Sharing Files in an Insecure World

Friday July 20, 2018

In the age of information, data is our currency. How we store, move and use this data has become critical to how we operate and do business. Consequently, the introduction of the file sync and sharing (FSS) service has provided major advancements to our data-driven world, but these advancements come with added risk. Let’s take a look at the history of the FSS, it’s many advantages and the new security risks they have introduced.

The first commercial file sync and sharing service began as a college project by USC student Aaron Levie in 2004. Frustrated with having to transport files between his library and dorm room PC’s, Levie began developing what would eventually become Box.com. By 2007, competitors Dropbox and OneDrive had entered the fray, and the FSS market took off from there. Users quickly embraced the technology. Businesses took note and, in an effort to curb non-sanctioned software and devices, the Enterprise file sync and share (EFSS) service was born.

Today, FSS giant Dropbox has 500 million registered users, with a valuation of $10 billion, while Google Drive boasts an astounding 800 million active users. On the business side, Citrix ShareFile, Box and Egnyte are major players, but Dropbox Business is king with 46% of the corporate market share. The EFSS has become such a critical part of the corporate data storage and collaboration strategy that market trends predict the industry to grow from $3.35 billion in 2018 to $10.94 billion by 2023.

With the many different FSS products and flavors, there are three main features in common. The first is the original motivator behind Levie’s little project: the ability to sync files between devices including personal computers, smart phones and tablets. The FSS interface can be a web page or an application, and the data to be synced is not limited to a specific type (Word or Excel files, programs, music, pictures, even entire databases). Most third-party applications now integrate directly with FSS services, making data syncing an automatic and indispensable feature that users have come to expect.

Another common feature of the FSS is the ability to share data with other users. Sharing is done in two ways, the first of which is sending large files beyond the email size limits. Most email systems cap the size of file attachments at around 30 MB, but with data files growing at an exponential rate, users have developed a need to transfer larger files then their systems allow. FSS services allow for data to be uploaded in excess of 3 GB, and provide additional features like password protection, download count limits, and verified notifications that files were delivered. Many EFSS’s also provide email plugins so that the upload process is automatically performed behind the scenes when the email client sends an attachment over a certain size. For example, if a user sends an attachment over 20 MB through Outlook, their ShareFile plugin uploads the attachment to the cloud behind the scenes and sends a download link to the recipient.

The second method of sharing is the ability to create an entire folder hierarchy and set permissions all the way down to the file level. Permissions can be set as granular as the user wants, allowing external parties to read, edit, download, upload, and collaborate in real time. Users can even set up email notifications to alert them whenever changes are being made, and advanced versioning will keep track of these changes. This collaboration ability is one of the main factors that drove the explosive adoption levels of the EFSS in the business world.

The third set of features that most FSS systems now offer are built in productivity tools to compensate for different end user software. Gone are the days when two users had to have matching Microsoft Office installations, or Apple iWork Suite, to work together. Now, users can work together through built-in tools like Dropbox Paper, Google Docs, or Box Notes to collaborate more efficiently.

The FSS has given users and businesses some of the most powerful data storage, sharing, and collaboration tools we have ever seen. All of these features have been presented in a user-friendly interface and operate seamlessly with our most popular systems and services so that the FSS has become a staple of our every day lives. However, with these new abilities comes a unique set of increased security risks that must be addressed.

One of the most obvious risks with an FSS system at home or in the workplace is the risk of data loss. The exfiltration of data outside of a protected system can easily occur when an employee copies sensitive or proprietary data outside of the company through their personal Google Drive share. Many businesses would previously attempt to ensure confidentiality by blocking USB drives access on the local PC, or by using expansive Data Loss Prevention software to ensure that specific data stays internal. Unfortunately, FSS systems circumvent these controls. Hosting a hybrid EFSS on internal company resources provides some risk mitigation, as data transfers can be limited or at least logged. However, as long as sensitive data can be synced to an employee’s personal device, and that device can be lost or stolen, the risk of data loss is ever present.

The flip side of data loss is the risk of incoming malicious data into an otherwise protected network. IT organizations spend an inordinate amount of their time and budget detecting and preventing malware and viruses from gaining entry. Firewalls, Intrusion Detection Systems, email and web spam detectors, and antivirus programs are just some examples of the many systems at work to keep the user environment secure. When users receive files through an EFSS, they are circumnavigating these protective systems (except possibly for antivirus on the local machine). This is the stuff that keeps company security engineers up at night.

There’s also the risk of incorrectly assigned permissions. When users assign their own permissions to data, an incorrect setting to the wrong recipient can be catastrophic. Additionally, allowing write permissions to another user can be an inherently risky proposition. Allowing an external party to write to an internal resource is akin to letting a friend rent a room in your house. If that friend is later infected with ransomware, they will bring it to your home as well. In the case of a hybrid hosted EFSS, the company’s network has just been compromised.

However, the most prevalent security risk that we see involving the FSS are phishing attempts using fraudulent invites to shares. Typically, a user will receive an emailed link inviting them to connect to a share for access to documents. The share will lead them to an authentic looking webpage designed to mimic one of the major FSS providers, a practice called brandjacking. The user will then be prompted to enter their credentials. These may be their Office 365 username and password, local company password, Gmail credentials, or often times their real Dropbox password. These credentials end up in the hands of malicious actors, who now have full access to the user’s email or FSS. This technique is often called Dropbox Phishing due to the fact that Dropbox is the number one target of these scams.

So what kind of controls can we put in place to mitigate the increased security risk introduced by the FSS? The number one control we can implement (and the cheapest) is education through regular training. Users should always be on alert and question any unexpected email they receive, but this is especially true with an FSS invite. All FSS request links must be examined thoroughly by first hovering the mouse over the link before clicking. If the link says www.MyCompany.Dr.0boxx or www.ClickMeQuick , this is obviously not a legitimate link. Once clicked on, the user may be prompted to create a new account on a hosting company’s EFSS. However, they should never be prompted to enter any of their existing account credentials. As I explain to users, if I send you a sharing link from my FSS, why would I need your Gmail username and password? I wouldn’t, unless I was trying to gain access to your Gmail account. Ultimately, if there is any doubt, the best course of action is to contact the person who sent you the link to confirm its legitimacy.

Outside of education, the next best control a company can implement are strict, clear policies on what data should be stored or shared through an FSS. These policies should be communicated to everyone and enforced, potentially with the help of a DLP system.

FSS and EFSS systems are now a fixture of our lives and businesses. They allow us to share data and collaborate with ease and at a rate never before imagined. With these new abilities come new security risks, but through education and the proper policies we can avoid the pitfalls and take full advantage of the next-generation work environment.

 

Robert J. Garcia, CISSP, PMP is the IT Director at Gursey Schneider LLP in Los Angeles.