Mark Hickman, chief operating officer, WinMagic

Recently it made the rounds in the media that Dropbox had its passwords hacked in 2012, an incident which may have impacted 68 million users. This Dropbox hack highlights a number of risks for organisations that use Enterprise File Sync and Share (EFSS) solutions, either as their primary storage for corporate data or by allowing employees to place corporate data in their personal accounts.

Many of us use EFSS tools to transport and share files. But how do you know that the files you share are safe? Do you trust the cloud service provider and the security measures they've put in place? How sure are you that these security measures are foolproof?

These questions are all valid for personal use of these services, but they take on a whole new level of importance for those of us responsible for corporate IT policy. Whichever of the questions above you ask, the weakest point of failure is usually the end user, and bad password habits in particular leave individuals and their employers open to risk.

But it's not just the cloud services, or the passwords. Working with files or cloud services through unauthorised hardware such as home computers or mobile devices increases the risk of a company suffering a security breach. Devices off the corporate network are not protected by the same regulatory or corporate IT policies covering encryption, authentication, identity and access management, threat detection, device management, or something as straightforward as password policy.

Employees are, of course, largely just looking for the best and most efficient way of getting a job done, even if they are less aware of, or less inclined to consider, the security implications of using personal cloud storage accounts to move files around. Taking a step back from which cloud services an IT department should or should not authorise, simpler questions need to be asked about the files themselves: Who should be able to move files? Who is allowed to receive them? What protection is in place while those files are on the move and at rest?

We've seen that having information protected by a password alone is simply not enough. Despite educational efforts to help users create unique passwords for each of their accounts, it's human nature to be repetitive, so it's commonplace for users to use the same (or a similar) password across multiple different log-ins. This means that allowing employees to use their personal EFSS accounts for work opens a window that malicious attackers can exploit, and leaves corporate data vulnerable, since it's very possible that the 'shared' password is also being used for other accounts.

As we alluded to earlier, the primary concern should be protecting data at its source. This means knowing what controls govern the way data moves to and from EFSS services, and how it's protected while on that service. Any data that you would fear losing, or that is sensitive in any way, should always be encrypted at the endpoint inside the organisation. Through a policy engine you can also ensure that data leaving the organisation is encrypted at external endpoints, so that access to the files remains completely under the control of the organisation and its centrally controlled encryption key server.

When an organisation keeps control of its keys by encrypting the data before it is ever sent to an EFSS service, then, and only then, are the private keys hidden from, and never accessed by, third-party vendors. In this scenario, if the EFSS provider or a device is ever breached, a business can ensure that its data is still safe from prying eyes.

But there are also other benefits to embracing encryption in this way. If an employee has used a personal cloud service account and then leaves the organisation, access to those encrypted files can be rescinded. Without encryption the user retains access to those files, and the organisation would have no way of removing them from the cloud service, or in fact from any other device. With centrally managed encryption, the user's access can be removed in the policy engine of the software, and the user instantly loses the ability to decipher and read the files.
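To make this architecture concrete, here is an added example in Go; it is not WinMagic's code or any EFSS vendor's API. A hypothetical in-process KeyServer plays the role of the centrally controlled key server and policy engine described above, files are encrypted with AES-256-GCM at the endpoint before anything is uploaded, and revoking a user in the policy engine is enough to make the untouched ciphertext on the cloud service unreadable to them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyServer stands in for the article's centrally controlled key server and policy engine
// (hypothetical; not a real product's API). Keys never leave it; the EFSS stores only ciphertext.
type KeyServer struct {
	keys   map[string]cipher.AEAD // fileID -> AES-256-GCM key, ready to use
	policy map[string]bool        // "fileID\x00user" -> currently authorised
}
func NewKeyServer() *KeyServer { return &KeyServer{map[string]cipher.AEAD{}, map[string]bool{}} }

// Grant and Revoke change access centrally; the ciphertext on the cloud service is untouched.
func (ks *KeyServer) Grant(fileID, user string)  { ks.policy[fileID+"\x00"+user] = true }
func (ks *KeyServer) Revoke(fileID, user string) { delete(ks.policy, fileID+"\x00"+user) }

// EncryptAtEndpoint runs before upload: the key goes to the key server, only nonce||ciphertext goes to the EFSS.
func EncryptAtEndpoint(ks *KeyServer, fileID string, plaintext []byte) ([]byte, error) {
	buf := make([]byte, 32+12) // key || nonce, both from the CSPRNG
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(buf[:32])
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ks.keys[fileID] = gcm
	// The file ID is bound as associated data, so a blob cannot be swapped between files.
	return gcm.Seal(buf[32:], buf[32:], plaintext, []byte(fileID)), nil
}

// DecryptAsUser: the endpoint asks the policy engine for the key, then decrypts locally. A revoked
// user, or anyone who merely breached the EFSS account, is left holding ciphertext only.
func DecryptAsUser(ks *KeyServer, fileID, user string, blob []byte) ([]byte, error) {
	gcm, ok := ks.keys[fileID]
	if !ok || !ks.policy[fileID+"\x00"+user] {
		return nil, errors.New("policy engine: " + user + " is not authorised for " + fileID)
	}
	if ns := gcm.NonceSize(); len(blob) >= ns {
		return gcm.Open(nil, blob[:ns], blob[ns:], []byte(fileID))
	}
	return nil, errors.New("truncated blob")
}
```

Calling EncryptAtEndpoint, Grant, DecryptAsUser, Revoke and DecryptAsUser in that order shows the point: the final call fails even though the blob stored on the cloud service has not changed.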

These are just some of the reasons why it's important that organisations enforce encryption automatically through their security policy. Encrypting at the source may not stop a hacker from gaining access to an employee's EFSS account, but it will prevent the data itself from being disclosed.

You may not be able to remove human error from the variables that affect security, but with the correct application of encryption technology and policy control you can ensure that your data has a final line of defence that will remain when all others fall.

Contributed by Mark Hickman, chief operating officer, WinMagic

Dropbox has subsequently contacted SC to provide its response to the issues raised:

We wanted to provide more clarity around the incident you mention above. The list of email addresses with hashed and salted passwords is real; however, we have had no indication that Dropbox user accounts have been improperly accessed.

Based on our analysis, the credentials were likely obtained in 2012. Dropbox reacted quickly and we emailed all users we believed were affected and completed a password reset for anyone who hadn't updated their password since mid-2012. This reset ensured that even if these passwords were cracked, they couldn't be used to access Dropbox accounts. We maintain the very highest levels of protection for our users by using hashed and salted passwords, which means that they are cryptographically protected and can't be used.

At Dropbox, security is a top priority. We have dedicated security teams that work to protect our services and monitor for compromises, abuse, and suspicious activity. We've implemented a broad set of controls including independent security audits and certifications, threat intelligence, and bug bounties for ethical hackers. In addition, we build open source tools such as zxcvbn, use bcrypt password hashing, and offer Universal 2nd Factor authentication to all users.

We are confident that our security features can keep our customers' data safe, and provide a range of management features through Dropbox Business that allow admins to maintain control.