A recent security review of network-attached storage devices revealed that NAS devices were more vulnerable than even home routers, thanks to issues like command injection, buffer overflows and authentication bypasses. What are some of the best ways to combat these NAS security risks?
Plain and simple, you cannot secure what you don't acknowledge. These days, so much attention is given to core applications and external-facing network hosts (often merely in the name of PCI compliance) that many of these seemingly unimportant network hosts -- including network-attached storage devices -- aren't given the attention they deserve.
I first started seeing and writing about storage security flaws for TechTarget nearly a decade ago. It's a new year with the same old problems. NAS and other storage systems are just like any other network host or Web application; if it has a URL or an IP address, it needs to be tested eventually. In the case of NAS, there's no reason such critical systems should be overlooked -- and there's no reason NAS vendors should still be putting out vulnerable software.
However, the reality is that many storage systems are vulnerable at Layer 7 and below, which means you need to be sure you're at least running network and Web vulnerability scanners, such as Nexpose or Netsparker, to find flaws before hackers do.
In most instances, you'll likely discover you won't be able to resolve the issues on your own. Assuming that's the case, be sure to put the necessary pressure on your vendors so they can fix their own flaws. Otherwise, enterprises should segment these systems as best they can and, where possible, put them under the umbrella of security controls such as Web application firewalls, intrusion prevention systems and security information and event management systems.