There’s no doubt about it: companies have a much more mobile workforce now than ever before. Mobility has transcended the sales department and is growing more common throughout the entire organization. From marketing to accounting, employees are accessing information from outside the office walls, and with that comes the inherent challenge of how to share data. In a perfect world, everything would be maintained in an environment where access and security could be systematically controlled. Well, today that’s just not realistic. Business moves too fast for some internal systems to keep up. Employees, and even entire departments, are implementing their own solutions to data sharing problems. And with that, unfortunately, come new risks.
Take, for example, the Man in the Cloud attack. Here’s how this one goes down. Your employees have decided they need a cloud-based service to share files. So they sign up with Box, or Google Drive, or Microsoft OneDrive, Dropbox, or similar. Once they sign up, they are able to upload whatever files they would like to share. The online service then adds a token to their machine, allowing them to sync these files from their machines to the cloud provider. And away they go, sharing whatever they need or want. All sounds good, but then, with either a phishing-style attack or a drive-by download (visiting a website that pushes malware to your machine), an attacker easily grabs the user’s token. Then, through some simple decoding, the attacker is able to configure the token on any machine of their choosing, thus allowing them to sync with all of these files. From this point the attacker can do anything from stealing or encrypting the files for ransom, to compromising the data and syncing it back inside your network. Pretty much anything their heart desires.
To further complicate the issue, according to Imperva’s latest Hacker Intelligence Initiative report, some of these services don’t even change the token if you change your password. That means it is extremely hard to kick these attackers out once they get access! Needless to say, this can pose some serious security concerns for any organization. Luckily, there are some things you can do to minimize your risk.
- Involve a technology specialist in your solution planning sessions. Although speed of execution is very important, so is security. Deciding to move fast at the expense of the safety of the business can be disastrous. You need an expert in front of the people and departments that are making these decisions so you can properly address the risk and make sure there are proper controls in place.
- Consider solutions that utilize a central repository of files as opposed to remote syncing. Monitoring and detecting access irregularities is less complicated when the files are completely contained within a single location. If that repository is outside of your location, consider using solutions that have advanced monitoring capabilities.
- Deploy advanced monitoring solutions internally, as well as at your perimeters and on remote devices. Detecting irregular uses of data is the first step in eradicating the issue. If you can detect issues as close to real-time as possible, you’ll minimize some of the impact. If the attack goes unnoticed for a long period of time, the potential damage can be much greater.
- Lastly, Imperva recommends considering a Cloud Access Security Broker (CASB) solution. CASBs monitor the access and usage of cloud-based services. They can help to detect anomalies in the way these online services are used, which can shorten the time it takes your company to respond. The faster you can respond, the less time the attacker has to infiltrate your network, which of course is good.
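To make the monitoring advice above concrete, here is an added example (not code from the original post) of the kind of check a CASB or log pipeline can run: it learns which devices each account normally syncs from, then flags a sync token showing up on an unfamiliar machine, and escalates when that machine is active at the same time as the user's own device, which is what a copied token looks like in practice. The audit-record format, the account and device names, and the IP addresses are all constructed for the example.

```python
"""Spot a cloud sync token being used from an unfamiliar machine.
Added detection example over constructed audit lines; not code from the post."""
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample sync-client audit records (not real data):
# timestamp, account, device id the sync client reports, source IP, action
SAMPLE_LOG = """\
2016-03-01T08:02:11Z alice@example.com LAPTOP-A1 203.0.113.10 sync_down
2016-03-01T08:40:05Z alice@example.com LAPTOP-A1 203.0.113.10 sync_up
2016-03-01T11:30:00Z bob@example.com DESKTOP-B2 203.0.113.22 sync_up
2016-03-03T09:15:42Z alice@example.com LAPTOP-A1 203.0.113.10 sync_down
2016-03-03T09:16:03Z alice@example.com HOST-ZZ9 198.51.100.77 sync_down
2016-03-03T09:21:20Z alice@example.com HOST-ZZ9 198.51.100.77 sync_down
2016-03-03T10:00:00Z bob@example.com DESKTOP-B2 203.0.113.22 sync_down
"""

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, account, device, ip, action = line.split()
        events.append({"ts": _ts(ts), "account": account,
                       "device": device, "ip": ip, "action": action})
    return events

def detect_token_reuse(events, learn_until, overlap=timedelta(minutes=10)):
    """Learn each account's devices from events before `learn_until`, then
    alert once per unseen device that syncs afterwards. The alert becomes
    'concurrent_device' when that device syncs within `overlap` of the user's
    own device: a copied token in use on two machines at the same time."""
    cutoff = _ts(learn_until)
    known, last_seen, alerted, alerts = defaultdict(set), {}, set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct, dev = ev["account"], ev["device"]
        if ev["ts"] < cutoff:
            known[acct].add(dev)
        elif dev not in known[acct] and (acct, dev) not in alerted:
            prev = last_seen.get(acct)
            concurrent = (prev is not None and prev[1] != dev
                          and ev["ts"] - prev[0] <= overlap)
            alerts.append((acct, dev, ev["ip"],
                           "concurrent_device" if concurrent else "new_device"))
            alerted.add((acct, dev))
        last_seen[acct] = (ev["ts"], dev)
    return alerts

def run_sample():
    # Baseline learned from 1 March; alice's HOST-ZZ9 on 3 March is flagged.
    return detect_token_reuse(parse_log(SAMPLE_LOG), "2016-03-02T00:00:00Z")
```

Because the post notes that some providers keep the token valid across a password change, an alert like this should trigger token revocation or re-enrollment of the sync client, not just a password reset.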
The bottom line is that until the large file-sharing providers tighten the authentication methods they use to synchronize files, there is not a ton that can be done to mitigate the risk when using them. Your options are to either stop using these services (bad for employees), or to increase your monitoring and put restrictions in place on the type of data that can be shared on these accounts (meaning nothing confidential or proprietary). Hopefully the big providers make some moves to address this fairly quickly; otherwise, we are still of the opinion that these services are not ready for corporate use.