The Danger of Public Cloud File Sync Applications: 3 Ways to Make Them More Secure
By Frank Butler
Cloud file sync services are quickly becoming a mainstay IT service, and most folks who use a computer are already using or have at least heard of file syncing applications like Dropbox, Box, Google Drive and Microsoft OneDrive. But my bet is most folks have no idea of the risks involved with using public cloud file sync apps. I’m speaking primarily of the latest threat: the relatively easily executed hack called “man-in-the-cloud”.
Man-in-the-cloud attacks, as a report published at the Black Hat conference in Las Vegas this month shows, are usually perpetrated completely without your knowledge and without the hacker ever even needing to know your password. The results are stolen data, corrupted or deleted files, and malware infections to name but a few – including the dreaded Cryptolocker virus. As security company Imperva illustrates in the report, all of this could be done from the attacker’s laptop, without any exploits and without writing any server-side code. And while these types of attacks in previous years were mostly a consumer issue, businesses are increasingly using cloud file sync services in an effort to improve or streamline the sharing of sensitive customer and corporate data.
For you kids keeping score at home, here is how the man-in-the-cloud attack works: It grabs a password token, a small file that sits on your device (PC, tablet, laptop or smartphone) for the convenience of not having to enter your password every time you access the same site over and over. This is usually collected through a previously executed phishing attack (think emails luring you into exposing sensitive info), a virus or malware infection, or a drive-by wireless attack (also relatively easy to execute on poorly protected systems). Once the password token has been obtained, it is very easy for the attacker to masquerade as the actual user. And to make matters worse, the user or account owner is almost completely powerless to defend against this, because a simple password change still leaves the token tied to the user’s device.
There are 3 simple ways to make cloud file sync safer:
- Shy away from cloud file sync apps that use Single Sign On to simplify the password process, as that process is usually part of a third-party integration, making it inherently more risky. It’s amazing how readily we give up security in the name of convenience. Opt instead for file syncing that takes advantage of Active Directory (Windows based) or LDAP (more commonly Linux based but also used in Windows environments). This leverages the security and authentication that you already use every day and simplifies the management process (read: lower TCO).
- Set up notifications for unauthorized access attempts, such as sign-ins from a new computer or from a different geographic location, AND make sure those notifications go to a mailbox that is regularly checked. They don’t do you much good if no one sees the messages. This won’t necessarily prevent a man-in-the-cloud attack, but like the first suggestion, it will go a long way toward shoring up cloud security in general.
- Use your own cloud file sync application. From us. For free.
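The second suggestion above, new-computer and new-location notifications, is the one a defender can actually implement against stolen sync tokens, since the token keeps working after a password change. Here is an added example of that detection logic, written for this page and not code from the original post or from any sync vendor. It keeps a per-account baseline of the devices and countries each account has signed in from, and raises an alert the first time a successful sign-in arrives from a device or country not in that baseline. The log format, field names (`user`, `device`, `country`, `result`) and all the sample events are constructed for illustration; a real sync service's audit log will need its own parser.

```python
"""Added example (not from the original post): flag sync-service sign-ins
from a device or country an account has not used before, which is the
'new computer / new location' notification the post recommends.
All log lines and field names below are constructed for illustration."""
from collections import defaultdict

# Constructed sample of sync-client authentication events, oldest first.
# Fields: timestamp, user, device (the client installation presenting the
# stored token), country of the source IP, outcome.
SAMPLE_EVENTS = [
    "2015-08-10T08:01:00Z user=alice device=LAPTOP-A1 country=US result=ok",
    "2015-08-10T08:05:00Z user=bob device=DESK-B7 country=US result=ok",
    "2015-08-11T09:12:00Z user=alice device=LAPTOP-A1 country=US result=ok",
    # the stored token presented from an unknown machine abroad: the
    # man-in-the-cloud pattern, with no password ever entered
    "2015-08-11T23:40:00Z user=alice device=WKS-9F3C country=RO result=ok",
    "2015-08-12T07:30:00Z user=bob device=DESK-B7 country=US result=ok",
    "2015-08-12T07:31:00Z user=bob device=DESK-B7 country=DE result=ok",
]


def parse_event(line):
    """Parse one 'key=value' log line into a dict; the timestamp is the first field."""
    parts = line.split()
    event = {"timestamp": parts[0]}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def detect_new_access(lines, known=None):
    """Return alerts for successful sign-ins that introduce a device or country
    the account has not been seen with before.

    `known` is an optional baseline: {user: {"device": set(), "country": set()}}.
    The first sighting of an account with no baseline seeds its baseline rather
    than alerting, so an empty baseline does not page on every account's first login.
    """
    seen = defaultdict(lambda: {"device": set(), "country": set()})
    if known:
        for user, attrs in known.items():
            for k in ("device", "country"):
                seen[user][k].update(attrs.get(k, ()))
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("result") != "ok":
            continue  # failed attempts are a different signal; only successes use the token
        user = ev["user"]
        if user not in seen:
            seen[user]["device"].add(ev["device"])
            seen[user]["country"].add(ev["country"])
            continue
        reasons = []
        for k in ("device", "country"):
            if ev[k] not in seen[user][k]:
                reasons.append(f"new {k} {ev[k]}")
                seen[user][k].add(ev[k])  # alert once per new value, not on every repeat
        if reasons:
            alerts.append({"timestamp": ev["timestamp"], "user": user, "reasons": reasons})
    return alerts


def format_notification(alert):
    """Render one alert as the text of the mailbox notification."""
    return f"[{alert['timestamp']}] {alert['user']}: sync sign-in with " + ", ".join(alert["reasons"])


if __name__ == "__main__":
    for a in detect_new_access(SAMPLE_EVENTS):
        print(format_notification(a))
```

Run against the constructed events this produces two notifications: alice's sign-in from a device and country never seen before (the token-theft case), and bob's sign-in from a known device but a new country. A baseline passed in as `known` lets the check start from an existing inventory of enrolled machines instead of learning it from the log, which matters if the log you have already contains the attacker's first use.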
OK – full disclosure: Our free cloud file sync application is built into all of our SIRIS ContinuITy DR and BCP appliances. But now you can have hourly backups with cloud replication and virtualization AND a secure, robust cloud file sync service which – unlike the Dropboxes and Google Drives of the world – remains 100% in your control.