I can pretty much guarantee that the majority of people in this thread do not keep all their Linux based devices fully patched and up to date. Case in point, routers. All SOHO routers that I know of run a reduced version of Linux and it is not common for people to update their router's firmware.
So before, you asserted that people who use good passwords and don't open their NAS up to WAN access are safe, but now you assert that most people don't maintain the router that keeps the LAN safely isolated.
This feels like an own goal, Colin. You're not making me change my assessment of your security knowledge.
I couldn't locate where I ever said someone was safe. I would avoid making such a claim as it is impossible to achieve. What I believe is that good password hygiene and limiting the attack surface to an internal attack provides a greater security gain than just updating firmware, hurr durr.
Obviously I can't know for certain because I do not know everyone in the thread, but we can assume that general trends hold true. Therefore, if we assume this is true, by your logic everyone's networks are at critical risk of being compromised...
How did you jump from "lots of people never update their router firmware" to EVERYONE has vulnerable routers?
I didn't make that jump, NickZ2016 did. Their logic was if your computer connects to the internet even occasionally then you need to make sure your NAS's firmware is patched else bad things can happen. Using that same logic, it is even worse if you don't patch your router (which many don't) because it is public facing.
Also, you didn't provide a reason for your argument, you just blindly said I was incorrect because I disagreed with you.
Nah, I said that because you made a claim that is so obviously incorrect. Not patching is stupidly unsafe. And security is a multi layered approach. No one in the field would ever propose that having one good layer means you can completely ignore the others.
I am not suggesting that at all. My original statement is that someone doesn't NEED to update their system. If it's kept internal to their home network (as the OP's would be) then it isn't the end of the world if they don't. Of course it is good practice, but as you know security is a trade-off with convenience and that may be a trade-off the OP is willing to accept.
I have to explain to auditors from multiple regulatory organizations 3x/year how I protect customer data at my company. If I told them we don't need to patch because we have a good router in front and rotate passwords often, we'd lose our PCI and FedRAMP certifications and lose a lot of business.
Completely different scenario. If you are working in that environment then I am sure you have many policies and procedures in place for all types of things. I am sure you have honeypots set up, a DMZ and multiple other security measures. Does that mean every single person should replicate this in their home environment?
Your logic was that all NAS (unless air gapped) need to be updated to protect against the various attacks that have occurred. I stated that this isn't accurate and never stated that it isn't good practice to keep your system up to date.
Maybe you should spend more time reading the CVEs....
I admit when I wrote this I was confusing you with a different user in the thread.
StealthWorker was known to target NAS devices by brute forcing accounts with weak passwords. So even if you did have an up to date system, if your password was weak and an internal computer was compromised you were at risk. Firmware update magic bullet: NO
Definitely need to spend more time reading the various attacks on Syn/Qnap devices.
I was pointing out that when the other user stated that EVERY attack on a NAS depended on an unpatched system, this wasn't correct.
BTW, one of the changes that came with firmware updates is stricter password requirements.
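Added example, not written by any poster in this thread: a small defender-side script covering the two points raised above, that weak-password brute forcing against a NAS from a machine inside the LAN shows up in the NAS's own login log even when the firmware is current, and what a stricter password policy check (the kind a firmware update might add) looks like. The syslog-style log format, hostnames, usernames, IP addresses and the short common-password denylist are all constructed for this example and do not come from any real NAS product.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a generic syslog-like format (not real NAS output).
# One LAN host hammers the admin account and then gets in; a second host has
# two ordinary typos minutes apart and then logs in normally.
SAMPLE_LOG = """\
2024-05-01T10:00:01 nas authd: Failed password for admin from 192.168.1.50
2024-05-01T10:00:03 nas authd: Failed password for admin from 192.168.1.50
2024-05-01T10:00:05 nas authd: Failed password for admin from 192.168.1.50
2024-05-01T10:00:07 nas authd: Failed password for admin from 192.168.1.50
2024-05-01T10:00:09 nas authd: Failed password for admin from 192.168.1.50
2024-05-01T10:00:11 nas authd: Failed password for admin from 192.168.1.50
2024-05-01T10:00:13 nas authd: Accepted password for admin from 192.168.1.50
2024-05-01T10:02:00 nas authd: Failed password for alice from 192.168.1.77
2024-05-01T10:09:30 nas authd: Failed password for alice from 192.168.1.77
2024-05-01T10:09:45 nas authd: Accepted password for alice from 192.168.1.77
"""

# Hypothetical line layout assumed for the constructed log above.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ \S+: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>[\d.]+)$"
)


def parse_auth_log(text):
    """Return (timestamp, result, user, ip) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events


def max_failures_in_window(times, window):
    """Largest number of failures that fall inside any sliding window of the given length."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_bruteforce_sources(text, threshold=5, window=timedelta(minutes=1)):
    """Map source IP -> peak failure count for IPs that exceed the threshold in one window."""
    failures = defaultdict(list)
    for ts, result, _user, ip in parse_auth_log(text):
        if result == "Failed":
            failures[ip].append(ts)
    return {ip: n for ip, ts_list in failures.items()
            if (n := max_failures_in_window(ts_list, window)) >= threshold}


def successes_after_burst(text, threshold=5, window=timedelta(minutes=1)):
    """(ip, user) pairs where a login succeeded from an IP that was already brute forcing.

    This is the event worth alerting on: a burst of failures followed by a success
    from the same source is the signature of a weak password being guessed.
    """
    flagged = find_bruteforce_sources(text, threshold, window)
    return sorted({(ip, user) for _ts, result, user, ip in parse_auth_log(text)
                   if result == "Accepted" and ip in flagged})


# Constructed, deliberately tiny denylist; a real deployment would use a large breached-password list.
COMMON_PASSWORDS = {"password", "admin", "123456", "qwerty", "letmein"}


def password_meets_policy(pw, min_length=12):
    """Stricter policy: minimum length, not a well-known password, at least three character classes."""
    if len(pw) < min_length or pw.lower() in COMMON_PASSWORDS:
        return False
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return sum(classes) >= 3


if __name__ == "__main__":
    print("brute-force sources:", find_bruteforce_sources(SAMPLE_LOG))
    print("successful logins after a burst:", successes_after_burst(SAMPLE_LOG))
    for candidate in ("admin", "aaaaaaaaaaaaaaaa", "Correct-Horse-Battery-42"):
        print(f"{candidate!r} meets policy: {password_meets_policy(candidate)}")
```

The sliding-window count is what separates a guessing run from ordinary typos: the second host in the sample fails twice, but seven minutes apart, so it never reaches the threshold. Note that none of this depends on firmware version, which is the point both sides of the thread concede; it only depends on the NAS logging authentication results and on someone looking at them.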
Sure, the firmware update may have introduced a stricter password policy, but this isn't a fix to the root of the problem, which is the type of user that is happy to employ weak passwords. Why do you think that security awareness training is an ongoing thing? Because regardless of the tech put in place, the human is always a very weak link.
https://www.trendmicro.com/en_us/re...-users-NAS-devices-from-evolving-threats.html Many more important things to do to secure your NAS before updating your firmware.
So while I agree that it is good practice, it is not the only thing that will protect your NAS and nor should it be the only thing you do. Well before updating your firmware, a user should follow many other best practices when it comes to security. The first and most basic thing is not exposing it to the internet unless this is a hard requirement of your use case.
Unless it's air-gapped, it risks exposure to the internet when there are Windows users in the network. THAT WAS THE ACTUAL STATEMENT I MADE. If you fall for a malware scheme and they gain control of your desktop, there is no longer any network protection for your NAS.
True, but if someone gains control of your desktop and wants to attack your NAS then a firmware update is going to do little to protect you. Will it add some protection? Sure, possibly but it doesn't completely mitigate the risk.
Your oversimplifying the security of a NAS device to "NAS devices NEED firmware updates" for security, while technically true, is very dangerous advice because those who are less tech savvy will assume that they are secure because they conform to your false narrative.
I don't have any empathy for idiots that create such a strawman. At least you seem to admit now that the need for patching is "technically true." Snort.
No, I do not agree there is a need for patching systems in every single situation. As mentioned previously, if coming at it from a security point of view then yes, it is good practice; however, we often trade security away for convenience. You obviously have experience working with businesses, so you must be aware that part of the way to handle risk is risk retention. And that's my whole point: if the user wants to retain risk then it's not the end of the world, especially if the system is only internal facing.
You are not wrong that if an internal system is compromised then it is possible that the attacker can pivot towards the NAS but even if the NAS was fully updated, there is still that risk.