It was only a matter of time before ransomware attackers started targeting NAS devices, popular edge appliances used by enterprises and consumers alike for critical file and backup storage.
The NAS attacks began in June and focused mostly on QNAP devices, and then shifted gears toward Synology appliances in July, targeting a flaw in the company’s Linux-based management platform.
But no matter if you’re using QNAP, Synology, or any other NAS, there are a few ways to ensure your device isn’t the next one held for ransom.
What to Know About NAS and Ransomware
First, some background on NAS. Not all NAS devices are built with the same focus on security. Consumer-oriented NAS brands such as the recently attacked QNAP and Synology have a reputation for being less security-minded than enterprise NAS vendors such as NetApp, Dell EMC and CTERA.
Enterprise NAS vendors obviously charge a premium, but this reflects the higher engineering costs that come from following strict and methodical development processes. Selling products to the enterprise and government markets means meeting strict security requirements, including specific regulations on the vendor’s software development lifecycle and operating practices, which allows you as a buyer to be more confident that your NAS vendor has security high on its list of priorities.
As the leading provider of cloud-enabled NAS devices, CTERA is very familiar with building secure and compliant edge appliances for enterprises. Based on our experiences working with the world’s most security-conscious organizations, here are some questions you should ask your NAS vendor as you evaluate your current security model:
- Are you performing periodic security assessments by a third-party penetration testing lab? And if so, can I see your latest report?
- Do you have FIPS certification?
- Do you have reference customers in the U.S. federal and defense branches, or other government agencies?
- Do you have reference customers in the financial sector, such as banks and insurance companies?
- Do you offer an SLA for the time from when a vulnerability is discovered until a security patch is provided?
If your vendor answers “Yes” to all of these questions, you can be much more confident that security was a design goal rather than an afterthought in the engineering of the product.
Additional NAS Protection Tips
- Ensure your NAS device is regularly updated with the latest firmware. If your NAS vendor offers an automatic updates service, use it.
- Ensure your users choose strong passwords, and require them to rotate their passwords regularly. We recommend using Active Directory, and to avoid using local users on the NAS device as much as possible. In Active Directory it is easy to enforce password complexity and require password rotations.
- Ensure your NAS device is configured to automatically block users who try to guess passwords by “brute force” – the means of attack used against Synology devices – after several failed attempts.
Ransomware protection is a vital component of IT operations. Keep your NAS systems up-to-date and hold your vendors accountable.