A recent security review of network-attached storage devices revealed that NAS devices were more vulnerable than even home routers, thanks to issues like command injection, buffer overflows and authentication bypasses. What are some of the best ways to combat these NAS security risks?
Plain and simple, you cannot secure what you don't acknowledge. These days, so much attention is given to core applications and external-facing network hosts (often merely in the name of PCI compliance) that many of these seemingly unimportant network hosts -- including network-attached storage devices -- aren't given the attention they deserve.
I first started seeing and writing about storage security flaws for TechTarget nearly a decade ago. It's a new year with the same old problems. NAS and other storage systems are just like any other network host or Web application; if it has a URL or an IP address, it needs to be tested eventually. In the case of NAS, there's no reason such critical systems should be overlooked -- and there's no reason NAS vendors should still be putting out vulnerable software.
However, the reality is that many storage systems are vulnerable at Layer 7 and below, which means you need to be sure you're at least running network and Web vulnerability scanners, such as Nexpose or Netsparker, to find flaws before hackers do.
In most instances, you'll likely discover you won't be able to resolve the issues on your own. Assuming that's the case, be sure to put the necessary pressure on your vendors so they can fix their own flaws. Otherwise, enterprises should segment these systems as best they can and, where possible, put them under the umbrella of security controls such as Web application firewalls, intrusion prevention systems and security information and event management systems.
Ask the Expert!
SearchSecurity expert Kevin Beaver is ready to answer your application security questions -- submit them now! (All questions are anonymous.)