
Western Digital tells its customers to update their My Cloud OS 5 NAS devices


Storage manufacturer Western Digital last week notified its customers that they needed to upgrade to My Cloud OS 5 to access their network-attached storage (NAS) devices remotely.

The company said in a support note that for customers with My Cloud OS 5-compatible devices, after Jan. 15, 2022, it will no longer support prior generations of the My Cloud OS, including My Cloud OS 3. After Jan. 15, 2022, remote access, security updates and technical support will no longer be available for My Cloud OS 3.

For customers with only My Cloud OS 3-compatible devices, Western Digital plans to end all support for prior generations on April 15, 2022. After that date, they will only be able to access the device locally. Western Digital recommends that IT teams back up the device, disable remote access, disconnect it from the internet, and protect it with a strong, unique password.

Western Digital was in the security news earlier this year when it asked customers to disconnect My Book Live hard drives from the internet to prevent malware from wiping them of data. Hackers evidently were taking advantage of a vulnerability first published in 2019. The company stopped supporting the My Book Live drives in 2015 and had not updated its firmware since.

Whether it’s internet-connected hard drives, IP cameras, printers, or the myriad of other IoT devices with known cyber vulnerabilities, managing risk comes down to a security team’s ability to update firmware quickly and remediate vulnerabilities, said Bud Broomhead, CEO at Viakoo.  

“Sadly, many of these devices will remain unpatched due to lack of manpower to physically get to the devices and update them,” Broomhead said. “That’s why the focus must be on making patching IoT devices as automatic as possible.”

Garret Grajek, CEO of YouAttest, said it’s imperative that vendors and customers stay up on the latest releases. As the recent Microsoft Exchange attacks showed, Grajek said, delaying security upgrades is a recipe for cybersecurity disaster.

“As Log4j showed us, even diligent patching and upgrades can leave us vulnerable,” Grajek said. “This is why zero trust and identity governance on key accounts is paramount for enterprise security.”

Saryu Nayyar, CEO at Gurucul, said it makes sense to heed Western Digital’s warning, as without support it’s easier for attackers to find and exploit vulnerabilities.

“Patching and updates are critical parts of the IT maintenance processes to keep devices safe,” Nayyar said.
