How to Secure NAS: Best Practices & Practical Guide

To sufficiently protect network-attached storage (NAS) systems against cyberattacks, companies must implement tightened access controls, strong network security, and regular software updates. NAS environments often store important business data at rest, including files that might hold business secrets or personal customer data. Just because NAS systems are older technology than cloud storage infrastructure doesn’t mean they aren’t a major target for data thieves. Attackers have sought NAS data in the past and will again. 

Businesses should be aware of all the vulnerabilities in their NAS systems and tighten controls at all layers of their storage infrastructure. The following best practices for securing an enterprise NAS can help companies recognize their NAS storage protection needs and implement practical cybersecurity strategies:

NAS security best practices

Change admin passwords and other default credentials 

Default passwords on network attached storage systems, like standard admin passwords, are preset by the manufacturer. These passwords are some of the easiest targets for an attacker to reach, because they are already known by the technology industry, have a predictable structure, or are easy to guess. Changing any default passwords, making them difficult to guess, and securely storing those passwords immediately should be one of the first steps for a business when implementing a NAS. 

Once a user configures their new NAS drive or array, they can navigate to the drive settings and select the option to change credentials. Storage and IT administrators should change all default usernames, too. The more credentials that attackers have to guess, the more safe the account will be. 

Save all administrative credentials in a safe location, like a password manager. These password protection solutions use cryptographic technology to protect usernames and passwords. 

Secure routers

IT teams should configure routers with appropriate secure routing protocols, like HTTPS. They should also immediately change passwords for all routers on the network from any default states; default or hardcoded admin passwords make it much easier for attackers to breach a network. Store all access credentials privately in a password manager or other secure platform.

Any NAS systems connected to the internet should also use routers with secure routing protocols, like HTTPS, rather than HTTP. Using router management software can also help: these programs help storage administrators inspect network activity closely and observe malicious trends. Ensure that all storage admins know how to use router management tools and understand what network abnormalities look like. 

Update NAS operating systems 

The operating systems that manage NAS devices and arrays may offer regular software updates. IT teams should immediately make updates when they’re released. Not only do operating system updates improve NAS performance, but they also correct security problems that the vendor or other experts have discovered after the software’s initial release. 

Ensure that IT teams have designated which employees are to patch security vulnerabilities whenever they’re announced. Information security teams should create policies that state the time frame in which employees are expected to patch existing weaknesses in their NAS devices or firmware. 

NAS operating systems and any other firmware need to be updated consistently and immediately. Threat actors can take advantage of an unpatched system and gain access to the network. In recent years, attackers are quick to exploit vulnerabilities the moment they’re revealed, and these include weaknesses within storage firmware.  

Popular NAS devices from leading vendors have recently revealed known vulnerabilities in their systems. Businesses cannot assume that top NAS arrays will be vulnerability-free. Continually monitor update logs and announcements from all device vendors in the company storage infrastructure (for example, if the business uses Synology and QNAP devices). Then update software accordingly whenever a new version is announced.    

Train storage employees

Storage personnel and any other employees who will have access to a NAS system or files on the NAS should receive thorough cybersecurity training. Security training for storage personnel includes protecting NAS systems from the public internet, securing employee passwords, and training storage admins how to monitor NAS environments. 

Internet security practices

Teach basic internet security practices to employees on a regular cycle, like biannually or each quarter. This helps them avoid popular phishing attempts. Often, attackers will target company email addresses, hoping that lower-level employees and executives alike will fall prey to an email spoofed to look like it came from their coworker. 

Ensure that all employees know what social engineering looks like, so they don’t click unknown or unexpected links in emails or respond to strange texts on a work device. If a NAS system is connected to the internet, it is subject to internet-based threats, like website malware. And if the NAS isn’t password protected, an attacker can breach it after hacking the company network. 

Protecting all passwords

Employees should use their own passwords to access a NAS system or borrow other users’ only through a safe, encrypted sharing system. Password manager software is a common method of storing and sharing credentials safely.

Additionally, employees should never post their passwords in plain sight in an office or data center space: if an attacker gains access to the physical location, they could use the credentials and access the system without ever having to find a backdoor. Again, teams should store all passwords cryptographically, and they should only be accessible by employees who are authorized to log into those platforms. 

Monitoring training for storage administrators 

Train all employees in administrative roles to use any existing management software for their organization’s NAS. This means they must understand how to monitor the network for anomalous behavior that could indicate a threat actor. 

Storage admins should receive thorough training so they can navigate their NAS system’s management portal and understand what a potential breach looks like. They should also know how to apply any patches and complete software updates for the NAS system. Although training storage employees to use NAS management software may require a large time investment, it’s worthwhile.  

Implement immutable backups

Ensure that the organization’s backup strategy includes immutable copies. These are much more difficult for attackers to compromise.

Implementing immutable backups of data is important for NAS environments, according to Ahsan Siddiqui, director of product management at Arcserve

“Immutability is rapidly emerging as the last line of defense against ransomware — and NAS is no exception,” Siddiqui said. “Cybercriminals are becoming more sophisticated and realize that companies rely on backups to recover from ransomware attacks. They attack the backup infrastructure first, deleting backup copies and then encrypting the primary production data.” 

However, immutable backups provide a more secure method of protecting an enterprise’s storage infrastructure. 

“Immutability means data is converted to a write-once, read many times format and can’t be deleted or altered — not by hackers or administrators,” Siddiqui said. “Snapshots of the data will be taken every 90 seconds, and these snapshots make it possible for you to go back to specific points in time before an attack and recover entire file systems in a matter of minutes. As a result, even if a cyberattack is successful, your information will be quickly and easily recoverable to a very recent point in time.”

Secure backups are an important protective measure in case an attacker slips through the cracks of an organization’s infrastructure to breach its NAS systems. Although backups won’t stop some more advanced attacks, like double-extortion ransomware attacks, they’re still a critical part of an enterprise storage infrastructure. No business should neglect strong backup technology and plans; these may help them rebuild after multiple cyberattacks. 

Why should I secure my NAS?

Securing data at rest is just as important as securing data in transit. NAS systems often hold older data like company files, which may have confidential business details or personally identifiable customer information. Attackers might view business NAS systems as an easy target, because they’re often manufactured with default credentials that are easy to hack. 

Although security may require enterprises to implement additional tools, like installing an identity and access management (IAM) solution, NAS security is always worthwhile. Businesses that invest in a comprehensive storage security infrastructure now will be rewarded in the future. 

Learn more about the importance of securing NAS systems next.

Jenna Phipps
Jenna Phipps
Jenna Phipps is a contributor for Enterprise Mobile Today, Webopedia.com, and Enterprise Storage Forum. She writes about information technology security, networking, and data storage. Jenna lives in Nashville, TN.

Latest Articles

5 Top Security Assessment Trends in 2022

Think about the amount of information that is available today. It amounts to hundreds of zettabytes.  Yet, the bulk of security attention is aimed at...

5 Top Network Segmentation Trends in 2022

Storage has always used architectures that split large amounts of something into smaller segments.  There are disks, drives, partitions, physical and logical volumes, and logical...

Top Penetration Testing Trends in 2022

Penetration testing is growing in prominence.  Instead of defend, defend, defend against unseen attacks that could come from anywhere, a different view is needed: Look...