Data storage deeply permeates our digital lives. It’s something each of us has to contend with. From people backing up their music collections or keeping personal tax records to businesses handling confidential client information, storing data is a challenge, especially security-wise.
That’s where Network Attached Storage has made things much easier. We will look at what NAS actually is, and, more importantly, how it functions. We’ll assess whether it’s a sufficient solution for safe data storage, as well as how NAS security should be ensured. This should result in safer data, fewer cybersecurity breaches, and less stress all around.
What is Network Attached Storage?
Network Attached Storage (NAS) is a common solution for handling shared files on business and academic networks.
In NAS systems, specialist storage drives are used as a simple alternative to standalone servers. This makes it very easy for businesses to distribute information between different teams and departments without needing to invest in costly IT systems. These drives sit at the heart of most NAS systems and tend to be pretty simple, comprising a hard disk and an OS intended purely to interface with local network users – and not much more.
Network Attached Storage is usually optimized to deliver the fastest possible speeds. User groups can connect to NAS devices and peruse the data they store, without having to use separate hard disks and server setups.
This also means that NAS systems tend to be much easier to create and maintain, so they will most likely be the most time-efficient and convenient networking solution available.
How secure is NAS?
The answer depends on many factors, such as your actual NAS model and the operating system. When it comes to security updates, NAS makers usually take more time to issue them than Windows or iOS developers. During that period, you should be extra careful and limit access to your NAS from outside.
But most importantly, the security of your NAS depends on your behavior and attitude. For example, opening too many ports gives intruders more ways to reach your information. Leaving default passwords unchanged is an even surer way to put your data at risk.
Since it's a physical device that stores data offline, NAS depends on the actual storage drive to not malfunction. Also, a burglary or a fire is probably more likely to destroy it than some random hacker. That's why having a separate offline or cloud backup is of utmost importance.
NAS has several potential weaknesses which IT managers and companies need to be aware of. These weaknesses can be addressed and mitigated, so let’s assess how severe they are, and how to respond.
Most common NAS security issues
It is important to acknowledge that most NAS systems have in-built defenses, for example, password authentication, which means they aren’t totally defenseless. With that being said, there are certain critical threats that NAS users should be aware of.
1. Password security
Sometimes, the authentication procedures incorporated into NAS security systems can be a threat in their own right. When we rely on password security or other forms of authentication, we can become complacent and neglect key risks.
For example, weak passwords can be guessed or brute-forced with automated tools with relative ease. That's why the first thing you have to do is change default passwords. Because NAS servers are connected directly to your network (as well as the internet at large), they can be inherently exposed to possible password hacks.
Moreover, not all organizations operate watertight personal security practices. This can lead to the theft or betrayal of password details or the leaking of data via practices like using work applications on unsecured wifi networks.
So, while NAS security measures help, they can never be sufficient to ensure full data integrity.
2. Leakage from other network devices
NAS servers can be directly or indirectly connected to a vast array of other devices. Usually, this includes computers on the same network. However, smart devices that are connected to the IoT (Internet of Things) can sometimes also be involved.
Recently, security experts have been raising red flags about IoT-connected devices possibly being targeted by hackers, who then use those devices to spread malware across corporate networks.
It’s easy to imagine NAS-connected drives becoming infected in this way, potentially handing cyber-attackers unrestricted access to the data those drives hold.
3. Malware and viruses
Concerns are also being raised regarding the possible exposure of NAS to malware and viruses. Perhaps surprisingly, this is not an academic issue. There have been well-documented cases of NAS devices being targeted by malware.
In 2017, an agent called SecureCrypt appeared, which utilized the SambaCry NAS loophole to take control of servers. After encrypting the data on victimized drives, SecureCrypt would demand a BitCoin “tax” to unlock the content, or the drive would be rendered unusable.
This followed the StuxNet attack on Iranian nuclear facilities, which ripped through poorly secured NAS and IoT-enabled devices, showing how even large industrial sites could be taken offline by determined attackers.
4. Command Injection
Another common weakness that NAS is prone to is Command Injection. More importantly, manufacturers increasingly struggle to counteract this vulnerability. Basically, Command Injection attacks allow unauthorized attackers to take control of Network Attached Storage drives, giving them root privileges that only network administrators should possess.
Hackers have reported relatively simple command injection techniques to take control of LG NAS servers, while drives from companies like Buffalo, Western Digital, and ZyXEL have all come under scrutiny.
Hardly any NAS devices have been found to be completely protected against Command Injection attacks.
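The pattern behind this class of bug, shown beside its hardened form. This is an added example, not code from the original article or from any vendor's firmware; the diagnostics handler and its names are hypothetical, and `echo` stands in for the real diagnostic binary so the block runs offline.

```python
import re
import subprocess

# Hypothetical diagnostics handler of a NAS web admin panel (illustrative names).
# Allowlist: letters, digits, dots and hyphens, with no leading '-' so the
# value cannot be read as a command-line option.
HOSTNAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")

# Constructed input: a host name followed by a harmless marker command.
CONSTRUCTED_INPUT = "nas.local; echo INJECTED"


def diag_vulnerable(host: str) -> str:
    # BAD: the request parameter is pasted into a shell command line, so
    # shell metacharacters in it are interpreted. On a NAS the admin service
    # often runs as root, which is why this yields root privileges.
    done = subprocess.run("echo probing " + host, shell=True,
                          capture_output=True, text=True)
    return done.stdout


def diag_hardened(host: str) -> str:
    # 1. Validate the input against the allowlist before using it.
    if not HOSTNAME.fullmatch(host):
        raise ValueError("invalid host name")
    # 2. Pass an argument vector and no shell: the value stays one argument.
    done = subprocess.run(["echo", "probing", host],
                          capture_output=True, text=True)
    return done.stdout


if __name__ == "__main__":
    print(repr(diag_vulnerable(CONSTRUCTED_INPUT)))  # two commands ran
    print(repr(diag_hardened("nas.local")))          # one command ran
```
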
NAS security guide
We know that Network Attached Storage isn’t 100% safe. However, it is still a very convenient and quick solution for businesses and individuals alike. And for many of us, the benefits of easily backing up our data and sharing files with colleagues outweigh the danger of hacking or viruses.
Still, that doesn’t mean we should ignore the risks associated with Network Attached Storage. There are actually some accessible, effective ways to lock down NAS equipment against malicious attackers.
1. Implement strong password security
If you haven’t hammered home the importance of employees regularly changing their passwords and choosing passwords that aren’t easy to guess, this should be the first thing you do.
All too often, NAS and other corporate attacks are facilitated by weak security among the people who use targeted networks. So be sure to assess the level of awareness among your staff, and regularly audit their security skills to ensure that standards remain high. Setting up password rules is also a good idea – this way nobody will be able to create short and weak passwords.
You should also protect all accounts with two-factor authentication (2FA). One of the most common methods is using an authenticator app on your phone. This way, even if someone steals your password, the account will remain safe as long as you don't authenticate access by entering a PIN code or using Touch ID.
2. Ensure that NAS firmware is routinely updated
Cyber-attackers are always seeking ways to crack NAS firmware, and they tend to succeed eventually. After a few months, virtually no NAS operating system can be considered totally safe, resulting in the need for patches and wholesale overhauls.
As a user, you should receive notifications when patches are available, so don’t ignore them. Make a point of implementing any updates as soon as they become available.
This doesn’t just refer to NAS firmware, by the way. It’s equally important to update your antivirus software. And it helps to have a procedure in place to check that updates are being implemented so that problems can be addressed before they become critical threats.
3. Never use default admin accounts
This might sound self-evident, but it’s important. When NAS servers are installed, they usually provide the option of using the default username “admin.” It might seem like common sense to assign this particular username to the NAS manager. However, doing so would be a big mistake.
You need to make it as hard as possible to crack the login process for any given NAS drive, and choosing an easily guessable identity like “admin” is always a poor option.
At the same time, a username like “admin” is like a red rag to every hacker, giving them proper encouragement to go further. Make sure not to tempt them, and put as many layers of secure authentication between your data and hackers as you can.
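A way to check whether password guessing against the “admin” account is actually happening, covering both the password and the default-account advice above. This is an added example, not part of the original article; the log line format and the thresholds are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample; the line format is an assumption, not a vendor's format.
SAMPLE_LOG = """\
2024-05-01T02:14:01Z login FAIL user=admin src=203.0.113.7
2024-05-01T02:14:03Z login FAIL user=admin src=203.0.113.7
2024-05-01T02:14:05Z login FAIL user=admin src=203.0.113.7
2024-05-01T02:14:09Z login OK user=admin src=203.0.113.7
2024-05-01T08:30:00Z login FAIL user=maria src=192.168.1.20
2024-05-01T08:30:12Z login OK user=maria src=192.168.1.20
"""

LINE = re.compile(r"(\S+) login (OK|FAIL) user=(\S+) src=(\S+)")
DEFAULT_USERS = {"admin"}  # the default name the article warns about


def detect(log, max_fails=3, window=timedelta(minutes=1)):
    """Return (alert, source, user) tuples in log order."""
    fails = defaultdict(list)  # source -> failure timestamps inside the window
    alerts = []
    for line in log.splitlines():
        m = LINE.fullmatch(line.strip())
        if not m:
            continue  # not a login event
        ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ")
        result, user, src = m[2], m[3], m[4]
        # Drop failures that have aged out of the sliding window.
        fails[src] = [t for t in fails[src] if ts - t <= window]
        if result == "FAIL":
            fails[src].append(ts)
            if len(fails[src]) == max_fails:  # fire once at the threshold
                alerts.append(("brute-force", src, user))
            continue
        if len(fails[src]) >= max_fails:  # a guess finally worked
            alerts.append(("success-after-burst", src, user))
        if user in DEFAULT_USERS:  # default account is still enabled
            alerts.append(("default-account-in-use", src, user))
        fails[src].clear()  # a successful login resets the counter
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```
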
4. Secure your connection and ports
You should enable HTTPS instead of HTTP to secure incoming and outgoing traffic. You should also make sure that FTP connection is secure as well.
You should close all the ports that you won't need for communication with the outside. Another good idea is to change the default ports – this will reduce the number of attacks on your NAS. We recommend changing at least HTTP, HTTPS, and SSH ports.
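A small audit that applies these three rules (close what is not needed, replace plaintext services, move default ports) to the ports your own NAS answers on. This is an added example, not part of the original article; the port maps list only the standard ports of the services named above, and the scan result in the demo is constructed.

```python
import socket

# Standard ports for the services the article names; vendor-specific admin
# ports differ per model, so extend these maps for your own device.
PLAINTEXT = {21: "FTP", 80: "HTTP"}
DEFAULTS = {22: "SSH", 80: "HTTP", 443: "HTTPS"}


def open_ports(host, ports, timeout=0.5):
    """TCP-connect to each port on your own NAS; return the ones that answer."""
    found = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.append(port)
        except OSError:  # refused, filtered or timed out
            pass
    return found


def audit(reachable, needed):
    """Map reachable ports to findings, following the article's rules."""
    findings = []
    for port in sorted(reachable):
        if port not in needed:
            findings.append((port, "close: not needed from outside"))
        elif port in PLAINTEXT:
            findings.append((port, f"encrypt: {PLAINTEXT[port]} is plaintext"))
        elif port in DEFAULTS:
            findings.append((port, f"move: default {DEFAULTS[port]} port"))
    return findings


if __name__ == "__main__":
    # Constructed scan result; on a real network use
    # open_ports("<your-nas-address>", range(1, 1025)) instead.
    reachable = [21, 22, 80, 443, 8443]
    for port, advice in audit(reachable, needed={21, 22, 8443}):
        print(port, advice)
```

Run it from outside the LAN as well as inside: the ports that matter most are the ones reachable from the internet side of your router.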
5. Make use of your NAS firewall
Most NAS systems come with firewalls, and there’s no reason to turn them off. Firewalls work by registering legitimate users and denying access to anyone else. This makes them a great first line of defense against possible attackers.
The problem is that many NAS systems don’t actually engage firewalls when they are configured, and users may need to manually set them up. It’s well worth doing so if you want to keep your data secure.
6. Enable DoS protection
Enabling denial-of-service (DoS) attack protection is another crucial setting in your NAS. It won't be enabled by default most of the time, but there's a good reason for that. You might get false positives, where your NAS treats benign traffic as a DoS attack. The best way is to whitelist known traffic sources and keep the protection on.
7. Use a VPN whenever you use your NAS
A VPN can be an essential NAS security tool. Top-notch VPNs add a layer of encryption on all online traffic that passes between your network and the web. This means that would-be attackers can’t intercept and sniff out password details or the IP addresses of legitimate users.
VPNs also make it viable to access NAS servers remotely from outside the home or office. Normally, this would be unacceptably risky. But when full encryption and IP anonymization are in place, you can be fairly confident that your data will stay safe and sound.
NAS has found plenty of niches in today’s economy, and it can certainly be a handy data storage solution. But, as we’ve seen, the data held on NAS drives isn’t always as safe as it could be. Using a Virtual Private Network as an insurance policy can make your data that much safer. And in a world where data leaks can destroy business reputations, VPNs can be a vital part of an in-depth cyberdefence strategy.
How safe are the most popular NAS devices?
When it comes to security breaches, NAS devices are way behind cloud storage. That's not surprising, given that you can limit the access to your NAS device by closing ports or whitelisting only a few connections.
Most NAS devices have network backup, firewalls, DoS protection, and other security features. However, some models and makes are popular exactly because they walked that extra mile to make your data safe. So what are some of the technologies they implement?
One is the Self-encrypted Drive, or SED. It protects your data even when offline because it generates an authentication key. Of course, you lose some convenience because you have to enter the encryption key every time you start your NAS device.
Next, we mentioned above the possible dangers of fire and water destroying your data. That doesn't apply to all NAS as some are fireproof and waterproof. The best ones can sustain 1500°F for half an hour, which should be more than enough unless you're further from the fire station than most homes and offices. When it comes to combating liquids, you'd be happy to know that your NAS can also sustain the water from the firemen's hose. And in case of a flood, you can keep your data 10 feet under for three days.
However, it appears that software is always the least secure component when it comes to NAS or any other device. Not all makers do their best to patch known vulnerabilities, which means that your data might be left vulnerable for days if not weeks. For example, in July 2020, over 60,000 QNAP NAS devices got infected with malware. Back in 2018, Asustor's AS-602T turned out to have a whopping 15 vulnerabilities. And in 2014, unpatched Synology devices were hit by a ransomware attack.
As you can see, there are different hardware and software-based vulnerabilities that can impact your NAS device's security. However, if you minimize the chance of physical damage, keep your software up-to-date, and limit access from unknown sources, your NAS and your data should stay safe.