Over the past few weeks cloud storage services have been compromised all too regularly, beginning with the theft of celebrities' personal photos from Apple's iCloud service.
Not long after, messaging service Snapchat also fell foul of cyber attackers, with both photos and videos stolen.
Now it is Dropbox's turn to respond, to what it says is a compromise of another service's credential store that is being used to break into the Dropbox accounts of users who reuse the same username and password across multiple services.
"A common theme across all of these is clear," observes Christina Goggi, Web Content Specialist at GFI Software: "cloud services are being compromised."
"Does this mean you should not trust cloud services? Pull all your data back down to local storage and cancel your Internet connection? Go off the grid and return to the trees? Of course not."
Speaking to Computerworld NZ, Goggi says cloud services are a major component of our connected lives, and it is not at all true that they are inherently unsafe or vulnerable.
"They are, however, accessible from literally anywhere in the world, so most people should take more precautions with their data than they may be accustomed to," she explains.
Goggi offers seven tips to help both users and organisations use cloud services more securely.
1. Usernames
Most of these services allow, or even require, users to use their email address as their username. While this makes it simple for people to remember their username, it also makes it easy for attackers to figure out the first half of your credentials.
"If you have the option to use something else, or have multiple email addresses or aliases you can use, it will help make it harder for attackers to determine your username for a particular service," Goggi advises.
"I like to use my email address as my username, so I won’t change this, but it does drive home the next point."
2. Strong, unique passwords
Use strong, and much more importantly, unique passwords for each service. If you use the same username and the same password across multiple services and one is compromised, an attacker now has access to all of your cloud services. This is exactly the scenario Dropbox says happened.
"They were not themselves compromised," Goggi explains, "but some other service was and since users are using the same username and password, that provided attackers with the credentials to access victims’ Dropbox accounts."
According to Goggi, the subset of leaked accounts that was posted online shows an alarming trend: users frequently use dictionary words as passwords, making it extremely easy for attackers to compromise accounts.
"Make sure your passwords are not only unique, but also strong," Goggi adds. "Use a mix of uppercase letters, lowercase letters, numbers, and punctuation.
"Consider using a passphrase rather than just a password, which is longer and more complex, but also easier to remember than some random string of characters."
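The checks behind the two password points above (reject dictionary words even when disguised with capitals, digits and "leet" substitutions; flag a password reused across services, which is the Dropbox scenario; generate a passphrase from a secure random source), as an added example written for this article. It is not code from GFI Software or from any service named here, and the word list is a small constructed sample; a real check loads a full dictionary plus a breached-password corpus.

```python
"""Password hygiene checks for cloud-service logins.

Added example for this article; it is not code from GFI Software or from any
service the article names. The word list is a small constructed sample: a
real check loads a full dictionary plus a corpus of breached passwords.
"""
import math
import secrets
import string

# Constructed sample; a real deployment uses a full word list.
DICTIONARY = {
    "password", "dropbox", "welcome", "letmein", "monkey", "sunshine",
    "summer", "orange", "dragon", "football", "iloveyou", "princess",
    "correct", "horse", "battery", "staple",
}

# Single-character substitutions attackers already try ("p@ssw0rd").
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalise(pw: str) -> str:
    """Strip the usual padding ('Summer2014!'), lower-case, undo leet."""
    core = pw.strip(string.digits + string.punctuation).lower()
    return core.translate(LEET)


def is_dictionary_word(pw: str) -> bool:
    """True if the password is a dictionary word in one of its common disguises."""
    return normalise(pw) in DICTIONARY


def weaknesses(pw: str) -> list:
    """Reasons this password would be rejected; an empty list means it passes.
    Long passphrases are exempt from the character-class rule: their strength
    comes from length, which is the article's point about passphrases."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
    if len(pw) < 20 and sum(classes) < 3:
        problems.append("fewer than three character classes")
    if is_dictionary_word(pw):
        problems.append("dictionary word, possibly with common substitutions")
    return problems


def reused(credentials: dict) -> dict:
    """credentials maps service -> password. Returns each password used for
    more than one service, with those services: the Dropbox scenario above."""
    by_pw = {}
    for service, pw in credentials.items():
        by_pw.setdefault(pw, []).append(service)
    return {pw: svcs for pw, svcs in by_pw.items() if len(svcs) > 1}


def passphrase(words: int = 5, wordlist=tuple(sorted(DICTIONARY))) -> str:
    """Diceware-style passphrase from the OS CSPRNG (never random.choice)."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a uniformly chosen passphrase: words * log2(list size).
    Five words from a 7776-word Diceware list give about 64.6 bits."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    for candidate in ("P@ssw0rd!", "Summer2014!", "correct horse battery staple"):
        print(candidate, "->", weaknesses(candidate) or "ok")
    print(reused({"dropbox": "Summer2014!", "snapchat": "Summer2014!", "mail": "x7!kQ"}))
    print(passphrase(), f"({passphrase_entropy_bits(5, len(DICTIONARY)):.1f} bits from this tiny list)")
```

The normalisation order matters: trailing digits and punctuation are stripped before the leet substitutions are undone, otherwise "Summer2014!" would be rewritten to "summer2oia" and slip past the dictionary check.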
3. Multi-factor authentication
If a cloud-based service offers multi-factor authentication, use it, urges Goggi.
"Many are able to work with mobile phone apps or use SMS messages to your mobile phone, so that before an attacker can compromise your data, they must also have your physical device," she says.
"You may not know that your credentials have been compromised for days or even weeks after the fact, but you will notice your phone is missing within minutes."
4. File encryption
Most cloud services encrypt data both in transit and on their own servers, but they manage that encryption and hold the keys.
Goggi therefore suggests considering third-party file encryption where you control the keys and keep them stored locally, so that even if your data is stolen, attackers cannot use it because the encryption keys remain with you.
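What "you control the keys" looks like in practice: the file is encrypted on your own machine before it is written to the synced folder, so the provider only ever stores ciphertext and the passphrase never leaves your computer. This is an added example written for this article, not a feature of Dropbox, OneDrive or any other product named here. To stay standard-library only it builds an encrypt-then-MAC cipher from HMAC-SHA256 (keystream block i = HMAC(enc_key, nonce || i)); a production tool should use AES-GCM or ChaCha20-Poly1305 from a vetted library instead. The passphrase, file names and plaintext are constructed.

```python
"""Encrypt a file on your own machine before it lands in a synced cloud folder,
so the provider only ever stores ciphertext and the key stays with you.

Added example for this article; it is not a feature of Dropbox, OneDrive or any
other product named here. To stay standard-library only, the cipher is an
encrypt-then-MAC construction built from HMAC-SHA256 (keystream block i =
HMAC(enc_key, nonce || i)); a production tool should use AES-GCM or
ChaCha20-Poly1305 from a vetted library instead. Passphrase, paths and
plaintext below are constructed for the example.
"""
import hashlib
import hmac
import os
import secrets
import struct
import tempfile

SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
KDF_ITERATIONS = 200_000


def derive_keys(passphrase: str, salt: bytes) -> tuple:
    """PBKDF2-HMAC-SHA256 stretches the local passphrase into separate
    encryption and MAC keys. Only the salt is written to the cloud."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based keystream; a fresh random nonce per file means it never repeats."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt(passphrase: str, plaintext: bytes) -> bytes:
    """Blob layout: salt || nonce || ciphertext || tag (tag covers all three)."""
    salt, nonce = secrets.token_bytes(SALT_LEN), secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def decrypt(passphrase: str, blob: bytes) -> bytes:
    """Check the tag before decrypting; ValueError on wrong key or tampering."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("truncated blob")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong passphrase or modified file")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))


def opens_cleanly(passphrase: str, blob: bytes) -> bool:
    """True if the blob authenticates and decrypts under this passphrase."""
    try:
        decrypt(passphrase, blob)
        return True
    except ValueError:
        return False


def encrypt_to_sync_folder(src_path: str, sync_dir: str, passphrase: str) -> str:
    """Write <name>.enc into the folder the cloud client uploads from."""
    with open(src_path, "rb") as f:
        blob = encrypt(passphrase, f.read())
    dst = os.path.join(sync_dir, os.path.basename(src_path) + ".enc")
    with open(dst, "wb") as f:
        f.write(blob)
    return dst


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as local, tempfile.TemporaryDirectory() as cloud:
        src = os.path.join(local, "board-minutes.txt")
        with open(src, "wb") as f:
            f.write(b"constructed sample: quarterly numbers, not yet public")
        enc = encrypt_to_sync_folder(src, cloud, "correct horse battery staple")
        with open(enc, "rb") as f:
            stored = f.read()
        print("provider sees plaintext:", b"quarterly" in stored)
        print("right key opens it:", opens_cleanly("correct horse battery staple", stored))
        print("wrong key opens it:", opens_cleanly("Summer2014!", stored))
```

Note the trade-off the article implies but does not spell out: because the provider never holds the key, it also cannot index, preview or recover the file for you. Lose the passphrase and the data in the cloud is as unusable to you as to an attacker.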
5. Client patching
Most cloud services rely on client software: an agent installed on your workstation, or the operating system of your phone.
Services that are purely browser-based still rely on your browser. "Keeping your client software up to date helps to ensure that your machine is not the source of a compromise," Goggi adds.
6. Policy and availability
For organisations, Goggi believes there are "legitimate concerns" about storing data in cloud-based services, especially consumer-oriented services.
"Users want to use these services because they work well, and enable users to do things," she says.
"Organisations should first make sure they have a clear policy around what is permitted and what is not, and where data can be stored and where it cannot be.
"They should also offer their users corporate-controlled equivalents of the consumer services that are controlled by the organisation and offer users the functionality they need."
Microsoft offers OneDrive for consumers and OneDrive for Business for organisations; likewise, Dropbox is for personal use and Dropbox for Business is for organisations.
Other services have similar models, Goggi advises, meaning companies can embrace the cloud while maintaining control.
7. Web filtering software
Businesses should also implement web filtering software to both support and enforce their policies.
"The web filtering software you choose should be both granular and intelligent enough to block only what you mean to block, without restricting access to things you want to allow," Goggi adds.
For example, you may want to block Google Drive but still permit users to search with Google; you do not want a solution that simply blocks all of Google. Implement a solution that supports the business need, not one that limits your options.
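The Google Drive versus Google search distinction above comes down to matching on the normalised hostname rather than on the URL as a string, and to handling the tricks (upper-case hosts, `user@` prefixes, explicit ports, trailing dots) that get past naive filters. Below is an added example written for this article, not code from GFI Software or any named filtering product; the policy and the sample requests are constructed. One practical caveat: for HTTPS a filter sees only the hostname (from the CONNECT request or TLS SNI) unless it intercepts TLS, so host granularity is what is realistically available.

```python
"""Granular host-level web filter: block the file-sharing hosts you mean to
block without blocking the vendor's other services.

Added example for this article; it is not code from GFI Software or any named
filtering product. The policy and the sample requests are constructed.
"""
from urllib.parse import urlsplit

# Constructed policy. Consumer Google Drive and Dropbox are blocked; Google
# search stays open. Drive file content is served from googleusercontent.com,
# so that suffix is blocked too or downloads would still succeed.
BLOCKED_HOSTS = {"drive.google.com", "docs.google.com", "dropbox.com", "www.dropbox.com"}
BLOCKED_SUFFIXES = (".googleusercontent.com", ".dropboxusercontent.com")
DEFAULT_ALLOW = True  # everything not listed is permitted


def host_of(url: str) -> str:
    """Normalised host: lower-cased, userinfo and port removed, trailing dot
    dropped. Each of these is a classic way to slip past naive string matching."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").rstrip(".")


def decide(url: str) -> str:
    """Policy decision for one request: 'allow' or 'block'."""
    host = host_of(url)
    if not host:
        return "block"  # fail closed on anything we cannot parse
    if host in BLOCKED_HOSTS or host.endswith(BLOCKED_SUFFIXES):
        return "block"
    return "allow" if DEFAULT_ALLOW else "block"


def naive_decide(url: str) -> str:
    """The blunt filter the article warns against: substring match on the whole URL."""
    lowered = url.lower()
    return "block" if "google" in lowered or "dropbox" in lowered else "allow"


def compare(urls) -> list:
    """(url, naive decision, granular decision) for each request."""
    return [(u, naive_decide(u), decide(u)) for u in urls]


if __name__ == "__main__":
    SAMPLE = [  # constructed requests
        "https://www.google.com/search?q=how+to+share+a+file",
        "https://www.google.com/search?q=drive.google.com",
        "HTTPS://DRIVE.GOOGLE.COM/file/d/abc123/view",
        "https://user@drive.google.com:443/",
        "https://drive.google.com./",
        "https://doc-0c-bs-docs.googleusercontent.com/docs/xyz",
        "https://example.org/blog/why-i-left-dropbox",
    ]
    print("naive granular url")
    for url, naive, granular in compare(SAMPLE):
        print(f"{naive:5} {granular:7} {url}")
```

The naive filter blocks every Google search and a blog post that merely mentions Dropbox, while letting nothing useful through that the host filter would not also allow; the host filter blocks exactly the file-sharing endpoints, including the evasion variants.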
"Organisations that don’t want to embrace the cloud are in the same position today as those that thought the Internet was a fad back in the mid-90s," Goggi concludes.
"The organisations that take the lead, deploy technologies in a controlled and secure fashion, and enable their users to do their jobs will have a competitive advantage over those that do not."