To sufficiently protect network-attached storage (NAS) systems against cyberattacks, companies must implement tightened access controls, strong network security, and regular software updates. NAS environments often store important business data at rest, including files that might hold business secrets and personal customer data. Just because NAS systems predate cloud storage infrastructure doesn’t mean they aren’t a major target for data thieves. Attackers have sought NAS data in the past and will again.
Businesses should be aware of all the vulnerabilities in their NAS systems and address security at all layers of their storage infrastructure. The following best practices for securing an enterprise NAS can help companies recognize their NAS storage protection needs and implement practical NAS cybersecurity strategies:
NAS security best practices
- Change admin passwords and default credentials
- Update NAS operating systems
- Secure routers
- Train storage employees on security
- Implement immutable backups
- Why should I secure my NAS?
Change admin passwords and other default credentials
Once a user configures their new NAS drive or array, they can navigate to the drive settings and select the option to change credentials. They should immediately change the password to something strong:
- At least eight characters, with one number and a special character
- Hard to guess — not tied to any recognizable characteristics of the user or organization, like a name
Storage and IT administrators should change all default usernames, too. The more credentials that attackers have to guess, the more safe the account will be.
Default passwords on network attached storage systems, like standard admin passwords, are preset by the manufacturer. These passwords are some of the easiest targets for an attacker to reach, because they are already known by the technology industry, have a predictable structure, or are easy to guess. Changing any default passwords, making them difficult to guess, and securely storing those passwords immediately should be one of the first steps for a business when implementing a NAS.
Learn more about implementing best practices for password security.
Use a password manager
Save all administrative credentials in a safe location, like a password manager. These password protection solutions use cryptographic technology to protect usernames and passwords. They also help employees organize their credentials by application.
Considering a password manager? Learn more about the best password management solutions for businesses.
Update NAS operating systems
The operating systems that manage NAS devices and arrays may offer regular software updates. IT teams should immediately make updates when they’re released. Not only do operating system updates improve NAS performance, but they also correct security problems that the vendor or other experts have discovered after the software’s initial release.
Ensure that IT teams have designated which employees are to patch security vulnerabilities whenever they’re announced. Information security teams should create policies that state the time frame in which employees are expected to patch existing weaknesses in their NAS devices or firmware.
NAS operating systems and any other firmware need to be updated consistently and immediately. Threat actors can take advantage of an unpatched system and gain access to the network. In recent years, attackers are quick to exploit vulnerabilities the moment they’re revealed, and these include weaknesses within storage firmware.
Popular NAS devices from leading vendors have recently revealed known vulnerabilities in their systems. Businesses cannot assume that top NAS arrays will be vulnerability-free. Continually monitor update logs and announcements from all device vendors in the company storage infrastructure. For example, if the business uses Synology and QNAP devices, watch their feeds for any information about versions or vulnerabilities. Then update software accordingly whenever a new version is announced.
IT teams should configure routers with appropriate secure routing protocols, like HTTPS. They should also immediately change passwords for all routers on the network from any default states; again, default or hardcoded admin passwords make it much easier for attackers to breach a network. Store all router credentials privately in a password manager or other secure platform.
Any NAS systems connected to the internet should also use routers with secure routing protocols, like HTTPS, rather than HTTP. Using router management software can also help: these programs help storage administrators inspect network activity closely and observe malicious trends. Ensure that all storage admins know how to use router management tools and understand what network abnormalities look like.
Train storage employees on security
Storage personnel and any other employees who will have access to a NAS system or files on the NAS should receive thorough cybersecurity training. Security training for storage personnel includes protecting NAS systems from the public internet, securing employee passwords, and training storage admins how to monitor NAS environments.
Learn more about the importance of security training for employees.
Know and discuss internet security practices
Teach basic internet security practices to employees on a regular cycle, like biannually or each quarter. This helps them avoid popular phishing attempts. Often, attackers will target company email addresses, hoping that lower-level employees and executives alike will fall prey to an email spoofed to look like it came from their coworker.
Ensure that all employees know what social engineering looks like, so they don’t click unknown or unexpected links in emails or respond to strange texts on a work device. If a NAS system is connected to the internet, it is subject to internet-based threats, like website malware. And if the NAS isn’t password protected, an attacker can breach it after hacking the company network.
Protect all passwords
Employees should use their own passwords to access a NAS system or borrow other users’ only through a safe, encrypted sharing system. Password manager software is a common method of storing and sharing credentials safely.
Additionally, employees should never post their passwords in plain sight in an office or data center space: if an attacker gains access to the physical location, they could use the credentials and access the system without ever having to find a backdoor. Again, teams should store all passwords cryptographically, and they should only be accessible by employees who are authorized to log into those platforms.
Train storage administrators to monitor NAS systems
Train all employees in administrative roles to use any existing management software for their organization’s NAS. This means they must understand how to monitor the network for anomalous behavior that could indicate a threat actor.
Train all storage admins to navigate their NAS system’s management portal and understand what a potential breach looks like. They should also know how to apply any patches and complete software updates for the NAS system. Training storage employees to use NAS management software may require a significant time investment. But it’s worthwhile in the long run for their experience in storage security and the overall strength of the organization’s storage systems.
Implement immutable backups
Ensure that the organization’s backup strategy includes immutable copies. These are much more difficult for attackers to compromise.
“Immutability is rapidly emerging as the last line of defense against ransomware — and NAS is no exception,” Siddiqui said.
“Cybercriminals are becoming more sophisticated and realize that companies rely on backups to recover from ransomware attacks. They attack the backup infrastructure first, deleting backup copies and then encrypting the primary production data.”
However, immutable backups provide a more secure method of protecting an enterprise’s storage infrastructure.
“Immutability means data is converted to a write-once, read many times format and can’t be deleted or altered — not by hackers or administrators,” Siddiqui said.
“Snapshots of the data will be taken every 90 seconds, and these snapshots make it possible for you to go back to specific points in time before an attack and recover entire file systems in a matter of minutes. As a result, even if a cyberattack is successful, your information will be quickly and easily recoverable to a very recent point in time.”
Secure backups are an important protective measure in case an attacker slips through the cracks of an organization’s infrastructure to breach its NAS systems. Although backups won’t stop some more advanced attacks, like double-extortion ransomware attacks, they’re still a critical part of an enterprise storage infrastructure. No business should neglect strong backup technology and plans; these may help them rebuild after multiple cyberattacks.
Learn more about the benefits of immutable backups.
Read more about network-attached storage security.
Why should I secure my NAS?
Securing data at rest is just as important as securing data in transit. NAS systems often hold older data, like company files, which may have confidential business details and personally identifiable customer information. Attackers might view business NAS systems as an easy target, because they’re often manufactured with default credentials that are easy to hack.
Although security may require enterprises to implement additional tools, like installing an identity and access management (IAM) solution, NAS security is always worthwhile. Companies that invest in a comprehensive NAS storage security infrastructure now will reap benefits in the future, including a strong reputation for protecting their customers’ data.
Learn more about the importance of securing NAS systems next.
Securing storage environments requires organizations to create a comprehensive security strategy for all their storage solutions, including NAS systems where files are stored long-term. Although developing a consistent, thorough security plan takes months or even years of commitment, it’s critical for businesses that want to cultivate trust with customers and design a broader culture of data protection.
NAS security includes creating strong passwords and protecting credentials, keeping all network components updated, and thoroughly training employees to recognize vulnerabilities. By preparing storage systems for both internal and external threats, businesses can more effectively develop a strong security infrastructure.