{"id":124484,"date":"2024-07-03T10:38:43","date_gmt":"2024-07-03T14:38:43","guid":{"rendered":"https:\/\/massive.io\/?p=124484"},"modified":"2024-07-03T10:40:52","modified_gmt":"2024-07-03T14:40:52","slug":"securing-your-storage-connection","status":"publish","type":"post","link":"https:\/\/massive.io\/content-security\/securing-your-storage-connection\/","title":{"rendered":"Best Practices For Securing Your Storage Connection"},"content":{"rendered":"
As a video editor or other post-production professional, you probably couldn\u2019t function without your connected storage device. And that\u2019s exactly why it\u2019s so important to secure your storage connection.<\/p>\n
After all, connected storage devices such as network attached storage (NAS) are considered especially juicy targets by cybercriminals. That\u2019s because:<\/p>\n
There are many different types of connected digital storage out there, from cloud storage (such as Amazon S3, Azure Blob Storage, and Google Cloud Storage), to storage area networks (SANs) and on-prem network attached storage (NAS) devices.<\/p>\n
This article focuses on a NAS storage connection behind a consumer office\/home network router that can be accessed from outside the office\/home network. But most of these points around securing your storage connection could apply to any on-prem connected storage.<\/p>\n
The Storage Connection Threat Landscape<\/h2>\n
Security researcher Jacob Holcomb audited NAS devices from 10 different manufacturers back in 2014. The result? All of them contained potentially devastating vulnerabilities.<\/p>\n
While connected storage security has undoubtedly improved since then, connected storage devices continue to suffer widespread attacks:<\/p>\n
The dangers of leaving ports open<\/h3>\n
Hackers don\u2019t necessarily need to exploit a vulnerability to get into your system or storage account if you don\u2019t take the right precautions.<\/p>\n
Opening or forwarding ports on your router to allow remote access to connected storage can be a big risk, for example.<\/p>\n
Botnet attacks on NAS storage devices are very common. And if those botnets find an open port used by your NAS or other connected storage, they\u2019ll almost certainly try to brute force their way in to steal your admin credentials (and then either steal or encrypt your data for ransom).<\/p>\n
And if you leave a port open while using your storage device\u2019s default \u201cadmin\u201d account, it\u2019s much easier for attackers to conduct a successful brute force attack since they don\u2019t have to guess your account username (more on this later).<\/p>\n
Connected storage experts say there has been a noticeable uptick in these kinds of attacks on NAS devices over the past few years. That\u2019s why it\u2019s imperative to check and update your NAS security at least once a year.<\/p>\n
How to Secure Your Storage Connection<\/h2>\n
Along with standard cybersecurity stuff such as using complex passwords (passphrases are better) and keeping systems patched and up to date, what else can you do to secure your storage connection and keep your file uploads safe?<\/p>\n
After all, securing and maintaining your own connected device involves a lot more responsibility than a Google Cloud Storage connection, for example.<\/p>\n
Before you do anything else, you should:<\/p>\n
Here\u2019s a list of other measures you can take to lock down your storage connection as part of your data management best practices.<\/p>\n
Keep your network secure<\/h3>\n
Let\u2019s start with the basics: Keeping your home or office network secure is imperative, since that\u2019s where your connected storage probably resides. Always keep your router, firewall, and other network devices relatively new, up to date, and configured with fresh passwords.<\/p>\n
To secure your router, first find your router\u2019s IP address. Type it into your browser\u2019s address bar. From there you can log in to your router and add all kinds of useful security configurations, such as:<\/p>\n
You can also update your password (and change the current user name on your router from the default \u201cadmin\u201d) while you\u2019re logged in.<\/p>\n
Speaking of changing usernames\u2026<\/p>\n
Disable your storage device\u2019s admin account<\/h3>\n
Most connected storage devices default to the username \u201cadmin\u201d out of the box. You should change this immediately. That\u2019s because hackers know that admin is a common default username, and try to take advantage of that with brute force attacks.<\/p>\n
Watch this video for an example of what can happen when a Synology NAS user leaves ports 5000 or 5001 open: Thousands of login attempts from unknown entities within a short timeframe, all using the username \u201cadmin\u201d.<\/p>\n
To disable the admin account, simply create a new account with admin privileges that isn\u2019t called admin. Then, deactivate the original admin account. This will help weather a large number of brute force attacks.<\/p>\n
Enable IP and username blocking<\/h3>\n
Many connected storage devices, such as those from Synology or QNAP, come with auto block functionality that blocks a specific IP if the NAS detects too many failed login attempts at once.<\/p>\n
Most devices also allow the customization of auto block rules. For example, you can configure it to block an IP address after 10 failed attempts within five minutes.<\/p>\n
\ud83d\udca1 Note: To ensure you don\u2019t accidentally lock yourself out of your own NAS, you can configure auto blocking to unblock an IP address after a specific amount of time.<\/p>\n
Synology and QNAP NAS devices also offer account protection functionality to monitor (and eventually block) repeated login attempts from the same username. Or companies can use Fail2Ban, an intrusion prevention daemon that guards against brute force attacks by banning IPs that generate multiple failed attempts.<\/p>\n
Blocking a username can be more effective in mitigating botnet attacks than IP blocking. That\u2019s because botnets are able to cycle through thousands of IP addresses from infected machines.<\/p>\n
Use 2FA or adaptive MFA<\/h3>\n
It should go without saying that if you have the option to enable two-factor (2FA) or multi-factor authentication (MFA) on your device, you should (this goes for pretty much everything). Most NAS devices with 2FA or MFA require a secure USB key or authenticator app to generate a unique code upon login.<\/p>\n
That means that even if a hacker somehow gains access to your username and password, they\u2019ll also need to break into your email or phone to access your connected storage. Most hackers won\u2019t bother to do this (unless they have specifically targeted you).<\/p>\n
Indeed, enabling 2FA can be particularly effective because many hackers focus on soft targets that don\u2019t require much work to penetrate.<\/p>\n
On top of enabling 2FA, some devices allow for adaptive multi-factor authentication\u2014which means anyone trying to log in from an unusual IP address will be automatically asked to provide additional credentials. If you have this option, you should enable it, too.<\/p>\n
Enable NAS firewall and DoS protection<\/h3>\n
NAS and other connected storage devices often come with built-in firewalls, which you absolutely should take advantage of. But some NAS devices don\u2019t proactively turn on their firewalls. Users have to do it manually.<\/p>\n
That said, it\u2019s always a good idea to set up and turn on your NAS firewall.<\/p>\n
If you\u2019re a video editor or post-production professional who only does business with collaborators in certain countries, you can also enable firewall geo-blocking to block anyone from any region you don\u2019t work with. Geo-blocking is typically done by country.<\/p>\n
Because many cyberattacks in the U.S. originate offshore, implementing geo-blocking can reduce the volume of attacks against your storage connection by orders of magnitude.<\/p>\n
Just like setting up your device\u2019s firewall, you should also manually engage denial-of-service (DoS) attack protection on your device.<\/p>\n
Secure your ports<\/h3>\n
Port scanning to detect open ports is the cybersecurity equivalent of jiggling a car door handle to see if the door is open: It\u2019s easy to do, it goes on all the time, and can lead to disaster. One Reddit commenter who monitors port scans on their firewall reported as many as 10 per second.<\/p>\n
That\u2019s why it\u2019s important to:<\/p>\n
Either way, keeping ports open or allowing port forwarding (which allows remote servers to access devices on your private local area network (LAN), which can then lead to attackers taking control of your devices) is inherently dangerous.<\/p>\n
But there are ways you can connect your storage to the web without doing this. When it comes to Synology NAS devices, some security experts recommend using QuickConnect instead of the device\u2019s DDNS connection method, since QuickConnect doesn\u2019t require port forwarding.<\/p>\n
The downside of QuickConnect, though, is that it\u2019s considered extremely slow when exporting a large file or folder to collaborators or clients over the internet.<\/p>\n
Use a VPN<\/h3>\n
One of the most effective ways to secure your storage connections is to use a virtual private network (VPN) to add a layer of encryption to all of your network traffic, making it much more difficult for attackers to get their hooks into your system.<\/p>\n
Most NAS devices even allow users to set up their own VPN server.<\/p>\n
The main downside to using a VPN, however, is that it can be cumbersome to use when working with clients or partners. You probably don\u2019t want to give a client access to your VPN so they can download a large file or folder from your NAS, for example.<\/p>\n
VPNs also aren\u2019t a panacea when it comes to security. They can\u2019t enforce authentication policies or user permissions, and allow remote users to connect from corrupted devices (leaving your network exposed).<\/p>\n
Change the default port number<\/h3>\n
\u201cSecurity by obscurity\u201d has a bad reputation in cybersecurity circles because it isn\u2019t all that effective and can lead to a false sense of security. It is certainly not a strong standalone security technique, but it can have some value when used alongside other more substantial and effective security safeguards.<\/p>\n
That\u2019s why some advise changing the default port number used by your connected storage:<\/p>\n
The main downside to changing port numbers is that users must be aware of any updates or they won\u2019t be able to access the NAS.<\/p>\n
And while attackers can scan and find any port number in use pretty easily, it\u2019s likely they\u2019ll only do that if they\u2019ve targeted you specifically and aren\u2019t just trying the most popular port numbers on a fishing expedition.<\/p>\n
Collect Data Without Opening Ports With MASV Centralized Ingest<\/h2>\n
Securing your storage connection isn\u2019t difficult, but does take a bit of effort and diligence. To secure your connected NAS or other storage devices you should consider:<\/p>\n
Most of the measures above are low-friction and easy to implement, but unfortunately can still leave you at risk from a determined attacker.<\/p>\n
Other techniques, such as using Synology QuickConnect or a VPN, can cause headaches around performance and other variables when sending or receiving large files or datasets.<\/p>\n
MASV Centralized Ingest, on the other hand, allows users to centralize their data ingestion process through a single entry point to any connected storage, either on-premises or in the cloud. It\u2019s a secure, unified entry point to shared storage destinations, helping to lessen the IT and security burden around configuring and managing multiple storage platforms and remote users.<\/p>\n
Connecting your on-premises connected storage to MASV doesn\u2019t require any port forwarding\u2014or the opening of any ports at all. Users can collect files from collaborators using a MASV Portal secure web uploader without granting direct storage or network access. MASV is a Trusted Partner Network (TPN)-verified file transfer service with strong encryption and access management controls, and it\u2019s compliant with ISO 27001, SOC 2, and other data protection regulations.<\/p>\n
With Centralized Ingest you or your IT team can easily define the ingest path and restrict upload access to a single bucket or folder, rather than the entire storage system.<\/p>\n