Opening the Treasure Chest: Attacking Network Attached Storage on a Pen Test

Russell Butturini

Thu, 21st August 2014

Speaker Bio 1:
Russell Butturini is the senior enterprise security architect for an international health care company based in Nashville, TN.

He holds multiple industry certifications, is the creator of the U3 incident response switchblade, and has authored multiple published papers on advanced denial of service techniques. Russell's new life goal is to teach his 5-year-old how to program in Python before she leaves kindergarten.

Learning Objectives:

Russell will explain:

  • Where the typical network attached storage security model falls short.
  • How to audit their network attached storage configuration.
  • Why software included with storage devices can introduce risk into the network.

Questions and answers

Henry, Concise Courses:
@29.12 Could you advise on a back-up plan?

Russell Butturini:
Pretty much all backup software has inline encryption enabled now, so what you can do is if your agent has inline encryption and you are moving data into storage and it’s encrypted, they don’t have the keys, so there is no real risk attached. The best thing I can say is to look at vendor’s info. I have worked with Symantec and Veritas in the past [and you can contact them] if you have concerns with this. Definitely work through vendors because they have a lot of options [regarding] security that are not switched on by default, but can be.

Henry, Concise Courses:
@30.22 What are the best places to find information on patching hardware?

Russell Butturini:
Vendors almost always release their patching through CVE. I like the Full Disclosure and SecurityFocus mailing lists. A lot of businesses participate in SecurityFocus. I know that ESET does, HP does; they release vulnerabilities onto those mailing lists the day they come out. These lists are loosely moderated and a lot of people contribute to them. You will see things that are from vendors and things that are not from vendors, so that’s a really good resource.

Henry, Concise Courses:
@31.44 Does a server log show if a subnet has been infected or has been compromised?

Russell Butturini:
I like to aggregate all that data and look for anomalous behavior and particular data in data storage subnets. One of the things we look for is the Cisco NetFlow, so if you are a Cisco shop and you can explore data from your subnet and maybe you see a web server connecting back to a database, or a domain controller connecting to financial data, well, now we know that is anomalous, and we now need to go and check it out. I am a huge proponent of centralized logging and analyzing logging data at a network traffic level, even outside of just what audit law is considered [appropriate]. Traffic and logging aggregators like NetFlow will show you things like anomalous protocols in use and network traffic that you wouldn’t expect, so yes, those are the kind of ways that I like to track those things!