A recent security review of network-attached storage devices revealed that NAS devices were more vulnerable than even home routers, thanks to issues like command injection, buffer overflows and authentication bypasses. What are some of the best ways to combat these NAS security risks?
Plain and simple, you cannot secure what you don't acknowledge. These days, so much attention is given to core applications and external-facing network hosts (often merely in the name of PCI compliance) that many of these seemingly unimportant network hosts -- including network-attached storage devices -- aren't given the attention they deserve.
I first started seeing and writing about storage security flaws for TechTarget nearly a decade ago. It's a new year with the same old problems. NAS and other storage systems are just like any other network host or Web application; if it has a URL or an IP address, it needs to be tested eventually. In the case of NAS, there's no reason such critical systems should be overlooked -- and there's no reason NAS vendors should still be putting out vulnerable software.
However, the reality is that many storage systems are vulnerable at Layer 7 and below, which means you need to be sure you're at least running network and Web vulnerability scanners, such as Nexpose or Netsparker, to find flaws before hackers do.
In most instances, you'll likely discover you won't be able to resolve the issues on your own. Assuming that's the case, be sure to put the necessary pressure on your vendors so they can fix their own flaws. Otherwise, enterprises should segment these systems as best they can and, where possible, put them under the umbrella of security controls such as Web application firewalls, intrusion prevention systems and security information and event management systems.
Ask the Expert!
SearchSecurity expert Kevin Beaver is ready to answer your application security questions -- submit them now! (All questions are anonymous.)