News

10:02 AM
Connect Directly
RSS
E-Mail
50%
50%

5 Dropbox Security Warnings For Businesses

Recent Dropbox hack showed the risks of storing unencrypted, sensitive information on cloud services. Understand these security points.

What security secrets might an attacker unearth about your business on Dropbox?

The recent "life hack" of journalist Mat Honan has demonstrated the degree to which many technology-savvy consumers have tied together numerous online services, including Gmail, Twitter, Amazon, and Apple iCloud. Due to rampant password reuse, however, attackers have been able to take passwords used on one site, and reuse them to log into a person's account on another site. In the case of Dropbox, that means that any corporate secrets stored there could be easily accessed.

An example of such an exploit came to light this month, owing to a Dropbox employee having stored an unencrypted document on the service that contained Dropbox users' email addresses. An attacker logged into the Dropbox employee's account, using a password that the employee had reused on another--compromised--site, obtained a copy of the document, then used the email addresses to unleash a flood of spam at Dropbox users.

[ What will it take for cloud service providers to get serious about social engineering attack vectors? See Apple, Amazon Security Fails: Time For Change. ]

Given the threat of such attacks, any business with employees that use Dropbox should keep the following five information security essentials in mind:

1. Monitor Dropbox Use

Too many businesses today are turning a blind eye to employees' use of file-sharing services. Accordingly, the first step to getting a handle on the related security concerns is to begin paying attention. "Based on our conversations with business users and IT staff, there is a fair bit more 'Dropbox' and 'Box'-like use out there than many enterprise IT would like or know about," said IDC analyst Richard Villars via email.

What's the risk? "The more we transfer everything onto the Web, onto the cloud, the less we're going to have control over it," warned Apple co-founder Steve Wozniak at a recent event in Washington, reported Agence France-Presse.

2. Compare Cloud Service Security

But many current cloud users don't do their security homework. According to a recent survey of 4,000 business and IT managers recently conducted by Ponemon Institute, which was commissioned by security firm Thales, many business users distrust cloud security, but use the cloud anyway.

"Nearly two-thirds of those that move sensitive data to the cloud regard their service providers as being primarily responsible for protecting that data, even though a similar number have little or no knowledge about what measures their providers have put in place to protect data," according to a report written by Larry Ponemon, chairman of Ponemon Institute. Accordingly, businesses must evaluate whether the cloud services being used by their employees are safe for doing business, and if they're not, which add-ons--or entirely different services--should be used instead.

3. Beware Lackluster Security Cloud Service Practices

Are cloud providers serious about security? Consider that in the Dropbox password breach that came to light this month, the company only reset the passwords of users who were known to have been affected--because their usernames or other credentials had been seen in uploads hackers made to password-cracking forums. But security experts believe that attackers typically excise any passwords they've already cracked from such uploads, as well as edit out duplicates, and they've criticized such services for not resetting all users' passwords.

"LinkedIn made the same mistake a few months ago--they only reset the passwords for the accounts they believed to be affected," said Rob Sobers, technical manager at Varonis Systems, in a blog post. "What did they base this on? The list of hashes that were published by the hackers? Is it beyond the realm of possibility that the attackers might not have published the whole list? They're hackers!"

On the upside, however, in the wake of Dropbox's password breach, the company said that it would be introducing two-factor authentication, alerts whenever it detected odd user behavior, as well as audit logs of user access.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Claudius
50%
50%
Claudius,
User Rank: Apprentice
8/14/2012 | 4:44:55 PM
re: 5 Dropbox Security Warnings For Businesses
Especially for part 4 (and of course for other reasons), it is important to make sure the files uploaded to Dropbox or other cloud storage services are client-side encrypted. Because even if the files will once be available to the public, the public won't be able to decrypt and use the files.
Our free tool cloudfogger ( http://www.cloudfogger.com ) provides that for al major cloud storage services.

Claudius from Cloudfogger
tonypry
50%
50%
tonypry,
User Rank: Apprentice
8/14/2012 | 6:25:57 PM
re: 5 Dropbox Security Warnings For Businesses
To be a proper business cloud service, security must be the fundamental building block in designing the product. Suggesting that you get that in the Dropbox for Teams product by simply adding a 3rd Party product like Okta for Active Directory integration, which adds further to the $800 cost, does not hold true. It provides authentication, but none of the important group policy functions used by IT departments.

Tony
www.exsafe.net
Jason Miller
50%
50%
Jason Miller,
User Rank: Apprentice
8/15/2012 | 4:21:09 PM
re: 5 Dropbox Security Warnings For Businesses
There are other options to use with Dropbox or any cloud service, like secreteSync to add an extra level of encryption, the above points are important- there are options to help protect what is placed in the storage.
John @ FileCatalyst
50%
50%
John @ FileCatalyst,
User Rank: Apprentice
11/20/2012 | 7:29:18 PM
re: 5 Dropbox Security Warnings For Businesses
The B2B file transfer solutions are usually branded under "Managed File Transfer".
There is a number of forums and groups that discuss these issues in depth. Take a look at the LinkedIn Managed File Transfer Group located here http://www.linkedin.com/groups...

There are many vendors that provide software solutions in this space, FileCatalyst is one of these vendors.
sconaty
50%
50%
sconaty,
User Rank: Apprentice
10/15/2013 | 8:22:26 PM
re: 5 Dropbox Security Warnings For Businesses
Another option is http://safeboxapp.com. It also encrypts encrypts your content before it is synced to the cloud by Dropbox.

Unlike some of the other tools mentioned in these comments, Safebox doesn't require you to setup an account (disclaimer, I am on the Safebox development team).
rockinspain
50%
50%
rockinspain,
User Rank: Apprentice
8/13/2014 | 12:08:20 PM
Secure and control the files you share on Dropbox
I think that if you use Dropbox to store professional or personal files and you want to share them with other people, you need an extra tool to prevent unwanted information leakage.

I use Prot-On because i can decide who and when access my documents and track document use.

http://www.prot-on.com
Cartoon
Slideshows
Audio Interviews
Archived Audio Interviews
Jeremy Schulman, founder of Schprockits, a network automation startup operating in stealth mode, joins us to explore whether networking professionals all need to learn programming in order to remain employed.
White Papers
Register for Network Computing Newsletters
Current Issue
Research: 2014 State of the Data Center
Research: 2014 State of the Data Center
Our latest survey shows growing demand, fixed budgets, and good reason why resellers and vendors must fight to remain relevant. One thing's for sure: The data center is poised for a wild ride, and no one wants to be left behind.
Video
Twitter Feed