5 Dropbox Security Warnings For Businesses

What security secrets might an attacker unearth about your business on Dropbox?

The recent "life hack" of journalist Mat Honan has demonstrated the degree to which many technology-savvy consumers have tied together numerous online services, including Gmail, Twitter, Amazon, and Apple iCloud. Due to rampant password reuse, however, attackers have been able to take passwords used on one site, and reuse them to log into a person's account on another site. In the case of Dropbox, that means that any corporate secrets stored there could be easily accessed.

An example of such an exploit came to light this month, owing to a Dropbox employee having stored an unencrypted document on the service that contained Dropbox users' email addresses. An attacker logged into the Dropbox employee's account, using a password that the employee had reused on another--compromised--site, obtained a copy of the document, then used the email addresses to unleash a flood of spam at Dropbox users.

[ What will it take for cloud service providers to get serious about social engineering attack vectors? See Apple, Amazon Security Fails: Time For Change. ]

Given the threat of such attacks, any business with employees that use Dropbox should keep the following five information security essentials in mind:

1. Monitor Dropbox Use

Too many businesses today are turning a blind eye to employees' use of file-sharing services. Accordingly, the first step to getting a handle on the related security concerns is to begin paying attention. "Based on our conversations with business users and IT staff, there is a fair bit more 'Dropbox' and 'Box'-like use out there than many enterprise IT would like or know about," said IDC analyst Richard Villars via email.

What's the risk? "The more we transfer everything onto the Web, onto the cloud, the less we're going to have control over it," warned Apple co-founder Steve Wozniak at a recent event in Washington, reported Agence France-Presse.

2. Compare Cloud Service Security

But many current cloud users don't do their security homework. According to a recent survey of 4,000 business and IT managers recently conducted by Ponemon Institute, which was commissioned by security firm Thales, many business users distrust cloud security, but use the cloud anyway.

"Nearly two-thirds of those that move sensitive data to the cloud regard their service providers as being primarily responsible for protecting that data, even though a similar number have little or no knowledge about what measures their providers have put in place to protect data," according to a report written by Larry Ponemon, chairman of Ponemon Institute. Accordingly, businesses must evaluate whether the cloud services being used by their employees are safe for doing business, and if they're not, which add-ons--or entirely different services--should be used instead.

3. Beware Lackluster Security Cloud Service Practices

Are cloud providers serious about security? Consider that in the Dropbox password breach that came to light this month, the company only reset the passwords of users who were known to have been affected--because their usernames or other credentials had been seen in uploads hackers made to password-cracking forums. But security experts believe that attackers typically excise any passwords they've already cracked from such uploads, as well as edit out duplicates, and they've criticized such services for not resetting all users' passwords.

"LinkedIn made the same mistake a few months ago--they only reset the passwords for the accounts they believed to be affected," said Rob Sobers, technical manager at Varonis Systems, in a blog post. "What did they base this on? The list of hashes that were published by the hackers? Is it beyond the realm of possibility that the attackers might not have published the whole list? They're hackers!"

On the upside, however, in the wake of Dropbox's password breach, the company said that it would be introducing two-factor authentication, alerts whenever it detected odd user behavior, as well as audit logs of user access.4. Treat Dropbox As A Public Repository

Until Dropbox adds those stronger security measures, and all employees adopt them, businesses that use Dropbox should inform employees that anything they upload to the service will be treated as "public"--that is, as if it was published to a public Google Group, Yahoo mailing list, or the like.

"If there's any information you're worried about, you're better off encrypting those files before you upload them. But that adds another layer of work for users, and users are lazy," said the threat intelligence manager for Trustwave SpiderLabs, who goes by "Space Rogue," speaking by phone. "It annoys me that companies rely on third-party services like [Dropbox], but that's the way that businesses are going."

Other security experts agreed with that assessment. "Anything that is really sensitive or extremely valuable or needs to be kept very secret, I wouldn't store on anybody else's servers," said Marco Arment, the creator of Instapaper, on his blog. "That, to me, seems ridiculous unless I held the encryption keys--like with the online backup service that I use."

5. Insider Theft: Can You Detect It?

One of the biggest information-leakage threats facing businesses, besides external attackers, is malicious insiders. Thus, when weighing if and when employees can use Dropbox, ask whether your business would be able to detect information exfiltration while it's happening or after the fact. "As an old IT guy, having my employees use something like Dropbox--where the files are no longer accessible to the IT department--makes me very, very worried. Because as an IT guy responsible for data, I want ... to know that if someone gets fired, I still have access to all of that information," said Trustwave's Space Rogue.

Accordingly, businesses should consider restricting employees to use only centrally managed file-sharing services. "If I was looking to get a third-party file-storing service like that, I'd want to ensure that I had admin access to all of that data," he said.

The only catch, unfortunately, is that instead of being baked in, decent cloud security can be a costly add-on. Dropbox, for example, now offers Dropbox for Teams, which adds centralized administration, better security, as well as Active Directory integration. But the cost of the service starts at $800 per year, for just five users.