Data storage is something that all of us have to contend with. From individuals keeping confidential tax records or backing up their movie collection to businesses handling complex client information, storing data is a huge challenge.
That’s where Network Attached Storage has made things much easier. This article will look at what NAS is, and how it functions. We’ll assess whether it is a safe data storage solution, and how to ensure good NAS security. The result should be safer data, fewer cybersecurity breaches, and less stress all around.
What is Network Attached Storage?
Network Attached Storage (NAS) is a common solution for handling shared files on business and academic networks.
In NAS systems, specialist storage drives are used as a simple alternative to standalone servers, making it easy for companies to distribute information between departments and teams without the need for costly IT systems.
These drives sit at the heart of most NAS systems and tend to be pretty simple, comprising a hard disk and an OS intended purely to interface with local network users – and not much more.
What are the pros and cons of NAS?
Why would organizations choose NAS over traditional servers? Generally speaking, there are two major advantages.
Firstly, NAS is usually optimized to deliver the fastest possible speeds. Groups of users can simply connect to NAS devices and use the data they contain, without the need for separate hard disks and server setups.
This also means that NAS systems tend to be much easier to create and maintain, so they will most likely be the most time efficient and convenient networking solution available.
But this doesn’t necessarily make Network Attached Storage the correct choice for any given network.
NAS has several potential weaknesses which IT managers and companies need to be aware of. These weaknesses can be addressed and mitigated, so let’s assess how severe they are, and how to respond.
What are the most common NAS security issues?
Firstly, it’s important to acknowledge that most NAS systems have in-built protections, such as authentication by passwords. So they aren’t totally defenseless. That being said, there are some critical threats that NAS operators need to be aware of.
- Password security
Sometimes, the authentication procedures incorporated into NAS security systems can be a threat in their own right. When we rely on password security or other forms of authentication, we can become complacent and neglect key risks.
For example, weak passwords can be guessed or brute forced with relative ease. As NAS servers are connected directly to your network (and hence, generally to the wider internet), they are inherently exposed to password hacks.
Moreover, not all organizations operate watertight personal security practices. This can lead to the theft or betrayal of password details or the leaking of data via practices like using work applications on unsecured wifi networks.
So while NAS security measures help, they can never be sufficient to ensure full data integrity.
- Leakage from other network devices
NAS servers can be directly or indirectly connected to a vast array of other devices. This includes computers on the same network, but can also include “smart” devices connected to the Internet of Things.
Security experts have been raising red flags about the possibility of attackers targeting IoT connected devices, then using those devices to spread malicious code across corporate networks.
It’s easy to imagine NAS connected drives becoming infected in this way, potentially handing cyberattackers unrestricted access to the data those drives hold.
- Malware and viruses
Concerns are also rising regarding the exposure of Network Attached Storage to viruses and malware. This isn’t an academic issue. There have been well-documented cases of malware targeting NAS devices.
In 2017, an agent called SecureCrypt appeared, which utilized the SambaCry NAS loophole to take control of servers. After encrypting the data on victimized drives, SecureCrypt would demand a BitCoin “tax” to unlock the content, or the drive would be rendered unusable.
This followed the StuxNet attack on Iranian nuclear facilities, which ripped through poorly secured NAS and IoT-enabled devices, showing how even large industrial sites could be taken offline by determined attackers.
- Command Injection
Command Injection is a common NAS weakness and one that manufacturers really struggle to counteract. Basically, these attacks allow completely unauthorized intruders to take control of NAS drives, giving them root privileges that only admin should possess.
Hackers have reported relatively simple command injection techniques to take control of LG NAS servers, while drives from companies like Buffalo, Western Digital, and ZyXEL have all come under scrutiny.
Hardly any have been found to be completely immune to command injection attacks.
What can you do to secure your Network Attached Storage systems?
We know that NAS isn’t 100% safe. But it’s still a very convenient, fast solution for homes and businesses. And for many of us, the benefits of easily backing up our data and sharing files with colleagues outweighs the danger of hacking or viruses.
But that doesn’t mean we should ignore the risks. There are actually some accessible, effective ways to lock down NAS equipment against malicious attackers.
- Implement strong password security
If you haven’t hammered home the importance of employees regularly changing their passwords and choosing passwords that aren’t easy to guess, this should be the first thing you do.
All-too-often, NAS and other corporate attacks are facilitated by weak security among the people who use targeted networks. So be sure to assess the level of awareness among your staff, and regularly audit their security skills to ensure that standards remain high.
Read our guide on How to create a strong password
- Ensure that NAS firmware is routinely updated
Cyber-attackers are always seeking ways to crack NAS firmware, and they tend to succeed eventually. After a few months, virtually no NAS operating system can be considered totally safe, resulting in the need for patches and wholesale overhauls.
As a user, you should receive notifications when patches are available, so don’t ignore them. Make a point of implementing any updates as soon as they become available.
This doesn’t just refer to NAS firmware, by the way. It’s equally important to update your antivirus software. And it helps to have a procedure in place to check that updates are being implemented so that problems can be addressed before they become critical threats.
- Never use default admin accounts
This might sound obvious, but it’s important. When NAS servers are installed, they usually provide the option of using the default user name “admin”. It might sound reasonable to assign this username to the NAS manager, but it’s a big mistake.
You need to make it as hard as possible to crack the login process for any given NAS drive, and choosing an easily guessable identity like “admin” is always a poor option.
At the same time, a username like “admin” is like a red rag to some hackers, giving them encouragement to go further. Don’t tempt them. Put as many layers of authentication between attackers and your data as possible.
- Make use of your NAS firewall
Most NAS systems come with firewalls, and there should be no reason to turn them off. Firewalls work by registering legitimate users and denying access to illegitimate intruders. So they are a good first line of protection against speculative attackers.
The problem is that many NAS systems don’t actually engage firewalls when they are configured, and users may need to manually set them up. It’s well worth doing so if you want to keep your data secure.
- Use a VPN whenever you use your NAS
Virtual Private Networks are another essential NAS security tool. Why? It’s pretty simple. Top-notch VPNs add a layer of encryption on all of the traffic which passes over and out of your network. So attackers won’t have a sniff of password details or the IP addresses of legitimate users.
VPNs also make it viable to access NAS servers remotely from outside the home or office. Normally, this would be unacceptably risky. But when full encryption and IP anonymization is in place, you can be fairly confident that your data will stay safe and sound.
Create a secure NAS setup for your home or business
Network Attached Storage has found plenty of niches in today’s economy, and it can certainly be a handy data storage solution. But, as we’ve seen, the data held on NAS drives isn’t always as safe as it could be.
If you rely on NAS, applying security audits, policing password security, checking antivirus updates, and using VPNs as an insurance policy should make your data much safer. And in a world where data leaks can destroy the reputation of businesses, that’s a very reassuring situation to be in.