T 5.130 Manipulation of the configuration of a storage system
Storage systems are the last line of defence for the IT systems of an organisation since a large amount of important data of an organisation is concentrated at this one location. For this reason, there are special security requirements for these systems.
The security-relevant settings of a storage system can be viewed and modified using manufacturer-specific programs running on a normal PC or using standard interfaces such as a web browser.
If an attacker is able to obtain passwords allowing access to the configuration program of the storage system and then changes the settings there, the attacker can bypass a number of security and control safeguards.
If a separate administration network for administration purposes was not set up and protocols are used for administration of the storage system in which passwords are sent as clear text, an attacker may very easily read these passwords.
This would enable an attacker who has broken in from the outside into one of the computers in the organisation or who (when the attacker is an insider) is permitted to access the intranet regularly to expand his/her privileges.
Even if no unencrypted information is sent through the normal intranet to administer the storage system, there is still a risk that one of the computers containing configuration information for the storage system or suitable for configuration of the storage system can be compromised. This would render all security safeguards implemented throughout the entire storage system useless.