI, NAS, and vendor hyperbole

October 16, 2007


DALLAS -- Storage Networking World -- CIOs and IT managers need to get back to basics when it comes to fighting hackers, warns Alan Lustiger, information security architect of financial firm TD Ameritrade.

Speaking during a presentation here today, Lustiger explained that the threat landscape is constantly changing, making the task of storage security much harder. "Until a few years ago the main worries were joy-riders and script-kiddies," he said, alluding to the recent surge in cyber-crime.

"Over the years, the threat has morphed into more professional-type hacking -- it's getting worse by the day," added Lustiger, explaining that a new form of "cyber-mafia" is forcing firms to rethink their storage security strategies.

Despite facing more serious threats to their data, the exec urged users to take vendors' security pitches with a dose of salt. "They tend to want to be alarmist -- I very much dislike that," he said. "You don't want to be running [around], doing the 'Chicken Little' thing, every time a vendor comes in."

Encryption is a perfect example of this, according to Lustiger. "If the bad guys are getting [into your storage] the same way the good guys are, then what good does it do you?" he asked his audience of CIOs and IT managers. "Generally, to get to the point of hacking storage, the attacker must already have broken into your network."

Storage vendors have certainly latched onto users' paranoia about data breaches, with a slew of announcements timed to coincide with this week's SNW event.

But Lustiger explained that users may need to concentrate their energies elsewhere, highlighting, in particular, the Web servers used to access back-end storage systems. "If you do nothing else, lock the front door," he said. "Web server application security needs to be reviewed often."

Another potential target for hackers are the operating systems for storage devices, which are typically left out of users' security strategies. "The chances are that you already have [security processes] for servers [but] do you have the same for storage appliances?" asked Lustiger.

"If there is an exploit for Linux that comes out, do you even know what versions of Linux your storage devices are running?" he said. "Most people don't."

Of the main storage technologies in use today, Lustiger feels that NAS is probably the easiest to hack into, thanks largely to vulnerabilities in protocols such as CIFS and NFS. "Hundreds of hackers have these tools," he said, highlighting in particular protocol downgrade attacks by rogue servers.

The fact that CIFS and NFS traffic is typically in cleartext can also open the door to other problems. "Even if you have wonderful database security, people could run a sniffer on your operating system," said Lustiger.

Another technology that relies heavily on cleartext is iSCSI, which Lustiger identified as another possible Achilles heel. Hackers can sniff iSCSI traffic and can even spoof the iSCSI name service (iSNS) to gain information about devices, according to the exec.

"It is possible to secure iSCSI if you do a combination of IPSec and making sure that you have authentication," he added.
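To make the "authentication" half of that advice concrete, here is an added illustration (not from the article or the speaker) of mutual CHAP as negotiated during iSCSI login, which follows RFC 3720's use of the RFC 1994 CHAP algorithm. Initiator names and secrets are constructed; the point is that the shared secret never appears on the wire and that a target which does not hold the reverse secret fails the initiator's check.

```python
import hashlib
import secrets


def chap_response(chap_i: int, secret: bytes, chap_c: bytes) -> bytes:
    """CHAP_R = MD5(CHAP_I || secret || CHAP_C), as in RFC 1994 (iSCSI CHAP_A=5).

    Only the one-byte identifier, the challenge and this digest cross the wire;
    a sniffer sees them but never the secret itself.
    """
    return hashlib.md5(bytes([chap_i & 0xFF]) + secret + chap_c).digest()


def mutual_chap_login(initiator_secret: bytes, target_secret: bytes,
                      target_knows_initiator: bytes, initiator_knows_target: bytes):
    """Simulate an iSCSI login with mutual CHAP.

    initiator_secret / target_secret: what each side actually uses to answer.
    target_knows_initiator / initiator_knows_target: what each side expects
    the other to hold. Returns (target_accepts_initiator,
    initiator_accepts_target, wire) where 'wire' is every field a sniffer on
    the storage network would observe. Names below are constructed.
    """
    wire = []
    # Step 1: target challenges the initiator.
    t_id, t_chal = secrets.randbelow(256), secrets.token_bytes(16)
    wire.append({"CHAP_A": 5, "CHAP_I": t_id, "CHAP_C": t_chal})
    # Step 2: initiator answers and, for mutual CHAP, issues its own challenge.
    i_id, i_chal = secrets.randbelow(256), secrets.token_bytes(16)
    wire.append({"CHAP_N": "iqn.2007-10.example:initiator",  # constructed name
                 "CHAP_R": chap_response(t_id, initiator_secret, t_chal),
                 "CHAP_I": i_id, "CHAP_C": i_chal})
    target_ok = wire[1]["CHAP_R"] == chap_response(t_id, target_knows_initiator, t_chal)
    # Step 3: target proves it holds the reverse secret; a rogue target that
    # merely got the initiator talking to it (e.g. via a spoofed name service)
    # cannot produce this digest.
    wire.append({"CHAP_N": "iqn.2007-10.example:target",  # constructed name
                 "CHAP_R": chap_response(i_id, target_secret, i_chal)})
    initiator_ok = wire[2]["CHAP_R"] == chap_response(i_id, initiator_knows_target, i_chal)
    return target_ok, initiator_ok, wire


if __name__ == "__main__":
    t_ok, i_ok, _ = mutual_chap_login(b"init-secret", b"tgt-secret", b"init-secret", b"tgt-secret")
    print("legitimate pair:", t_ok, i_ok)
    t_ok, i_ok, _ = mutual_chap_login(b"init-secret", b"unknown", b"init-secret", b"tgt-secret")
    print("rogue target:   ", t_ok, i_ok)
```

Without the reverse (target-to-initiator) leg, only the target is authenticated and a rogue target is not detected, which is why the initiator-side reverse secret matters alongside IPsec.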

iSCSI, which is being touted by vendors as an alternative to Fibre Channel, has been gaining momentum over recent months. Increasingly, the technology is being pushed as a way for users to reap the benefits of emerging technologies such as 10-Gbit/s Ethernet.

Another speaker at today's event also urged users to revisit their security strategies, although he warned CIOs and IT managers to make portable devices their top priority. "The number one security vulnerability that companies have is laptops," said Craig Edland, global product manager at EDS, pointing to FBI research which says a laptop is stolen every 53 seconds in the U.S.

"Do full encryption," he explained, adding that EDS has already encrypted all its laptops.
