Question: Reasonable precautions against Ransomware for NAS backups?

Hi, Probably a noob question, but looking for some guidance
My system has up to now been pretty much at my network periphery.. i.e. anything in my network is open, and in general, I am not open to internet (i.e. I can go out via my router.. but I don't have PnP enabled, and don't have any ports open to come in)

However, I have a couple of apps (TP-Link Deco wireless and my EV charger App, Amazon Alexa which, if compromised.. could compromise my network)
So... what's a REASONABLE level of hardening I should do?
I don't think I would ever fall for a phishing email, but others in my network, not 100% sure..

I do make regular backups.. to my NAS... so I have protection, but ofc, if a ransomware attack gets access and encrypts as well as my machines, I am stuffed.
At the moment, my NAS shares are all open, so maybe I need to shut that down, and secure with specific unique id/pass for the backup Shares on my NAS.

But is that enough? if I secure my Backup NAS shares... will that protect me if I leave the other two shares (a family share for sharing files... and a share for Video films) open? Could a ransomware bot get access to my backup share via them and encrypt ? (my NAS admin access is only by me, with a completely different id/pass from any PC, but is saved in my PC for easy access.. that a problem?).

Not looking for "enterprise" level security (does not seem to have helped M&S and Co-Op recently lol) .. but maybe just ratchet it up a notch.
Not sure I want to go full 3-2-1 level (though I do have that for my most precious "family photos" data)... just "reasonable".

Shout if you have questions (my descriptions are probably severely lacking) and thanks in advance for your guidance.
 
So... what's a REASONABLE level of hardening I should do?
I don't think I would ever fall for a phishing email, but others in my network, not 100% sure..

I do take regular backups.. to my NAS... so I have protection, but ofc, if a ransomware attack gets access and encrypts as well as my machines, I am stuffed.
Multiple backups, at least one of them offline /offsite, or otherwise inaccessible.

A ransomware that infects your PC cannot infect drives and volumes it cannot access.
 
I do take regular backups.. to my NAS... ...................if a ransomware attack gets access and encrypts as well as my machines, I am stuffed.
Turn it off or disconnect it from the network when not in use.

And as already mentioned, in case of fire, flood, or theft, one backup needs to be stored off-site. Cloud storage is one option for this. OneDrive has ransomware detection and recovery built-in for MS 365 subscribers.
 
Multiple backups, at least one of them offline /offsite, or otherwise inaccessible.

A ransomware that infects your PC cannot infect drives and volumes it cannot access.
Turn it off or disconnect it from the network when not in use.

Thanks guys.. but I said I didn't feel I need to go 3-2-1 level.. and turning off the NAS somewhat defeats the object of a NAS that's designed for 24/7 access (so if someone needs access to family files or the media files.. they're always avail and I don't need to turn on PCs etc).

What I do have is a second NAS which is pretty much retired and turned off... but does have historical backups on it.
Maybe I will just turn that on once a month.. update by copying over recent backups.. and turn off again.
As I said, I do have most precious stuff in cloud (in case fire/flood etc).. PCs less important (considering risk of fire and total loss).. I have licence keys passwords in cloud.. so can rebuild from scratch if needed.
 
Ransomware prevention requires some data store that is inaccessible from your actual PC.

How you get there, or what you call it, is up to you.
But anything actually connected is subject to malware or ransomware screwing with it.
Yes.. so my proposal to

What I do have is a second NAS which is pretty much retired and turned off... but does have historical backups on it.
Maybe I will just turn that on once a month.. update by copying over recent backups.. and turn off again.
Should cover that.
 
What I do have is a second NAS which is pretty much retired and turned off... but does have historical backups on it.
Maybe I will just turn that on once a month.. update by copying over recent backups.. and turn off again.
Sure.

My offline/offsite is a couple of drives in a desk drawer at work.
Refreshed quarterly.


Ransomware prevention also requires functioning brain cells. AKA - Don't click on stupid stuff.
 
I don't have my NAS setup where it is accessible from outside the local network. I use a user/pass scheme and have levels of access such as read, read/write (and so on). My biggest vector of intrusion would be someone driving by within wireless range, or someone's phone. So basically if they want a share I put them on a limited access without powers to write, save, and so on.

In addition to this, I typically limit the DHCP (I think I am recalling that correctly) where I only issue so many IP for access. I have to be mindful of this when purchasing new hardware or doing a repair and so on. I chased a no internet issue on a machine one fine afternoon to realize I had run out of leases...duh!
 
I don't have my NAS setup where it is accessible from outside the local network. I use a user/pass scheme and have levels of access such as read, read/write (and so on). My biggest vector of intrusion would be someone driving by within wireless range, or someone's phone. So basically if they want a share I put them on a limited access without powers to write, save, and so on.

In addition to this, I typically limit the DHCP (I think I am recalling that correctly) where I only issue so many IP for access. I have to be mindful of this when purchasing new hardware or doing a repair and so on. I chased a no internet issue on a machine one fine afternoon to realize I had run out of leases...duh!
The question is....Is your NAS directly accessible from any of the PCs in the house?
If so, it is potentially at risk.
 
The question is....Is your NAS directly accessible from any of the PCs in the house?
If so, it is potentially at risk.

Agreed, but the most common case of that would be someone sitting in front of the PC with hands on access. I know for sure that there are some smart folks out there on the web that could access my system and do nefarious things. I probably wouldn't even know if they did if encryption or whatnot didn't occur.

Being realistic I have to consider what gain or benefit a nefarious individual would have doing so in respect to their time and effort. Other than hoping they can skim my card or something there isn't a whole lot of other motivation outside seeing my family pics and so on.

The whole point of having a NAS for many of us is to have access from a PC such that we can listen to our music or watch that show and so on. But I know I am preaching to the choir and for CERTAIN know that you are fully aware of your way around a network as you have given me help before as well. Was merely putting forth the method by which I (feel like) is successful.
 
I don't have my NAS setup where it is accessible from outside the local network. I use a user/pass scheme and have levels of access such as read, read/write (and so on). My biggest vector of intrusion would be someone driving by within wireless range, or someone's phone. So basically if they want a share I put them on a limited access without powers to write, save, and so on.

In addition to this, I typically limit the DHCP (I think I am recalling that correctly) where I only issue so many IP for access. I have to be mindful of this when purchasing new hardware or doing a repair and so on. I chased a no internet issue on a machine one fine afternoon to realize I had run out of leases...duh!
You appear to be similar to me... but as I said in my OP, I do have things like Amazon Alexa/TP-link Deco/MS sign-in and my EV charging device which come into my local network... If they are compromised, my network may be.
Also, as you say, anyone on your local network might click a bad link and let someone in.. (we all like to think we are immune to Phishing links/traps, but best not trust to that).
So as I now plan to do.. having a backup offline will be good security... I did read that some ransomware will remain dormant till it sees your backups.. and then activate for them and all devices... but I don't want to be totally paranoid.. I think my proposals are "adequate" for my risk profile.
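
An added example, not part of any post in this thread: one way to do the monthly refresh of a powered-down second NAS so that a copy of already-encrypted backups never replaces a good one. The paths, the date-style folder labels and the 30% threshold are assumptions chosen for illustration.

```python
import hashlib
import shutil
from datetime import date
from pathlib import Path


def sha256_of(path):
    """Hash a file in 1 MiB chunks so large backup images fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def file_digests(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def changed_ratio(previous, source):
    """Fraction of files in the previous snapshot that are altered or gone in source."""
    old, new = file_digests(previous), file_digests(source)
    if not old:
        return 0.0
    damaged = sum(1 for name, digest in old.items() if new.get(name) != digest)
    return damaged / len(old)


def refresh_offline_copy(source, archive, label=None, max_changed=0.3):
    """Copy source into a new dated folder under archive, leaving older folders alone.

    Assumption: finished backup files are rarely rewritten, so many altered or
    missing files since the last snapshot suggests the share was encrypted.
    """
    source, archive = Path(source), Path(archive)
    archive.mkdir(parents=True, exist_ok=True)
    snapshots = sorted(p for p in archive.iterdir() if p.is_dir())
    if snapshots:
        ratio = changed_ratio(snapshots[-1], source)
        if ratio > max_changed:
            raise RuntimeError(f"{ratio:.0%} of archived files changed or vanished; "
                               "not copying, older snapshots left untouched")
    target = archive / (label or date.today().isoformat())
    shutil.copytree(source, target)  # fails if target exists: nothing is overwritten
    return target
```

Each refresh is a full copy, so old dated folders have to be pruned by hand as the disk fills, and a backup tool that rewrites its files in place will need a higher threshold.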
 
Agreed, but the most common case of that would be someone sitting in front of the PC with hands on access. I know for sure that there are some smart folks out there on the web that could access my system and do nefarious things. I probably wouldn't even know if they did if encryption or whatnot didn't occur.

Being realistic I have to consider what gain or benefit a nefarious individual would have doing so in respect to their time and effort. Other than hoping they can skim my card or something there isn't a whole lot of other motivation outside seeing my family pics and so on.

The whole point of having a NAS for many of us is to have access from a PC such that we can listen to our music or watch that show and so on. But I know I am preaching to the choir and for CERTAIN know that you are fully aware of your way around a network as you have given me help before as well. Was merely putting forth the method by which I (feel like) is successful.
Right. And that's what I use my NAS for.
It holds not only the daily/weekly backups from the PCs, but also the main movie and music libs.

But...if the PC you are using right now gets spanked with ransomware, and spaces on your NAS are a simple mapped drive letter away...those spaces are also subject to getting encrypted.

Various volumes/drives in my NAS are just a drive letter away.
Others, are not.
 
You appear to be similar to me... but as I said in my OP, I do have things like Amazon Alexa/TP-link Deco/MS sign-in and my EV charging device which come into my local network... If they are compromised, my network may be.
If you're worried about this sort of thing the only thing you can really do is isolate the devices (obviously easier said than done for your networking hardware/app) or at the very least put them on their own vlan. None of this is particularly easy to set up and may require hardware you don't have, but once it's set up it's usually good to go though.

I keep putting it off because I don't have much on my network, but for example I have a couple of lights that do require an app to set up. I have an old phone I don't need to have connected on the main network so the options become either using an entirely separate network (assuming one has extra hardware which I do) or assigning all of those devices to a vlan (also requires capable hardware) where they're isolated at the software level.
 