Today's forecast…cloudy with a chance of compromise

Over the past few weeks cloud storage services have been compromised all too regularly, triggered by the hacking of celebrities’ personal photos from Apple’s iCloud service.

Not long after, messaging service Snapchat also fell foul of cyber attackers, with both photos and videos stolen.

Now it's Dropbox's turn to react to what it says is a compromise of another service’s credentials store, which is being used to break into the Dropbox accounts of users who use the same username and password on multiple services.

"A common theme across all of these is clear," observes Christina Goggi, Web Content Specialist, GFI Software. "Is that cloud services are being compromised."

"Does this mean you should not trust cloud services? Pull all your data back down to local storage and cancel your Internet connection? Go off the grid and return to the trees? Of course not."

Speaking to Computerworld NZ, Goggi says cloud services are a major component of our connected lives, and it is not at all true that they are inherently unsafe or vulnerable.

"They are, however, accessible from literally anywhere in the world, so most people should take more precautions with their data than they may be accustomed to," she explains.

Goggi offers seven tips to help both users and organisations use cloud services more securely.

1. Usernames

Most of these services allow, or even require, users to use their email address as their username. While this makes it simple for people to remember their username, it also makes it easy for bad guys to figure out the first half of your credentials.

"If you have the option to use something else, or have multiple email addresses or aliases you can use, it will help make it harder for attackers to determine your username for a particular service," Goggi advises.

"I like to use my email address as my username, so I won’t change this, but it does drive home the next point."

2. Passwords

Use strong, and much more importantly, unique passwords for each service. If you use the same username and the same password across multiple services and one is compromised, an attacker now has access to all your cloud services. This is the exact scenario Dropbox alleges happened to them.

"They were not themselves compromised," Goggi explains, "but some other service was and since users are using the same username and password, that provided attackers with the credentials to access victims’ Dropbox accounts."

According to Goggi, the subset of accounts that was posted online shows an alarming trend - users are frequently using dictionary words for their passwords, making it extremely easy for attackers to compromise accounts.

"Make sure your passwords are not only unique, but also strong," Goggi adds. "Use a mix of uppercase letters, lowercase letters, numbers, and punctuation.

"Consider using a passphrase rather than just a password, which is longer and more complex, but also easier to remember than some random string of characters."

3. Multi-factor authentication

If a cloud-based service offers multi-factor authentication, use it, urges Goggi.

"Many are able to work with mobile phone apps or use SMS messages to your mobile phone, so that before an attacker can compromise your data, they must also have your physical device," she says.

"You may not know that your credentials have been compromised for days or even weeks after the fact, but you will notice your phone is missing within minutes."

4. File encryption

While most cloud services offer encryption, both for network traffic and local storage, they manage that encryption.

As a result, Goggi suggests considering third-party file encryption where you control the keys and keep them stored locally, so that even if your data is stolen, attackers cannot use it because the encryption keys remain with you.

5. Client patching

Most cloud services rely upon client software. That can be an agent installed on your workstation, or the operating system of your phone.

But even those that are purely web browser based still rely upon your browser. "Keeping your client software up to date helps to ensure that your machine is not the source of a compromise," Goggi adds.

6. Policy and availability

For organisations, Goggi believes there are "legitimate concerns" about storing data in cloud-based services, especially consumer-oriented services.

"Users want to use these services because they work well, and enable users to do things," she says.

"Organisations should first make sure they have a clear policy around what is permitted and what is not, and where data can be stored and where it cannot be.

"They should also offer their users corporate-controlled equivalents of the consumer services that are controlled by the organisation and offer users the functionality they need."

Microsoft offers OneDrive for users and OneDrive for Business for organisations, while Dropbox is for personal use and Dropbox for Business is for organisations.

Other services have similar models, Goggi advises, meaning companies can embrace the cloud while maintaining control.

7. Web filtering software

Businesses should also implement web filtering software to both support and enforce their policies.

"The web filtering software you choose should be both granular and intelligent enough to block only what you mean to block, without restricting access to things you want to allow," Goggi adds.

For example, you may want to block Google Drive but still permit users to search with Google. You don’t want a solution that just blocks Google. Implement a solution that supports the business need; not one that limits your options.
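The difference between a granular rule and a blanket one, as an added example that is not from the article or from any filtering product: a host-based policy check in which the most specific matching rule wins. The policy tables, function names and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed policy: the most specific matching host rule wins.
GRANULAR_POLICY = {
    "drive.google.com": "block",  # consumer storage the policy disallows
    "google.com": "allow",        # search and everything else under google.com
}

# The blunt alternative the article warns about: one rule for the whole domain.
COARSE_POLICY = {"google.com": "block"}


def host_of(url):
    """Return the lowercase hostname of a URL, without port or trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def decide(url, policy, default="allow"):
    """Return the action for a URL under the given policy.

    Walks from the full hostname up through its parent domains and returns
    the first rule found. Matching is on whole DNS labels, so the rule for
    'drive.google.com' covers 'docs.drive.google.com' but not a look-alike
    such as 'drive.google.com.example.net'.
    """
    labels = host_of(url).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in policy:
            return policy[candidate]
    return default


if __name__ == "__main__":
    for url in ("https://www.google.com/search?q=policy",
                "https://drive.google.com/drive/my-drive"):
        print(url, decide(url, GRANULAR_POLICY), decide(url, COARSE_POLICY))
```

Under the coarse policy both URLs come back as `block`, which is the over-blocking described above; under the granular policy only the Drive URL is blocked.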

"Organisations that don’t want to embrace the cloud are in the same position today as those that thought the Internet was a fad back in the mid-90s," Goggi concludes.

"The organisations that take the lead, deploy technologies in a controlled and secure fashion, and enable their users to do their jobs will have a competitive advantage over those that do not."

