How Organisations Can Secure Their Network Attached Storage (NAS) Systems

There have been increasing instances of attackers targeting organisations' Network Attached Storage (NAS) systems. Upon gaining access, the attackers will either encrypt the files within the network by injecting malware into the compromised network, or delete data stored on the NAS system before leaving a ransom note in the system. Therefore, securing your NAS systems is crucial as it safeguards sensitive data from unauthorised access, ensuring confidentiality and integrity.

Network Attached Storage (NAS) systems are dedicated file storage devices that are connected to a network and provide centralised data storage and retrieval services to clients or other network devices. NAS systems are typically accessed over a local area network (LAN) or a wide area network (WAN) and offer file-based data storage, allowing users to store, manage, and share files and data across the network. These systems are commonly used in both home and business environments to store and manage large volumes of data, such as documents, multimedia files, backups, and other critical information.

NAS devices are often equipped with their own operating systems and file systems. Users can connect to a NAS system using client devices such as computers, laptops, smartphones, or tablets, and access files stored on the NAS over the network, providing convenient centralised storage and access to data for multiple users or devices.

Despite their usefulness, NAS systems are vulnerable to various security threats and attacks that can compromise the confidentiality, integrity, and availability of stored data. Attackers may target NAS systems through various means, including:

a. Exploiting known vulnerabilities: Attackers may exploit vulnerabilities in the NAS system's firmware, operating system, or applications to gain unauthorised access or execute malicious code on the device.

b. Brute-force attacks: Attackers may attempt to guess or crack weak passwords used to access the NAS system, either through remote login interfaces or web-based management consoles.

c. Phishing attacks: Attackers may use social engineering tactics, such as phishing emails or malicious links, to trick users into revealing their login credentials or downloading malware onto their systems, which can then be used to compromise NAS devices.

d. Using default configurations: Attackers may exploit default or misconfigured settings on NAS systems, such as using default login credentials or leaving unnecessary services or ports open to gain unauthorised access or conduct attacks.

Once attackers gain access to a NAS system, they may carry out various malicious activities, including encrypting files with ransomware, deleting or modifying data, stealing sensitive information, or using the device as a platform for launching further attacks on other systems connected to the network.

To mitigate the risks associated with NAS systems and prevent unauthorised access or compromise, organisations can implement a range of security measures and best practices. These measures are: 

a. Keep software up-to-date: Install security patches and updates regularly to address known vulnerabilities and protect your NAS system against known threats.

b. Avoid using default port numbers: Avoid opening default port numbers to the internet to minimise the risk of unauthorised access and potential security breaches, as default ports are commonly targeted by attackers scanning for vulnerabilities.

c. Use strong credentials: Avoid using the default login credentials, implement strong authentication methods, such as a strong password policy (i.e. set expiration for passwords and use passwords of at least 12 characters in length, uppercase, lowercase, numbers and special characters) and enable multi-factor authentication (MFA) whenever possible to enhance the security of NAS system access and prevent unauthorised logins.

d. Implement strict access control policies: Implement granular access controls and restrict user permissions based on roles and responsibilities to limit the scope of potential compromises.

e. Disable unnecessary applications: Uninstall apps or services, such as FTP and SSH, that are not required to reduce the attack surface and minimise the potential for exploitation by malicious actors, as each additional service represents a potential entry point for unauthorised access and security breaches.

f. Implement network segmentation: Segment the network to isolate NAS systems from other critical infrastructure to reduce the attack surface available to attackers.

g. Encrypt sensitive data: Enable encryption for data both in transit and at rest on NAS systems to protect against unauthorised access and data breaches.

h. Institute regular backups: Maintain regular backups of data stored on NAS systems and test backup procedures to ensure data can be recovered in the event of a compromise or data loss incident.

i. Constantly monitoring and logging: Enable logging and monitoring features on NAS systems to track user activity, file access, and other events and detect and respond to suspicious or unauthorised activities promptly.

j. Leverage security applications: Deploy IDS/IPS solutions to detect and prevent unauthorised access attempts, malware infections, and other security threats targeting the NAS system.

k. Raise cybersecurity awareness: Educate users and employees about best practices for NAS system security, including how to recognise and avoid phishing attempts, and encourage them to report any suspicious activities or security incidents promptly.

l. Conduct regular security audits: Conduct regular security audits and vulnerability assessments of the NAS system to identify and remediate potential security weaknesses before they can be exploited by attackers.

By implementing these security measures and adopting a proactive approach to NAS system security, organisations can enhance the resilience of their network storage infrastructure and protect sensitive data from cyber threats and attacks.

If your NAS system was compromised, you are advised to perform the following:

a) Lodge a report with the Singapore Cyber Emergency Response Team (SingCERT) immediately. A report can be made via SingCERT's Incident Reporting Form at https://go.gov.sg/singcert-incident-reporting-form.

b) If you believe your employees’/customers’ PII was compromised, report the incident to PDPC at https://eservice.pdpc.gov.sg/case/db. PDPC has also developed a guide to help organisations manage data breaches.

 

c) Take a screenshot of the ransom note and save the screenshot to keep a record of the information (e.g., Bitcoin address) within for reporting purposes.

 

d) Prevent further unauthorised access to the system by disabling or resetting all the credentials of compromised accounts. If unsure, implement an organisation wide credential reset.

e) Contact your company’s IT department and inform them of the incident. Follow the company’s cyber-incident response plan, if any.

f) If your NAS data was encrypted by ransomware, visit https://www.nomoreransom.org to check if there is a decrpytor for the ransomware variant.

g) Conduct an internal investigation to determine how the incident occurred. Organisations may wish to consider engaging professional services from a cybersecurity provider if the incident occurred because of an intrusion into the company’s system, to properly clean up and remediate the incident.

CSA does not recommend paying any ransom as paying the ransom does not guarantee that compromised data will be recovered. It also encourages the threat actors to continue their criminal activities and target more victims. Threat actors may also see your organisation or you as a soft target and may strike again in the future. 

More information is available here: