
NAS security: How to combat network-attached storage device risks

Network-attached storage devices can present a plethora of security issues to an enterprise. Expert Kevin Beaver explains how to detect and mitigate the risks.

A recent security review of network-attached storage devices revealed that NAS devices were more vulnerable than even home routers, thanks to issues like command injection, buffer overflows and authentication bypasses. What are some of the best ways to combat these NAS security risks?

Plain and simple, you cannot secure what you don't acknowledge. These days, so much attention is given to core applications and external-facing network hosts (often merely in the name of PCI compliance) that many seemingly unimportant network hosts -- including network-attached storage devices -- aren't given the attention they deserve.

I first started seeing and writing about storage security flaws for TechTarget nearly a decade ago. It's a new year with the same old problems. NAS and other storage systems are just like any other network host or Web application; if it has a URL or an IP address, it needs to be tested eventually. In the case of NAS, there's no reason such critical systems should be overlooked -- and there's no reason NAS vendors should still be putting out vulnerable software.

However, the reality is that many storage systems are vulnerable at Layer 7 and below, which means you need to be sure you're at least running network and Web vulnerability scanners, such as Nexpose or Netsparker, to find flaws before hackers do.

In most instances, you'll likely discover you won't be able to resolve the issues on your own. Assuming that's the case, be sure to put the necessary pressure on your vendors so they can fix their own flaws. Otherwise, enterprises should segment these systems as best they can and, where possible, put them under the umbrella of security controls such as Web application firewalls, intrusion prevention systems and security information and event management systems.



This was last published in March 2015
