Network Attached Storage

NETWORK ATTACHED STORAGE (NAS)

NAS stands for Network Attached Storage. Think external hard drive with an Ethernet port that plugs into a router. Two large vendors are Synology and QNAP.

Avoid using the default admin account. First, create a new admin account. Then, either disable the system default admin account, or, make the password for it very long and very random.
Don't allow direct access to the NAS from the Internet. On Synology, that means avoiding QuickConnect. Also, disable UPnP in the router to prevent the NAS from opening ports for itself. My Test your Router page links to many websites that offer tests of the firewall in a router.
If open ports are necessary, do not use the default ports.
If the NAS file system supports snapshots, take the time to get up to speed on the feature. This is a big deal. Speaking of snapshots, consider stepping up to a FreeNAS box from iXsystems that runs ZFS. The Mini is their entry level model.
Chances are the NAS is able to turn itself on and off. If the NAS is off at night, then no data can escape. If data is being stolen during the day, it is more likely to be noticed. Plus, this saves electricity.
As always, disable features not being used; perhaps SSH and Telnet access.
As always, avoid short passwords.
The NAS operating system will have its own security scheme. Create multiple userids, one with full Admin privileges but all the others having a limited set of privileges. This will probably take some trial and error.
If there is lightning in your area, power off and unplug the NAS. No surge protector can stand up to lightning.
In August 2021, I blogged about how I use a router firewall rule to prevent my NAS from making any outbound connections, except for 30 minutes a day: A firewall rule can help block ransomware.

SYNOLOGY

The DSM Auto Block features offers protection from brute force password guessing. After too many bad guesses you can either lock out the IP address where the guesses are coming from, or the userid that the bad guys are trying to log into.
DSM 7 IP address blocking: Control Panel -> Security -> Protection tab
DSM 7 Account Protection: Control Panel -> Security -> Account tab
DSM version 7 supports two factor authentication (2FA)
Most Synology devices support the BTRFS file system. If your does, the Snapshot feature offers protection from ransomware. It is part of the Snapshot Replication add-on package. You need to install the app from the Package Center.
Snapshots are read-only copies of your data and thus protect from ransomware. Snapshots are configured on a folder by folder basis. When enabled, Synology creates Snapshots on a schedule you set. The system allows for a maximum of 1,024 snapshots.
Security Advisor is an app that runs on the NAS.
Synology NAS Security: How to Ensure Data Integrity (against Ransomware, etc.) by Dong Ngo (August 2021). A very long article
What can I do to enhance the security of my Synology NAS? from Synology. Last updated: Oct 13, 2021. For DSM versions 6 and 7.
10 security tips to keep your data safe from Synology. March 12, 2020. Much like the above
Protect Yourself against Encryption-Based Ransomware Undated and somewhat lame.
What network ports are used by DSM services? Needless to day, no date.
Synology Newsroom

QNAP

They finally recommend not using port forwarding and UPnP to open the NAS to the world. Take Immediate Actions to Secure QNAP NAS January 7, 2022
They have both a Malware Remover and a Security Counselor app in their App Center. Keep them up to date and run them periodically.
The Network Access Protection feature offers protection from brute force password guessing
Periodically check this: QNAP Security Advisories
Checkmate Ransomware via SMB Services Exposed to the Internet July 7, 2022

WESTERN DIGITAL

Western Digital (WD) has a poor track record as far as security goes. The articles below illustrate this. Probably best to avoid their NAS devices. Dong Ngo has tested many NAS devices over many years. He recommends Synology.
Western Digital struggles to fix massive My Cloud outage, offers workaround by Sergiu Gatlan for Bleeping Computer. April 8, 2023. The response from WD to this outage has been poor. Affected services: My Cloud, My Cloud Home, My Cloud Home Duo, My Cloud OS 5, SanDisk ibi, SanDisk Ixpand Wireless Charger, and their linked mobile, desktop, and web apps. The outage has prevented users from accessing files stored on their WD NAS devices, as this requires access to the company's cloud services.
March 26, 2023 they discover a network security incident
April 3, 2023 They announce it
April 8, 2023 They provide a workaround so that customers can access their local files
April 11, 2023 still off-line with no estimate for when things will go back to normal
Western Digital's My Cloud goes offline after hack by Mark Hachman for PCWorld April 11, 2023. "WD's My Cloud service remains offline as of April 11, and the company has provided no additional information on when the service will be restored."
Another 0-Day Looms for Many Western Digital Users by Brian Krebs. July 2, 2021. Quoting: "Countless Western Digital customers saw their MyBook Live network storage drives remotely wiped in the past month thanks to a bug in a product line the company stopped supporting in 2015, as well as a previously unknown zero-day flaw. But there is a similarly serious zero-day flaw present in a much broader range of newer Western Digital MyCloud network storage devices that will remain unfixed for many customers who can’t or won’t upgrade to the latest operating system."