As a video editor or other post-production professional, you probably couldn’t function without your connected storage device. And that’s exactly why it’s so important to secure your storage connection.
After all, connected storage devices such as network attached storage (NAS) are considered especially juicy targets by cybercriminals. That’s because:
- They often contain very valuable (ie. professional and business) data, which gives victims much more motivation to pay a ransom.
- They’re often not backed up.
- They’re generally easier to compromise than a server managed by IT.
There are many different types of connected digital storage out there, from cloud storage (such as Amazon S3, Azure Blob Storage, and Google Cloud Storage), to storage area networks (SANs) and on-prem network attached storage (NAS) devices.
This article focuses on a NAS storage connection behind a consumer office/home network router that can be accessed from outside the office/home network. But most of these points around securing your storage connection could apply to any on-prem connected storage.
Table of Contents
More Collaboration, Less Configuration
MASV simplifies data ingest by acting as a secure, unified entry point to shared storage destinations.
The Storage Connection Threat Landscape
Security researcher Jacob Holcomb audited NAS devices from 10 different manufacturers back in 2014. The result? All of them contained potentially devastating vulnerabilities.
While connected storage security has undoubtedly improved since then, connected storage devices continue to suffer widespread attacks:
- Synology NAS devices faced attacks back in 2021 and within the past year.
- QNAP devices were targeted in the 2021 Qlocker ransomware attack.
- Western Digital NAS devices were attacked via a remote code execution vulnerability in 2021.
- More recently, it was reported in April that nearly 100,000 D-Link NAS devices contain a backdoor vulnerability.
The dangers of leaving ports open
Hackers don’t necessarily need to exploit a vulnerability to get into your system or storage account if you don’t take the right precautions.
Opening or forwarding ports on your router to allow remote access to connected storage can be a big risk, for example.
Botnet attacks on NAS storage devices are very common. And if those botnets find an open port used by your NAS or other connected storage, they’ll almost certainly try to brute force their way in to steal your admin credentials (and then either steal or encrypt your data for ransom).
And if you leave a port open while using your storage device’s default “admin” account, it’s much easier for attackers to conduct a successful brute force attack since they don’t have to guess you account username (more on this later).
Connected storage experts say there has been a noticeable uptick in these kinds of attacks on NAS devices over the past few years. That’s why it’s imperative to check and update your NAS security at least once a year.
How to Secure Your Storage Connection
Along with standard cybersecurity stuff such as using complex passwords (passphrases are better) and keeping systems patched and up to date, what else can you do to secure your storage connection and keep your file uploads safe?
After all, securing and maintaining your own connected device involves a lot more responsibility than a Google Cloud Storage connection, for example.
Before you do anything else, you should:
- Configure your storage device to use an HTTPS connection, which encrypts network traffic between it and other devices.
- Ensure you have a valid SSL/TSL certificate installed (you can usually obtain and install a certificate via the device’s admin interface).
- Implement backup storage, just in case something bad happens to your data.
Here’s a list of other measures you can take to lock down your storage connection as part of your data management best practices.
Keep your network secure
Let’s start with the basics: Keeping your home or office network secure is imperative, since that’s where your connected storage probably resides. Always keep your router, firewall, and other network devices relatively new, up to date, and configured with fresh passwords.
To secure your router, first find your router’s IP address. Type it into your browser’s address bar. From there you can login to your router and add all kinds of useful security configurations, such as:
- Disabling WPS.
- Enabling HTTPS logins.
- Disabling remote access.
- Enabling WPA2 encryption.
- Updating the firmware.
- Enabling logging just in case something happens.
You can also update your password (and change the current user name on your router from the default “admin”) while you’re logged in.
Speaking of changing usernames…
Disable your storage device’s admin account
Most connected storage devices default to the username “admin” out of the box. You should change this immediately. That’s because hackers know that admin is a common default username, and try to take advantage of that with brute force attacks.
Watch this video for an example of what can happen when a Synology NAS user leaves ports 5000 or 5001 open: Thousands of login attempts from unknown entities within a short timeframe, all using the username “admin”.
To disable the admin account, simply create a new account with admin privileges that isn’t called admin. Then, deactivate the original admin account. This will help weather a large number of brute force attacks.
Enable IP and username blocking
Many connected storage devices, such as those from Synology or QNAP, come with auto block functionality that block a specific IP if the NAS detects too many failed login attempts at once.
Most devices also allow the customization of auto block rules. For example, you can configure it to block an IP address after 10 failed attempts within five minutes.
💡 Note: To ensure you don’t accidentally lock yourself out of your own NAS, you can configure auto blocking to unblock an IP address after a specific amount of time.
Synology and QNAP NAS devices also offer account protection functionality to monitor (and eventually block) repeated login attempts from the same username. Or companies can use Fail2Ban, an intrusion prevention daemon that guards against brute force attacks by banning IPs that generate multiple failed attempts.
Blocking a username can be more effective in mitigating botnet attacks than IP blocking. That’s because botnets are able to cycle through thousands of IP addresses from infected machines.
Use 2FA or adaptive MFA
It should go without saying that if you have the option to enable two-factor (2FA) or multi-factor authentication (MFA) on your device, you should (this goes for pretty much everything). Most NAS devices with 2FA or MFA require a secure USB key or authenticator app to generate a unique code upon login.
That means that even if a hacker somehow gains access to your username and password, they’ll also need to break into your email or phone to access your connected storage. Most hackers won’t bother to do this (unless they have specifically targeted you).
Indeed, enabling 2FA can be particularly effective because many hackers focus on soft targets that don’t require much work to penetrate.
On top of enabling 2FA, some devices allow for adaptive multi-factor authentication—which means anyone trying to log in from an unusual IP address will be automatically asked to provide additional credentials. If you have this option, you should enable it, too.
Enable NAS firewall and DoS protection
NAS and other connected storage devices often come with built-in firewalls, which you absolutely should take advantage of. But some NAS devices don’t proactively turn on their firewalls. Users have to do it manually.
That said, it’s always a good idea to set up and turn on your NAS firewall.
If you’re a video editor or post-production professional who only does business with collaborators in certain countries, you can also enable firewall geo-blocking to block anyone from any region you don’t work with. Geo-blocking is typically done by country.
Because many cyberattacks in the U.S. originate offshore, implementing geo-blocking can reduce the volume of attacks against your storage connection by orders of magnitude.
Just like setting up your device’s firewall, you should also manually engage denial-of-service (DoS) attack protection on your device.
Secure your ports
Port scanning to detect open ports is the cybersecurity equivalent of jiggling a car door handle to see if the door is open: It’s easy to do, it goes on all the time, and can lead to disaster. One Reddit commenter who monitors port scans on their firewall reported as many as 10 per second.
That’s why it’s important to:
- Leave your ports closed unless absolutely necessary. A basic security practice for secure connections is to close all ports you don’t need for outside communication.
- Take care around which port number you leave open. We already mentioned ports 5000 and 5001; port 22, as well, is popular among attackers because it is associated with the Secure Shell protocol (SSH) and is a default port for remote device connections. That means that like many of the port numbers we’ve already mentioned, it’s subject to more unauthorized login attempts than less popular port numbers.
Either way, keeping ports open or allowing port forwarding (which allows remote servers to access devices on your private local area network (LAN), which can then lead to attackers taking control of your devices) is inherently dangerous.
But there are ways you can connect your storage to the web without doing this. When it comes to Synology NAS devices, some security experts recommend using QuickConnect instead of the device’s DDNS connection method, since QuickConnect doesn’t require port forwarding.
The downside of QuickConnect, though, is that it’s considered extremely slow when exporting a large file or folder to collaborators or clients over the internet.
Use a VPN
One of the most effective ways to secure your storage connections is to use a virtual private network (VPN) to add a layer of encryption to all of your network traffic, making it much more difficult for attackers to get their hooks into your system.
Most NAS devices even allow users to set up their own VPN server.
The main downside to using a VPN, however, is that they can be cumbersome to use when working with clients or partners. You probably don’t want to give a client access to your VPN so they can download a large file or folder from your NAS, for example.
VPNs also aren’t a panacea when it comes to security. They can’t enforce authentication policies or user permissions, and allow remote users to connect from corrupted devices (leaving your network exposed).
Change the default port number
“Security by obscurity” has a bad reputation in cybersecurity circles because it isn’t all that effective and can lead to a false sense of security. It is certainly not a strong standalone security technique, but it can have some value when used alongside other more substantial and effective security safeguards.
That’s why some advise changing the default port number used by your connected storage:
- A Synology NAS, for example, defaults to ports 5000 (for HTTP connections) and 5001 (HTTPS connections). Because of that, hackers looking to breach a NAS often sniff around these ports looking for easy targets.
- If you’re so inclined, you can also change the default port numbers on your router for HTTP (80), HTTPS (443), and SSH (22) connections. You can change your ports to any number between one and 65,535.
The main downside to to changing port numbers is that users must be aware of any updates or they won’t be able to access the NAS.
And while attackers can scan and find any port number in use pretty easily, it’s likely they’ll only do that if they’ve targeted you specifically and aren’t just trying the most popular port numbers on a fishing expedition.
Collect Data Without Opening Ports With MASV Centralized Ingest
Securing your storage connection isn’t difficult, but does take a bit of effort and diligence. To secure your connected NAS or other storage devices you should consider:
- Keeping your network secure.
- Disabling your storage device’s admin account.
- Enabling IP and username blocking.
- Using 2FA or adaptive MFA.
- Changing the default port number.
- Enabling your NAS firewall and DoS protection.
- Securing your ports.
- Using a VPN.
Most of the measures above are low-friction and easy to implement, but unfortunately can still leave you at risk to a determined attacker.
Other techniques, such as using Synology QuickConnect or a VPN, can cause headaches around performance and other variables when sending or receiving large files or datasets.
MASV Centralized Ingest, on the other hand, allows users to centralize their data ingestion process through a single entry point to any connected storage, either on-premises or in the cloud. It’s a secure, unified entry point to shared storage destinations, helping to lessen the IT and security burden around configuring and managing multiple storage platforms and remote users.
Connecting your on-premises connected storage to MASV doesn’t require any port forwarding—or the opening of any ports at all. Users can collect files from collaborators using a MASV Portal secure web uploader without granting direct storage or network access. MASV is a Trusted Partner Network (TPN)-verified file transfer service with strong encryption and access management controls, and that’s compliant with ISO 27001, SOC 2, and other data protection regulations.
With Centralized Ingest you or your IT team can easily define the ingest path and restrict upload access to a single bucket or folder, rather than the entire storage system.
Sign up for MASV and give Centralized Ingest a try today and get 20GB for free.
Connect to NAS Without Opening Ports
Use MASV Centralized Ingest to store data in cloud or connected on-prem storage without opening ports or port forwarding.