Jarkod
Aug 04, 2014 (Guide)
Is ransomware attack on ReadyNAS possible?
Synology NAS servers are under attack of SynoLocker ransomware http://www.cso.com.au/article/551527/synolocker_demands_0_6_bitcoin_decrypt_synology_nas_devices/. Devices are encrypted and the owners a...
xeltros
Aug 06, 2014 (Apprentice)
Managing risk is about:
- reducing the odds
- reducing the duration (if applicable)
- reducing the impact (the gravity)
- reducing the affected devices (the zone)
A risk can be defined as a potential threat (a threat that could become reality). Your job is to list and patch every possible threat to reduce the risks.
As for quantifying unknown risks, that's really hard; most people use statistics, but with no historical basis you can't have reliable approximations. Risk management methods rely on some kind of multiplication of the factors I quoted above. Quantifying known risks is easier, as you already know how often the risk occurs, if it's recurrent, if it affects specific targets (phishing works because people don't know how to identify it; add "this is an attempt to steal your money" in the mail title and only idiots will click, therefore IT guys are less likely to fall in the trap than an 80-year-old grandmother that just got her first computer).
As for your question on how many people know exactly how much risk they take going on the internet, the answer is only a few specialists (if anyone at all). I'm a computer scientist and I can assure you that I don't know half the risks of the internet. All I know is how to avoid common threats and when to be suspicious. The internet is too big to know it all. Knowing everything that could happen would be like knowing all the potential poisons, allergens, interactions with meds, and potential side effects of all possible food (& drink) that exist (or will exist) for a nutritionist.
When something is unknown, you prepare for the worst possible scenario, and for all the other scenarios that cross your mind.
A well designed information system takes everything into account. You will always forget something but since you audit your security every six months and upgrade it every year, at some point the vulnerability will be patched mechanically (sometimes after being exploited, unfortunately).
Security can be considered as an onion because it uses layers.
If you pass from the internet directly to your NAS, you are exposed and rely on the NAS security only. If you add a decent firewall then you block some attacks before they get to the NAS. Then add another firewall from another brand with other technologies; then even if one of the firewalls can be bypassed, the second one should do its job. Then choose to block all unauthorized IP addresses; attacks won't come from blocked addresses. Then use an antivirus (or 10 different ones); viruses should have trouble getting through... Each layer is susceptible to failure, but all the layers simultaneously, if well thought out, should not fail easily. They will fail to a well trained attacker if he is given enough resources and time (it could be hours or centuries depending on your security level). Ultimately your security will always fail you, but the goal is to update it before it does.
Security also includes physical security. If your NAS is overprotected by software but it sits in an open locker in a train station, anyone can figure out how to reset the password and how to steal the NAS...
Hope this is clearer for you.