
Firms Must Redefine Cyber Perimeter

The rising business use of cloud services and mobile devices has opened a Pandora’s box of security exposures.

Software as a service (SaaS) tools such as Salesforce.com, Gmail, Office 365 and Dropbox, as well as social media sites such as Facebook, LinkedIn and Twitter, are all being heavily leveraged by companies to boost productivity and collaboration. This SaaS trend also has opened up a whole new matrix of access points for malicious attackers to get deep inside company networks.

Wall Street recognizes that all organizations will have to acknowledge and make decisions on how to mitigate new business risks introduced by cloud services. And big bets are being placed on new technologies to help companies get a handle on these fresh exposures.


ThirdCertainty recently sat down with David Baker, chief security officer at Okta, a cloud identity management vendor that’s one of dozens of security vendors developing cloud security systems. A $75 million round of private investment last fall pushed Okta’s market valuation to more than a billion dollars, vaulting it into so-called “unicorn” status.

Okta’s backers include a who’s who of venture-capital firms that are placing big bets on cybersecurity plays: Andreessen Horowitz, Greylock Partners, Sequoia Capital, Khosla Ventures, Altimeter and Glynn Capital, among others.

Baker talked to us about this particular big bet on cybersecurity tech. The text is edited for clarity and length.

3C: Congratulations on achieving unicorn status.

Baker: Thank you. We have a lot of work to do as a company to continue growing. The problem that we solve is really about enabling companies — enterprises, as well as small, medium and big companies — to adopt the cloud.

3C: How would you frame the big challenge?

Baker: The problem for companies now is that the things I need to access in the cloud bring a whole host of security concerns. I have users working within my four walls, and they have to authenticate into these applications where I have critical business data. It could be information about my company’s source code, or email or all of the files we share. So what’s needed is a secure way of authenticating users into all of those systems.

It also is a challenge to provision that identity into the downstream applications and, just as importantly, to de-provision users. So when a user eventually is transferred to a different group or is terminated, their access has to be disabled. So it’s about managing that identity and also managing the access of that identity to these cloud services.

3C: Lots of employees set up their own Gmail or Dropbox account to be more productive. It sounds like they shouldn’t be doing that?

Baker: Correct. The security piece is knowing what set of tools you want your employees using, and then making sure you have an authentication mechanism in place to enable them to go securely into those cloud-based applications.


3C: The company sets the rules, and its employees should use only the company-sanctioned versions?

Baker: Correct. Users get exactly the version of Dropbox the company wants them to use, not their own personal account. Okta creates a secure connection to that version. The IT administrator can give the employees access to hundreds of apps. Right now, we have connectors to well over 4,000 different applications across the internet.

3C: Seems like we’re extending the traditional network perimeter. It’s not just the on-premises servers and clients that companies have to be concerned with, it’s everything out in the internet cloud that employees might try to use.

Baker: I’ll do you even one better. The perimeter really exists with respect to identity. When I’m sitting at home or in the coffee shop and using my cellphone to get access into an application, I am now the perimeter. So that’s why we like to say, really, identity is the new perimeter.

This article first appeared at Third Certainty.


Use of Cloud Apps Creates Data Leakage

A large U.S. cable television company recently sought to better understand how its employees were using cloud apps to stay productive. Management had an inkling that workers routinely used about a dozen or more cloud file sharing and collaboration apps.


An assessment by CipherCloud showed the employees actually were using 204 cloud services that posed a security risk: 78 cloud storage apps and 126 collaboration apps, many of which included file-sharing functions.

Emerging risk: A major concern for the cable company was that sensitive information about customers and employees could leak unnoticed beyond its network perimeter.

Free cloud file storage makes it convenient to share data quickly and widely. The company learned that sensitive files had been moved into folders accessible to people who should not have had access to the information.

Wider implications: Like many organizations, the cable company routinely stores customer transactions data as well as employee healthcare data covered by HIPAA privacy rules. The rising use of free Web apps by employees has created many more opportunities for data leakage and could lead to sanctions and fines – or, worse, an embarrassing, expensive data breach.

The cable company set up sanctioned accounts with a popular cloud storage service, Box, for employees to use. It also has begun examining other steps it can take to impose tighter controls around sensitive company records.

Excerpts are from ThirdCertainty’s interview with Willy Leichter of CipherCloud. (Answers edited for length and clarity.)

3C: Can you outline how the rising use of cloud apps in the workplace is creating security issues?

Leichter: A typical process is one person sends you something from a Dropbox account, and suddenly you become a Dropbox user. Or, often, departments will say, “OK, we’re going to use Dropbox or Hightail for this particular project,” and it kind of grows department by department. It grows virally.

The challenge is the very nature of the whole file-sharing world. It’s like Swiss cheese. It’s designed to be very easy to share and to open up public links and to let another person in.

That’s where this cable company approached us. They had about a dozen different things they knew about and wanted to standardize.

3C: You found a lot more than a dozen cloud apps in use.

Leichter: We found well over 1,000 cloud apps, what we call shadow IT apps, that they were using. We have about 20 different categories of such apps; it could be software development tools, or it could be social tools. In one category, file-sharing tools, we found more than 120 apps. This one category is probably the most actionable category because file sharing involves sending people documents.

3C: How did this discovery help the cable company?

Leichter: They were trying to do two things. They were trying to standardize on two or three different file-sharing services and use monitoring tools on them. And they also wanted to shut down the worst offenders, which you can do easily enough.

3C: In general, what kinds of malicious or worrisome activity are you seeing in shadow IT?

Leichter: It’s kind of a spectrum. Officially sanctioned apps are being scanned in real time, using tools we and others make. That’s kind of a new world. We can give you all kinds of detail about who’s using all these apps. Then there’s the other 90% of the apps in shadow IT.

Anomalies can be where someone is sending huge amounts of files to some strange apps. Or someone is downloading stuff they shouldn’t be at two in the morning. Or it could be multiple people using the same account from different IP addresses. Someone is logging in from San Jose and then an hour later they’re logging in from Beijing. You can spot a lot of these and take steps to shut them down.
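The "San Jose, then Beijing an hour later" and "one account, many IP addresses" signals Leichter describes can be checked mechanically. The following is an added example, not CipherCloud's tooling: it runs an impossible-travel test and a distinct-IP count over constructed login events (documentation-range IPs, approximate city coordinates).

```python
# Added example: impossible-travel and shared-account checks over constructed login events.
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample events: (account, UTC timestamp, source IP, city, latitude, longitude).
LOGINS = [
    ("alice", "2015-09-01T01:00:00", "192.0.2.10",   "San Jose", 37.34, -121.89),
    ("alice", "2015-09-01T02:00:00", "198.51.100.7", "Beijing",  39.90,  116.40),
    ("bob",   "2015-09-01T09:00:00", "192.0.2.44",   "San Jose", 37.34, -121.89),
    ("bob",   "2015-09-01T17:30:00", "203.0.113.9",  "Denver",   39.74, -104.99),
    ("carol", "2015-09-01T08:00:00", "192.0.2.50",   "San Jose", 37.34, -121.89),
    ("carol", "2015-09-01T10:00:00", "192.0.2.51",   "San Jose", 37.34, -121.89),
    ("carol", "2015-09-01T12:00:00", "192.0.2.52",   "San Jose", 37.34, -121.89),
]

MAX_PLAUSIBLE_KMH = 900.0  # about airliner speed; faster than this is not one traveller


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    r = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


def _by_account(events):
    grouped = {}
    for acct, ts, ip, city, lat, lon in events:
        grouped.setdefault(acct, []).append((datetime.fromisoformat(ts), ip, city, lat, lon))
    for rows in grouped.values():
        rows.sort()
    return grouped


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (account, from_city, to_city, implied_kmh) for consecutive logins of one
    account from different IPs whose implied travel speed exceeds max_kmh."""
    alerts = []
    for acct, rows in _by_account(events).items():
        for (t1, ip1, c1, la1, lo1), (t2, ip2, c2, la2, lo2) in zip(rows, rows[1:]):
            if ip1 == ip2:
                continue  # same address, so not two places
            hours = (t2 - t1).total_seconds() / 3600.0
            km = haversine_km(la1, lo1, la2, lo2)
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append((acct, c1, c2, round(speed)))
    return alerts


def accounts_with_many_ips(events, min_ips=3):
    """Map account -> number of distinct source IPs, for accounts at or above min_ips.
    A single credential seen from many addresses suggests it is being shared."""
    counts = {acct: len({row[1] for row in rows}) for acct, rows in _by_account(events).items()}
    return {acct: n for acct, n in counts.items() if n >= min_ips}


if __name__ == "__main__":
    for alert in impossible_travel(LOGINS):
        print("impossible travel:", alert)
    print("shared-looking accounts:", accounts_with_many_ips(LOGINS))
```

Bob's San Jose to Denver hop over eight and a half hours is well under the speed ceiling, so only Alice is flagged; Carol trips the distinct-IP count instead.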

3C: What else surprised the cable company?

Leichter: One of the things they learned is why people were doing this. For the most part, it was because the company wouldn’t pay for them to use an account. So they were account hopping from one freebie to the next. It was because people just did not want to pay for stuff.

So now the company is trying to steer people to use better practices through outreach and education. And it also is buying them accounts.

Technology Companies to Watch in 2016

Here is a baker’s dozen (plus one) of technology firms that I find exciting or interesting and feel are companies to watch. Some, like Guidewire and Salesforce, I have followed and written about for many years. Others are technology firms I have recently written about (e.g. Clari). Some technology firms are public, and others are private.

Caveats:

  • The following 14 companies to watch (including two pairs of partnerships) are technology firms that I think insurers should be watching or possibly consider whether to use in 2016.
  • I didn’t use any “scientific reasoning” or market share data to include (or exclude) companies. Other than Apple, Google and IBM, I do not own shares in any of the technology firms. (Not that I own enough shares of any of these companies to retire to the beaches of Maui anyway….)
  • By including technology firms on this list, I am in no way implicitly or explicitly saying that I will only follow/research/write about these firms in 2016. That is not the case: I plan to write about other technology firms in 2016.

My personal list of exciting or interesting technology firms

Here is my list in alphabetical order:

  1. Apple-IBM partnership (specifically the insurance industry applications)
  2. Box
  3. CafeX
  4. Clari
  5. Dropbox
  6. Facebook
  7. Google (specifically, Google Compare)
  8. Guidewire
  9. Librestream-Symbility partnership (Symbility is Librestream’s partner to go to market in insurance)
  10. Salesforce
  11. Slack
  12. Vlocity

Going forward

Do with this list what you will.

Next year, I plan to create short snapshots of these firms (or partnerships) in which I discuss why insurers should care about these technology firms.

However, I do suggest that you – whether an insurer or technology firm – create your own watch lists. Add to them, delete from them and otherwise keep your lists (and the reasons you have certain firms on the list) vibrant.

Scammers Taking Advantage of Google

Some 500 million people use Gmail and Google Drive. I’m one of them.

Gmail and Google Drive are wonderful for communicating and collaborating. But it turns out they’re also ideal tools for hacking into your computing device.

Bad guys on the cutting edge have discovered this. And their success so far indicates attacks manipulating Google’s productivity platform, and similarly exploiting other popular cloud-based business tools, are destined to progress.

This development should not come as a big surprise. Cyber criminals are quick to recognize fresh opportunities created by our headlong rush to use cloud services and mobile devices without giving due consideration to security and privacy.

Intelligence about the latest iteration of hacking comes courtesy of security startup Elastica.

Flying under the radar

Researchers at Elastica this summer discovered scammers using Gmail accounts to send messages crafted to fool recipients into downloading corrupted PowerPoint presentations stored on Google Drive. Scammers were thus able to slip the malicious PowerPoint file past malware detection filters.


Another tactic discovered by Elastica involved scammers opening free Gmail accounts from which they sent out spoofed messages tricking recipients into visiting a website they controlled that was hosted on Google’s own servers. Because the bad guys’ website was hosted on Google servers, it was deemed trustworthy, making it easier for them to trick visitors into divulging account logons.

Any hacker can tell you that once you get someone to download a corrupted file, or get them to navigate to a website you control, the rest is comparatively easy. At that point, the target is a half-step away from being owned.

Keys to the (data) kingdom

“In the cloud environment, the username and password become all-powerful; almost all these applications use some sort of username and password as a way to get in,” says Eric Andrews, Elastica’s marketing vice president. “Once you have that, you can do anything you want. You can get all the data. You can get all the files. So a lot of these attacks that are going at the cloud apps are all about trying to get somebody’s username and password.”

These fresh hacking opportunities are being presented not just by Google but by each and every one of the most popular cloud-based email, productivity tools, file-sharing and customer-relationship tools.

“Office365, Dropbox, Salesforce, all of these apps are very, very convenient and have a lot of great business utility,” Andrews says. “But there is this kind of lurking concern. You don’t really know if your company’s data is safe. You don’t know if other people can get to it. This move to the cloud really has a fundamental ripple effect through all security functions.”

Gmail more widely used

In abusing Google’s services, cyber criminals are taking advantage of the fact that Gmail has become a de-facto backup email throughout the business world. It is widely used by well-intentioned workers, in companies of all sizes, who are hustling to work more productively.

No one is surprised anymore to receive an email from the private Gmail account of a supervisor, colleague, partner or customer, or even an administrative message from Google. A trust exists. And this creates a perfect environment for spoofing.

Likewise, free or cheap Google Drive file storage makes for a perfect repository to set up phishing attacks and distribute malicious web links.

In a case recently dissected by Elastica, the bad guys sent phishing emails out to victims who they guessed would have an interest in controversies surrounding Tibet’s Dalai Lama. The enticement: click a link to a corrupted PowerPoint presentation hosted on Google Drive.

Aditya Sood, chief architect at Elastica’s Cloud Threat Labs, describes how the social engineering aspect of the attack then unfolds:

“There are no attachments in the email. Basically, it’s just a direct link to the Google cloud service, which hosts the PowerPoint presentation. When the user retrieves that link, the user won’t be able to view this PowerPoint presentation. So the user then is going to download that file onto the local machine. Once the user opens it on his local machine, the PowerPoint presentation actually extracts two files. One, the INF file, contains a launch code for the second, a GIF file. The GIF file downloads malware to the end user system.”

Gmail and Google Drive are powerful, flexible, reliable, easy to use and free. Yet, it turns out that these are the very characteristics that make them ideal tools for cyber criminals to infect computers. In essence, the bad guys are simply applying infection techniques that proved highly effective in the desktop environment to new opportunities presenting themselves in the cloud environment.

These bad guys no longer have to trouble themselves with creating malicious email attachments, nor do they have to worry as much about spreading tainted Web links that can be quickly detected and blacklisted. And as long as the trust remains high in Gmail, Google Drive, Office 365, Salesforce and other top cloud services, social engineering trickery remains easier than it really ought to be.

“Attackers don’t have to invest too much time or money in gaining credentials or compromising servers to attack people,” Sood says. “They simply create one Gmail account and then, basically, abuse the Google publishing functionality.”

3 Ways to Protect Sensitive Messages

“Delete this email if you are not the intended recipient.”

That and similar language theoretically sounds imposing but essentially does nothing to protect sensitive data from any nefarious actors who view it (though they may get a good chuckle before reading the email).

Yet almost 90% of attorneys surveyed by LexisNexis for a study it published in May 2014 on law firm security acknowledged using email to communicate with clients and privileged third parties. The vast majority of attorneys surveyed also acknowledged the increasingly important role of various file sharing services and the inherent risk that someone other than a client or privileged third party could gain access to shared documents. Yet only 22% use encrypted email, and 13% use secure file sharing sites, while 77% of firms rely on the effectively worthless “confidentiality statements” within the body of emails.

Technology Basics

To explain the right approach, I need to start with some technology basics.

How does email actually work?

By its nature, email is not a terribly secure way to share information. When you send an email, it goes through a powerful, centralized computer called a server on its way to a corresponding email server associated with the recipient’s computer or mobile device. The email passes through any number of servers along the way, like a flat stone skipping across a pond. If that email isn’t encrypted, anyone with access to any one of those servers can read it.

What is encryption?

Encryption is the use of an algorithm to scramble normal data into an indecipherable mishmash of letters, numbers and symbols (referred to as “ciphertext”). An encryption key (essentially a long string of characters) is used to scramble the text, pictures, videos, etc. into the ciphertext. Depending on how the encryption is set up, either the same key (symmetrical encryption) or a different key (asymmetrical encryption) is used to decrypt the data back into its original state (called “plaintext”). Under most privacy and data breach notification laws, encrypted data is considered secure and typically doesn’t have to be reported as a data breach if it’s lost or stolen (so long as the decryption key isn’t taken, as well).

Three Methods to Secure Email

1) Encrypted email. Properly encrypted email messages should be converted to ciphertext before leaving the sender’s computer or mobile device and stay encrypted until they are delivered to the recipient (remaining indecipherable as they pass through each server along the way). This approach is referred to as end-to-end encryption.

Until fairly recently, email encryption has been a somewhat technical and cumbersome process, often requiring both sender and recipient to use matching encryption programs and carefully manage their own encryption keys. Now, there are plenty of encrypted email offerings from larger commercial companies, as well as a number of new and interesting email encryption services that have become available in the wake of disclosures made by Edward Snowden.

When choosing one, be mindful of where the service you use is located (including where the servers handling the emails on the system actually are). Snowden used a well-regarded U.S.-based encrypted email provider called Lavabit. Not long after Snowden’s revelations came to light, federal law enforcement forced Lavabit to secretly turn over the encryption keys safeguarding its users’ private communications. Lavabit’s founder tried to resist but was overwhelmed in federal court. As a result, he shut down the service. Another well-regarded service called Silent Mail followed suit shortly thereafter as it felt it could no longer ensure its customers’ privacy. Both have since relocated to Switzerland and are planning to introduce a new encrypted email service called Dark Mail.

Larger companies offering encrypted email services typically control the encryption keys and will decrypt data before turning it over in response to a warrant or subpoena (including one coupled with a gag order). In addition, email service providers can legally read any email using their systems under Title II of the Electronic Communications Privacy Act, referred to as the Stored Communications Act. Moreover, emails remaining on a third-party server for more than 180 days are considered abandoned. Any American law enforcement agency can gain access to them with a simple subpoena.

Accordingly, if you choose to use a service based in the U.S. or another jurisdiction with similar privacy protections, be mindful of who controls the encryption keys.
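The "stone skipping across a pond" picture and the question of who holds the key can be made concrete in code. The following is an added example, not the author's: a message is encrypted on the sender's side, passed through a chain of hypothetical relay servers, and we record what each hop can read when nobody on the path has the key versus when the email provider itself holds it. The cipher is a deliberately simple HMAC-SHA256 counter-mode construction with an integrity tag, built from the standard library purely to illustrate symmetric end-to-end encryption; it is not a substitute for a vetted library, and key exchange (the hard part the article mentions) is assumed to have already happened.

```python
# Added example: end-to-end encrypted message relayed through several servers.
import hashlib
import hmac
import os

HOPS = ["sender-mail-server", "relay.example", "recipient-mail-server"]  # hypothetical


def _keystream(key, nonce, length):
    """Keystream from HMAC-SHA256 over a counter (CTR-style); illustration only."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Return nonce || ciphertext || tag. Symmetric: the same key decrypts."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Check the tag before stripping the keystream; wrong key or altered data fails."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad key or tampered message")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def rejects(key, blob):
    """True if decrypt() refuses the blob under this key (used to show failure modes)."""
    try:
        decrypt(key, blob)
        return False
    except ValueError:
        return True


def deliver(plaintext, key, hops=HOPS, key_holders=()):
    """Encrypt on the sender's device and relay through `hops`. Returns
    {hop: text that hop can read, or None if it only ever sees ciphertext}.
    Hops named in `key_holders` model a provider that controls the key."""
    blob = encrypt(key, plaintext)          # leaves the sender already as ciphertext
    seen = {hop: (decrypt(key, blob) if hop in key_holders else None) for hop in hops}
    seen["recipient"] = decrypt(key, blob)  # only the key holder at the far end reads it
    return seen


if __name__ == "__main__":
    k = os.urandom(32)
    msg = b"Privileged: draft settlement terms"
    print("end-to-end:", deliver(msg, k))
    print("provider holds key:", deliver(msg, k, key_holders={"sender-mail-server"}))
```

Unencrypted email is the degenerate case where every hop's entry would equal the message; with a provider-held key, that provider's hop reads it while the rest of the path still sees only ciphertext.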

2) Secure cloud storage. Another way to securely communicate or share files with a client or privileged third party is to place communication and files in encrypted cloud storage and allow the client or third party to have password-protected access to them. Rather than a direct email with possible attachments, the client or third party would receive a link to the securely stored data. The cloud service you select should be designed for security. Before you ask: Dropbox and Google Drive would not be suitable options. There are a number of services offering well-protected cloud storage, and it’s important to do your due diligence before selecting one. If it all seems a bit much to figure out, two services I would recommend looking into are Cubby and Porticor.

3) Secure Web portal. A third approach is to place communications and files in a secure portion of your firm’s network that selected clients and privileged third parties can access. As with the secure cloud storage option, the email sent to the client or third party would have a link back to the secure Web portal’s log-in page. An advantage to this approach is that the communications and files do not actually leave your computer network and should be easier to protect.

An additional consideration: A government snoop or competent hacker doesn’t necessarily have to target a message while it’s encrypted. A message that is protected by strong encryption when it’s sent or held in secure cloud storage can still be intercepted and read once it has been opened or accessed using a mobile device or computer that has been compromised. The same holds true for intercepting a message before it’s encrypted initially. What steps can you take to protect yourself? The software on any computer or other device that can potentially access confidential data should be kept as up-to-date as possible. Devices should be protected against possible data loss if they are lost or stolen. And all firm personnel should have regular security awareness training with respect to social engineering and other threats.

At the end of the day, there is no single silver bullet to provide perfect security. But there are genuinely helpful steps that you can take to better protect your electronic communications and keep your sensitive data confidential.