Internet of Things Security Issues: Your NAS May Be Vulnerable
When it comes to internet of things security issues, the FBI is getting serious. The FBI recently issued a warning that Internet-connected devices are particularly vulnerable to cybercrime. The alert explained that bad cyber actors are actively searching out and exploiting internet of things (IoT) devices (also called smart devices), especially those with weak authentication, unpatched firmware or other software vulnerabilities, or default usernames and passwords. They are then using the devices as proxies to send spam e-mails, muddle network traffic, mask internet browsing, generate click-fraud activities, and sell or lease IoT botnets to other cyber actors for financial gain, among other malicious activities.
Today, there are more and more types of Internet-connected devices—not only home appliances, but routers, IP cameras, DVRs and network-attached storage, or NAS, devices. While it might seem somewhat unlikely to include NAS devices in the category of potentially targeted systems, it actually makes a lot of sense, says Greg Schulz, senior advisory analyst with StorageIO.
“Even if the networked storage is on a separate network for data access than those used by IoT devices, infected data could get in from a compromised device if an IoT device is set up to access a NAS file, or object and blob storage,” he explained.
In addition, he added, the data, telemetry and metadata from the device can be compromised.
It gets even worse: If an infected file, video, image, object or other telemetry data were stored on a networked storage device, those files could then be spread to others.
To help ensure that NAS devices are safe, the FBI recommends rebooting devices regularly, changing default usernames and passwords, using anti-virus software, ensuring that devices are up to date and that all security patches applied, and ensuring that IoT devices are isolated from other network connections.
Laz Vekiarides, CTO of ClearSkyData, says IT professionals should be very careful about devices that need access to storage. “Make sure that permissions are locked down, and make sure they have credentials that allow access to be tracked,” he advised. And if the data these devices generate is valuable, make sure there are rigorous backup and protection policies in place.
It’s also important to use tools that inspect, analyze current configurations, and assess who and what has access to various folders. Schulz recommends looking for orphaned shares that aren’t supposed to be used anymore yet have unknown activity. And make sure that the management interfaces are secured, verify who has access to specific resources, and, where applicable, integrate with an Active Directory (AD) or similar technology.
As for the future of IoT security and storage, Schulz says vigilance will always be key.
“IoT relies on data, and some IoT devices generate large amounts of data from sensors. IoT devices also rely on getting new software updates that need to be protected and secured, which is where IoT gateways, edge and associated platforms that rely on storage come into play,” he said. “In other words, IoT is a converged server, storage, I/O networking, storage and data protection topic. And threat risks are going to get worse.”