Earlier this year we warned of fake Dropbox emails that urge users to click on links to documents labeled as “urgent and highly confidential.” Those who followed these instructions were quickly added to the list of victims of a highly effective phishing scheme, as the link redirected to a false log-in page designed to capture user credentials. As our own Alessandro Pooro said at the time, “Dropbox is vulnerable to these common attacks as it was not originally designed with enterprise security in mind.”
It’s no secret that phishing campaigns against Dropbox users have spiked recently as cyber-criminals have identified this as a weak link in the security chain. Sensitive corporate and personal data is often spread throughout these accounts but is not subject to the same protections and level of vigilance as data on the corporate network.
In an effort to combat this, Dropbox has announced that they are turning to USB-based security keys to improve log-in security and better protect users from phishing attempts. Physical security keys are viewed as stronger than smartphone-based two-factor authentication solutions, as the latter still exposes the user to the risk of being directed toward a fake Dropbox site designed to phish both their password and their verification code. However, using this type of file sharing service to share sensitive information is still fraught with risk and uncertainty.
Because information on Dropbox is stored rather than moved, it represents a “soft” target for hackers long after the information has been shared and forgotten about. Instead, users should consider a managed file transfer (MFT) solution that protects sensitive files before, during, and after transfer with guaranteed delivery. With the highest levels of encryption and a range of customization options, MFT is the safest and easiest way to exchange sensitive information.
>> For more information about managed file transfer solutions from Ipswitch, please visit: http://www.ipswitchft.com/moveit-managed-file-transfer.
Be sure to engage with us next month during the Ipswitch Innovate 2015 User Summit, a two-day (October 21-22) online only event for IT professionals to learn from each other, and our product experts.
Over the coming weeks, we will provide a sneak peek into each chapter of the book. Here’s a glimpse at Chapter 1:
There are many different ways to transfer data, but most of them are manual, unmanaged and often insecure:
Email: Although email is the most common and convenient, it is prone to error due to invalid addresses, delivery failures and file size limitations. It’s also not easily tracked or automated.
Physical transport: Physically transporting data with a thumb drive is best used for the casual transfer. Downside: It’s a common vector for virus propagation and isn’t “managed.”
Enterprise file sync and share: Services like Dropbox and other file sync and share solutions are popular ways to share files for collaboration between small groups of people, but they present a juicy target to cyber thieves because they hold large amounts of data from many companies in the same cloud.
File transfer clients and servers: File Transfer Protocol (FTP) is another method that is quite common and may be used explicitly through FTP commands. However, transferring data via FTP is very difficult to automate, secure, track and manage.
A good Managed File Transfer (MFT) system can often replace all the other methods described above, depending on your organization’s needs. MFT is automated and secure: a server (or multiple servers) is configured and used to control transfers to and from people and processes. Using MFT as a single solution allows organizations to lower the risk and cost of moving files across the borderless enterprise. Be sure to check back next week to read more on Chapter 2.
Last week, IT Briefcase published a byline about spring cleaning your Dropbox account. I wrote the piece and thought I’d share it here:
“April is finally here and that means IT teams, like everyone else, will be busy with their spring cleaning projects. While spring cleaning your house is a pretty straightforward endeavor, spring cleaning your files can be a lot more complicated.
IT teams can’t look at their files like they were a box of old clothes; they can’t toss them out if they haven’t been used in a year or more. Regulatory compliance mandates frown on the “toss or keep” approach. When it comes to sensitive data, there are a number of standards and guidelines in place that require IT to ensure that proper procedures were followed for the movement and transfers of this information. The last thing they want to do is leave themselves open for potential penalties during a compliance audit.
Despite best efforts, clutter can accumulate quickly and the longer you put off organizing and sorting through the data, the longer it takes on the backend. This holds true for both physical and digital files. IT teams have limited resources and way too much to do, and the last thing they want to do is clean files out of an EFSS (Enterprise File Synchronization and Sharing) system like Dropbox. But what are the alternatives?
There are a number of methods that IT can implement on the front end to ensure that they aren’t facing a proverbial landslide of files to deal with on the back. One of those options is the use of a managed file transfer (MFT) system. Unlike EFSS products like Dropbox that serve as a repository for files where they sit stagnant, MFT systems move files from one location to another and automate removal after use. This avoids creating an unintended database of files that needs to be sorted through and maintained. IT teams also benefit from having complete reporting capabilities for every file that traverses the system should they need to provide proof in the case of an audit.
Rather than worrying about the status of company files, where they are, where they’ve been and how they got there, IT professionals using managed file transfer systems can focus more time on their to-do lists. Many organizations often reference critical projects that are delayed or are resource constrained based upon the amount of time and budget that is allocated to file transfer. The five projects most often cited are:
Installing critical updates and patches – As most in the IT industry know, more than 60 percent of all breaches can be directly attributed to the failure of an entity to properly update software and patch against known vulnerabilities.
Certifying that compliance standards are being met – Compliance audits continue to be the bane of existence for IT personnel. They are costly, time consuming and resource intensive, blocking the ability of IT to handle other critical projects.
Automating business workflows – Implementing technology that creates efficiencies of scale in the organization can often be the difference between hitting the margin or not. The inability for IT to implement and maintain these systems can have broad effects for the entire company.
Meeting SLAs – If you are in a service-related industry, you understand the importance of service level agreements. Failure to meet them can result in breach of contract and put the business relationship in jeopardy.
Ensuring business continuity – There is no bigger concern for an IT department than ensuring that systems and technology continue to run without interruption. Going dark, even for a brief time, in an IT environment is simply unacceptable.
A managed file transfer system is not a magical cure-all, but it does allow you to focus on more important technical issues rather than spending valuable resources retracing the steps of a lost file. Due to the large fines that now accompany instances of non-compliance, IT and the business can’t afford to take chances. Approaching file transfer through manual methods forces organizations to choose between risk and other critical projects. MFT systems remove this burden and allow IT to focus on the core objectives of the business.”
>>> Ipswitch created 5 Key Must-Haves for File Transfer Compliance to provide a clear framework for organizations seeking to improve their compliance processes and infrastructure in borderless enterprises.
Yesterday Dropbox posted an update at the end of their 10/13 blog that noted their servers were not hacked. Apparently the compromised credentials in question were stolen from a different source. At the end of the day, Dropbox isn’t to blame. The stolen credentials were used to access multiple services, including theirs.
So let’s leave the folks at Dropbox alone. Every organization that holds personally identifiable information (PII) is a target. And I agree with Dropbox’s advice that their users should use unique passwords across different sites and, when possible, add a layer of security to make things a lot safer.
Like everyone else, I just want to keep all my work and personal stuff online safe. So the Dropbox brouhaha got me thinking about how hard it is to remember and manage all my user account names and passwords. I’m a Mac guy and have found Apple iCloud Keychain to be helpful for managing my personal login credentials, but it has limitations.
Identity management in the enterprise world
IT pros who are responsible for security and compliance around managed file transfer and/or file sharing security should work with an identity management provider to evaluate solutions integrated with SAML 2.0. These vendors’ products can provide single sign-on (SSO), data loss prevention and two-factor authentication – any and all of which will add layers of security to protect personal and business information.
At the end of the day, security should be accessible to everyone in the borderless enterprise composed of employees, customers and partners.
In my many travels visiting customers and IT professionals around the world, I ask a simple question: “What do you do when you have to send a file to someone that’s just too big?” They ask me, “How big is big?” I say too big for your email or, even worse, too big for the receiver’s email. These attachments are typically large PowerPoint files, spreadsheets, uncompressed images, media files or even databases. With a sheepish grin people usually tell me they use one of the free email services, like Gmail, MS Live or Yahoo. However, recently the answer has shifted. I’m now being inundated with business users and IT professionals professing their love for cloud services such as Dropbox.
In all fairness, if you look at my iPad (peeling it from my cold dead hands) you will see my Dropbox app and PAID Dropbox account. So it’s unnerving for me to think about the four hours on Sunday when Dropbox left user accounts unlocked and you could access any one of the 25 million users’ accounts and data… including mine. Yep, just type in an email address and use any password you want and it’s all yours.
According to Dropbox there wasn’t any nefarious activity but if YOUR COMPANY’S information was on there – legitimately or illegitimately – you just had a data breach. So I was a breach victim… And if I had any Ipswitch IP on the servers, the breach is extended accordingly. To Dropbox’s credit, their business is all about collaboration and file syncing, not governed file transfer or managed data at rest. In the end, some of these types of Cloud services will eventually get enough of it right to secure their future. Some will last, many won’t.
Regardless, how are you going to handle your data breach this morning? I’m headed over to my boss’s office to explain my brazen disregard for corporate data. He’ll probably buy me a new iPad 2 that’s locked down (wishful thinking) and order IT to set up a more secure way for me to be mobile with my documents (more wishful thinking).
Dropbox’s response is not adequate. It’s not enough for them to bury their head in the sand and say that this security gap is not their problem because it requires a hacker to have physical access to the computer. The very nature of Dropbox leads its users to spread their data and credentials across many more computers. As such, these users are increasing the risk of their information being stolen and their businesses being compromised.
Instead, Dropbox needs to say what steps they are taking to close this security gap. If Dropbox wants to minimize the impact to their business and to increase their presence as a responsible corporate citizen, Dropbox needs to make this security issue theirs to resolve.
Encryption is the best way for Dropbox to proceed right now. Encrypting their configuration files would be the first and best place to start. Second, Dropbox (like Google or my credit card company) should monitor users’ accounts for unusual activity. Whenever they notice a blip or a change in a user’s activity, they should send the user an email or SMS.
Third, no application or user should be given implicit access to a user’s files. All access needs to be explicit. An end user needs to specify each application and user that has permission to view, update, copy or remove their files.
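The second recommendation above (watch each account for activity that departs from its norm and notify the user) is the kind of thing that can be sketched in a few lines. The block below is an added illustration, not Dropbox code or anything from the original post: it runs a simple baseline check over constructed login events and additionally flags a session token that turns up on a second device, which is what a copied client credential file would look like from the server side. The event format and the notification channels are assumptions.

```python
from collections import defaultdict

# Constructed sample login events (user, device id, country, session token);
# not real log data.
EVENTS = [
    ("alice", "dev-laptop-1", "US", "tok-a1"),
    ("alice", "dev-laptop-1", "US", "tok-a1"),
    ("alice", "dev-unknown-9", "RO", "tok-a1"),  # same token from a new device and country
    ("bob", "dev-phone-2", "US", "tok-b7"),
    ("bob", "dev-phone-2", "DE", "tok-b7"),      # known device, new country only
]


def detect_anomalies(events):
    """Return one alert per login that deviates from the user's observed baseline.

    The baseline per user is every device and country seen in that user's earlier
    events; a user's first login only seeds the baseline. A session token that
    appears on a second device is treated as high severity.
    """
    devices = defaultdict(set)
    countries = defaultdict(set)
    token_device = {}  # first device each session token was seen on
    alerts = []
    for user, device, country, token in events:
        reasons = []
        if devices[user]:  # a baseline exists for this user
            if device not in devices[user]:
                reasons.append("new device")
            if country not in countries[user]:
                reasons.append("new country")
        if token_device.setdefault(token, device) != device:
            reasons.append("token reused on another device")
        if reasons:
            severity = "high" if "token reused on another device" in reasons else "medium"
            alerts.append({
                "user": user,
                "device": device,
                "severity": severity,
                "reasons": reasons,
                # Assumed policy: high-severity events page the user on both channels.
                "notify": ["email", "sms"] if severity == "high" else ["email"],
            })
        devices[user].add(device)
        countries[user].add(country)
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(EVENTS):
        print(alert)
```

A real deployment would persist the per-user baseline and age it out rather than rebuild it from a single batch of events.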
As all our transactions become electronic, it’s more important than ever that software vendors treat securing the data, and securing access to it without compromising usability for authorized users, as their number one requirement.