Internal and External Vectors

In biology, a vector is the way that a disease agent accesses a host. Sneezing is a vector, as are the surfaces in a bathroom. The vector for the Black Death in the Middle Ages was fleas carried by rats, and mosquitoes are a vector for yellow fever.

The same is true of computer attacks. Several vectors can be employed to attack systems. Storage systems have some vectors in common with other parts of a computer infrastructure and a few unique ones as well.

Generally speaking, attacks come from either an inside source or an outside one. In a recent study by the Computer Security Institute and the Federal Bureau of Investigation, internal attacks against systems were listed as the second most common type of attacks reported.^[1] Because these attacks tend to be underreported or categorized as something other than computer intrusion, it is safe to say that internal threats are very dangerous and prevalent. Attacks against storage systems are more likely to be from internal vectors, owing to the difficulty of getting to the storage infrastructure from the outside. Many layers of network, host, and application security have to be breached before a typical SAN can be attacked. Fibre Channel networks in particular require an external source to have high degrees of access and uncommon skills to mount an effective attack.

^[1] 2003 CSI/FBI Computer Crime and Security Survey.

Besides the ability to mount attacks, insiders have the capability to do much more damage. They have superior knowledge of and access to sensitive information, such as passwords. Insiders can also cover their tracks better because they are knowledgeable of a company's security policies, practices, and capabilities.

That is not to say that external hackers aren't capable of attacking a storage network. iSCSI, being Internet based, is especially vulnerable to attack. The complete lack of authentication in a Fibre Channel network ensures that if a host is breached, the storage devices are wide open to attack. It is only a general lack of knowledge of FC SANs that keeps storage system hacking from becoming a more widespread problem.

To attack a system from the outside, the attacker first needs to penetrate the perimeter network defenses. The intruder then needs to gain access to a host with sufficient privileges to access the applications and tools used to manage and access the storage system. There are several methods for doing this, including making use of a flaw in a running system process or application.

Despite the difficulty of all this, it is possible to launch an attack from outside a storage network. It is also conceivable that an actual attack will emanate from a different computer on the network that is acting as a relay. This is old hat for many hackers.