File sync and share security slip ups

Are your employees using free file sync and share (FSS) applications to share sensitive enterprise data? If so, the default public setting could be exposing links to your critical data to the whole world.

Free file sync and share (FSS) services such as Dropbox typically come with security and privacy settings set to “public” by default. When a user creates a share link to corporate data, anyone who comes across that link can reach the potentially sensitive information: the link itself is the only credential. Some free FSS apps offer no privacy settings at all, so even a user who wanted to could not change a public link to private in order to protect the data.


Here is one way those share links have escaped into the open. When an intended recipient receives a share link by email, their email client and/or security settings may prevent them from clicking it as a live link. So they copy the link and try to paste it into the address bar of their browser. Many users instead paste it into the search field, which typically submits it to Google, the search engine people use most, as a search query and returns results for that link.

“People are conditioned more and more to put URLs in the search field rather than the URL field. On the iPhone, for example, the search field is the URL field,” says Hugh Thompson, Program Committee Chair, The RSA Conference.

This human error exposed share links because Google automatically collects users’ search terms for its AdWords and Analytics tools, which enterprise customers and Google ad partners use to determine optimal keywords for advertising campaigns. When enterprise FSS provider Intralinks entered the name of its competitor, Dropbox, to see what keywords people use to find it, share links containing the name Dropbox came up in the results. Those share links were live, clickable, open and public, and they led to sensitive data.
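The leak path just described can be watched for at the enterprise’s own egress, before a link ever reaches a keyword tool. What follows is an added example, not code from the article, Intralinks, Dropbox or Google: it scans a constructed, simplified proxy log for requests to search engines whose search term contains an FSS share link. The log lines, client addresses and link tokens are made up; the Dropbox /s/ path form is real, while the other share-link forms and the search-engine query parameters are assumptions for illustration.

```python
"""Detect FSS share links submitted as search-engine queries (added example).

Assumptions (not from the article): a simplified proxy log of the form
"<epoch> <client-ip> <method> <url> <status>", the search-engine hosts and
query parameters listed below, and the non-Dropbox share-link path forms.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Search engines and the query parameter that carries the typed term (assumed).
SEARCH_ENGINES = {
    "www.google.com": "q",
    "www.bing.com": "q",
    "duckduckgo.com": "q",
    "search.yahoo.com": "p",
}

# Share-link shapes. Dropbox's public link form /s/<token>/<filename> is the
# one the article concerns; the Box and Google Drive forms are assumed.
SHARE_LINK_RE = re.compile(
    r"https?://(?:www\.|app\.)?(?:dropbox\.com/s/|box\.com/s/|drive\.google\.com/file/d/)\S+",
    re.IGNORECASE,
)

# Constructed sample log: one normal Dropbox fetch, one user pasting a Dropbox
# share link into Google, one harmless search, one Drive link pasted into DDG.
SAMPLE_LOG = """\
1399300000.101 10.0.0.5 GET https://www.dropbox.com/s/abc123def456/q3-forecast.xlsx?dl=0 200
1399300002.417 10.0.0.5 GET https://www.google.com/search?q=https%3A%2F%2Fwww.dropbox.com%2Fs%2Fabc123def456%2Fq3-forecast.xlsx%3Fdl%3D0 200
1399300010.220 10.0.0.9 GET https://www.bing.com/search?q=dropbox+pricing 200
1399300015.880 10.0.0.12 GET https://duckduckgo.com/?q=https%3A%2F%2Fdrive.google.com%2Ffile%2Fd%2F1AbCdEf%2Fview 200
"""


def share_links_in_search(url):
    """Return share links found in the search term of a search-engine URL.

    Non-search URLs, and searches that contain no share link, yield [].
    """
    parts = urlsplit(url)
    param = SEARCH_ENGINES.get(parts.netloc.lower())
    if param is None:
        return []
    found = []
    for term in parse_qs(parts.query).get(param, []):
        # parse_qs already percent-decodes once; unquote again in case the
        # link was pasted in already-encoded form (double encoding).
        found.extend(SHARE_LINK_RE.findall(unquote(term)))
    return found


def scan_log(text):
    """Return a list of (client_ip, leaked_link) for every leaking search."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line; skip rather than guess
        client, url = fields[1], fields[3]
        for link in share_links_in_search(url):
            findings.append((client, link))
    return findings


if __name__ == "__main__":
    for client, link in scan_log(SAMPLE_LOG):
        print(f"{client} leaked a share link as a search term: {link}")
```

Two caveats for anyone deploying something like this: search engines are served over HTTPS, so a proxy only sees the full query string if it terminates TLS or the log comes from an endpoint agent; otherwise it sees the hostname alone. And the detection is after the fact, since the term has already left the network by the time it is logged; its value is in knowing which links to unshare and which users to retrain.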

This incident raises some questions: Who is responsible? And what, if anything, can the enterprise do to prevent sensitive data from leaking in this way?

Responsibility

According to Richard Anstey, CTO of Intralinks, his company discovered and disclosed this vulnerability to Dropbox (and to Google) in November 2013. Dropbox posted a blog entry addressing these concerns, among others, in May of this year (the part about this vulnerability appears as a single paragraph that starts with “Update [5/6/14]”).

As of this writing, the updated blog entry does not explain how any patch stops Google AdWords campaigns from scooping up shared-link URLs. Nor does it address the live documents already out there, which anyone could have downloaded and re-shared using the share links that Google AdWords retrieved.

But default public settings among free FSS apps are not wholly to blame. Among end users and employees, usability and convenience have trumped security and policy for a long time. It is not uncommon for a small group of employees working together to informally agree to use a free FSS app such as Dropbox for a given project, Thompson notes. “They agree to use it without standardizing on it with IT,” says Thompson.


And people using free FSS apps readily assume that only the people they send their share links to will be able to see and use them. But an astute criminal hacker who knows the default construction of a share link could guess combinations of characters that might appear at the end of a share link URL and try them until a live share link comes up. “That could lead them to sensitive corporate data,” says Thompson. “There have been all kinds of attacks based on the generation of random characters,” Thompson confirms. So this approach would not be anything new.
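How realistic guessing is depends entirely on how much randomness the token at the end of a share link carries. The following added example (not code from the article or from any FSS vendor) puts numbers on that: it models the expected cost of random guessing for a given token alphabet, length, number of live links and guess rate, and shows how a token should be generated so that the attack is infeasible. The alphabet sizes, lengths, link counts and guess rates are assumptions chosen for illustration, not measurements of any real service.

```python
"""Estimate how guessable share-link tokens are (added example, not the
article's or any vendor's code). All figures below are assumed for
illustration; they measure no real service.
"""
import math
import secrets
import string

# Alphabet produced by secrets.token_urlsafe(): base64url, 64 symbols.
URLSAFE_ALPHABET = string.ascii_letters + string.digits + "-_"


def entropy_bits(alphabet_size, length):
    """Bits of entropy in a uniformly random token of this shape."""
    return length * math.log2(alphabet_size)


def expected_guesses(alphabet_size, length, live_links):
    """Expected random guesses (with replacement) before hitting ANY live link.

    Each guess succeeds with probability live_links / alphabet_size**length,
    so the expectation is the reciprocal. More live links make it easier,
    which is why a popular service is a better target than a small one.
    Assumes tokens are uniformly random; sequential or predictable tokens
    collapse the space far below this estimate.
    """
    return alphabet_size ** length / live_links


def expected_seconds(alphabet_size, length, live_links, guesses_per_second):
    """Expected wall-clock seconds at a sustained guess rate."""
    return expected_guesses(alphabet_size, length, live_links) / guesses_per_second


def new_share_token(nbytes=16):
    """Generate a share-link token the right way: CSPRNG, 128 bits, base64url.

    secrets.token_urlsafe(16) yields 22 characters drawn from URLSAFE_ALPHABET.
    """
    return secrets.token_urlsafe(nbytes)


def report(alphabet_size, length, live_links, guesses_per_second):
    """Summarize the guessing cost for one token design (assumed inputs)."""
    seconds = expected_seconds(alphabet_size, length, live_links, guesses_per_second)
    return {
        "bits": round(entropy_bits(alphabet_size, length), 1),
        "guesses": expected_guesses(alphabet_size, length, live_links),
        "years": seconds / (365 * 24 * 3600),
    }


if __name__ == "__main__":
    # Assumed scenario A: 6 lowercase alphanumerics, a million live links,
    # an unthrottled attacker making 100 guesses per second: seconds to a hit.
    print("short token  :", report(36, 6, 1_000_000, 100))
    # Assumed scenario B: 22 base64url characters (128 bits), same million
    # live links, attacker scaled up to a million guesses per second.
    print("128-bit token:", report(64, 22, 1_000_000, 1_000_000))
    print("fresh token  :", new_share_token())
```

The two levers are visible in the model: token length and alphabet are the service designer’s lever, and the guess rate is the operator’s lever (rate limiting and lockout on failed link lookups). Only the first one makes guessing hopeless on its own; a short token protected by throttling alone is still a single-link guess away from exposure when the throttle fails.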

Plugging the hole

According to Anstey, it is unlikely that anyone was deliberately malicious at any stage of this vulnerability, from the end users who turned to the free FSS tool and sent the share links to the recipients who pasted them into the wrong browser field.

The way to mitigate it, then, in addition to tailored policies for this type of service, is thorough, effective and confirmed user education. Effective security training must let the enterprise quiz employees on their understanding and retention of the policy, and the enterprise must have employees sign off on their acceptance of it.

Then add technology to enforce the policy. “Combine network boundaries with policies to ensure sensitive corporate data cannot reach the kind of vulnerability that exists in a free public file sharing service,” says Anstey. Through a combination of education and technology, the enterprise can minimize infractions and justifiably discipline transgressors.


But the underlying issue requires a broader solution. The enterprise needs to realize that employees want and need to work as effectively as possible; that is what leads them to use FSS software. The enterprise should recognize and accept that FSS tools are useful. “It should find a solution, standardize on it, and endorse it,” says Anstey. Select an FSS tool that the enterprise has tested and approved, and make sure the authorized tool is effective, easy to use and satisfying to employees; otherwise they will keep using the tools they favor.

Enlist information lifecycle management in securing data in FSS apps. Determine whether, and for how long, any data should live on the FSS service. Determine when to unshare previously shared data, such as when projects or partnerships end. Consider eDiscovery, since the enterprise must dispose of some data on a set schedule and retain other data for set periods. This limits the surface area of related vulnerabilities, says Anstey.

Toward a more flexible frame of mind

Thompson agrees that enterprises can adopt written policies and enforcement to curb employee use of free FSS apps with corporate data. “Enterprises can use technology to restrict access from the Intranet to websites that the free FSS apps use. And if an employee is out of the office yet connected to the corporate network / Intranet, the enterprise can use cloud tools to lessen the likelihood that people will use these free FSS apps,” says Thompson.

“But, people are trying to get their jobs done,” adds Thompson, and they will use whatever technologies help them meet their goals more quickly. Whereas IT has historically been “the ministry of No!”, setting limits based on company risk, this new environment full of useful apps is forcing IT to become an enabler of these technologies, Thompson asserts.

According to Thompson, enterprises can treat this FSS issue either as a single issue or as part of a larger pattern of similar ones. They can either react to the shortcomings of these apps or accept that such apps are part of the reality of doing business today. Choosing the latter requires recalibrating the security function to serve the business: the enterprise should ask how to enable security in this environment while still allowing people some use of these technologies.


According to Thompson, this is the approach he sees with increasing frequency at the RSA Conference: a move from absolute security to protecting the data as well as possible, accepting that very sophisticated attackers exist and that failures and breaches do occur. “And if failures happen, there are sets of technologies underneath so we can forensically determine what happened and then optimize the enterprise security policy,” Thompson says.

Copyright © 2014 IDG Communications, Inc.
