NAS: What are the potential risks to data security caused by cyber attacks?

Foreword:

This article has nothing to do with any interests, and this article does not carry any academic evaluation, conclusion, or opinion.

The data cited in this article are from third parties, and the source will be indicated when citing.

The views presented in this article are not directed at any manufacturer, organization or individual.

The methods and opinions presented in this article are only based on personal and family environments and may not be applicable to all environments.

Please look at it objectively and rationally.

For people who buy NAS, the most important feature of NAS is that it can store our data safely and stably.

But professional NAS is different from mobile hard disk or independent disk array .

A professional NAS is a set of simple computers with a special system, so as long as it is a computer device exposed to the public network, there is a possibility of data loss due to network attacks.

So today we are talking about what are the security issues with our NAS devices?

How can we avoid or reduce the frequency of attacks?

Source of security problems

There are two main aspects to the security problems of NAS exposed on the public network.

The first aspect is the security problems caused by the design loopholes of our system itself.

The second category is the security issues that arise due to improper use by our users.

Vulnerability of NAS system itself

As long as it is a system, there are more or less loopholes.

These system vulnerabilities can allow malware or network attackers to bypass the identification permissions set by our users and directly damage our NAS.

For example, there are no problems with our gate keys, locks and users, but there is a big loophole in our fence, so the thief bypasses our main gate and destroys our digital assets in a fair and open manner.

The existence of system vulnerabilities is a common problem in currently known systems, rather than a specific problem for a certain system.

You can do some research to find about system vulnerability from the two giants of NAS” Synology and QNAP.

There are also system vulnerabilities for some NAS based on Windows system or Windows Server system.

Windows System Vulnerabilities

Then there are security factors in the NAS system itself, and there are the following two characteristics.

It is difficult for us to find out in time, or to detect the existence of this system loophole (only for ordinary users).

The second is the security risks caused by our system vulnerabilities.

It is difficult to completely avoid the loss of our data through personal security habits.

Recommendations for System Vulnerabilities

1. Try to open the system firmware automatic update, and update the system to the latest version in time.

2. Turn on the automatic update of the system APP to ensure that the software in the system is also the latest version.

3. Enable data cold backup, and save important data in a completely independent copy.

4. Try to avoid opening unnecessary public network services, and try not to download apps that are not used.

5. Try to avoid exposing the system to the public network and use virtual private encrypted network access.

6. Install anti-virus software, update the anti-virus software in time, and enable scheduled scans.

7. Regularly take hard disk snapshots for the storage pool.

8. Important data can be backed up to the cloud or other NAS through the hybrid backup workstation .

It should be noted that our system will grant certain permissions to some APPs, and once these APPs have system vulnerabilities.

Then the permissions possessed by these APPs can be exploited by hackers.

For example, the Q locker incident that broke out recently was escalated through the loopholes in QNAP’s HBS backup component.

Personal usage

It should be noted that as long as it has a public network IP, whether it is DMZ or port forwarding, as long as there are ports exposed to the public network. Then it means that all objects that can access this public IP have the possibility (is possible) to log in to our NAS.

Then our best policy is to try not to let suspicious visitors open our login interface without knowing the existence of our NAS. And our last policy is to try our best to ensure that our username and password are not guessed by suspicious persons.

Secure the login screen

1. Try not to use common ports, or the default ports of the NAS. The number of ports should be as high as possible, and it is best to take random ports.

2. Use enterprise-class routers to prevent port scanning and prevent external network devices from pinging our routers.

3. Open the firewall of the NAS itself, and blacklist all areas that are not commonly used.

Block unauthorized logins

1. Enable strong passwords, weak passwords are forever gods. This strong password not only requires high number of digits, but also requires uppercase and lowercase letters and special symbols as much as possible.

2. Close the default admin or root account.

3. Turn on automatic IP blocking to block suspicious IPs.

4. Turn on account protection, and the account will be temporarily closed due to frequent login failures.

5. Turn on the login failure notification, and take measures as soon as possible when an abnormal situation occurs.

6. Turn on 2-step verification

Good Internet Security Habits

This cybersecurity habit is not just for our NAS but can be used for other security too.

1. Do not use open public WiFi from unknown sources. When we do not use a virtual private encrypted network, or do not turn on https encryption, the information we transmit on the public Internet, even the security key, may be leaked.

2. Don’t enter our passwords on public devices, there is also an eternal god in stealing passwords, and that is keylogging. Although major security manufacturers have launched similar virtual keyboards, or scrambled letters to input, it is naturally the safest to not input.

3. Try not to reuse a set of passwords, many less security conscious, or more niche sites, do not use hash storage (or hash encryption). Once these sites are compromised and our usernames and our passwords are compromised, it’s all in plaintext. We are vulnerable to unauthorized logins by using the same set of passwords.

4. The password should not be related to the ID number or mobile phone number or date of birth. Because we often use this personal information, there are some websites with inadequate security measures, once the information is leaked. Easy to get credential stuffed by hackers

Expert Suggestion:

The NAS manufacturer should add some security functions for consumer-class NAS.

1. No DDOS attack defense switch

This does not mean that QNAP does not have the ability to resist DDOS attacks, but still hopes to add this function switch to the security of the system.

The author himself adopts TP link enterprise-level routing to undertake the anti-DDOS attack function.

Of course, ordinary families are unlikely to suffer from DDOS attacks, this is only for reference and discussion.

2. No password-free login function

In an unsecured public network environment, manually entering a password is obviously unreliable.

3. Too little third-party antivirus software

The system itself comes with free anti-virus software.

The free and open-source anti-virus software does not have real-time protection/real-time scanning.

There is a McAfee security software built into the system, with real-time protection capabilities, and the cost is slightly higher ($25 a year).

Hopefully, vendors can introduce other cheap or free Linux antivirus software, or add built-in real-time defenses.

Data protection should not be underestimated

For each of us/each family. Every bit of our life, every photo, every article, every video. If you look back after many years, you will find that the ta in the photo may have quietly left and returned to the sea of people.