Public cloud security - ignorance is no excuse
If you use Google, Apple, or Dropbox, then much of your life is already in the cloud. With nearly half of all business data also held in the cloud we’ve assembled these tips to help explain to employees the security risks associated with public cloud services.
The recent high profile hack of celebrities' nude photos on Apple’s iCloud shows just how little most users understand what’s happening to their data. You needn’t be a celebrity to attract malicious attention. Anyone who uses public cloud services to store confidential information could be targetted. Here are some ways to explain the threat:
Automatic sync between devices and cloud-based services is incredibly convenient for users but a nightmare for CIOs. Ensuring data is available everywhere makes it too easy for employees to put privileged information at risk using the public cloud. Once available on the public cloud, data is no longer controlled and becomes vulnerable to successful attacks on the cloud service. As sensitive content gets mixed up with personal files most of us forget to search and delete those private files from the public cloud. In the event your personal cloud service security is breached then you may be held responsible for any leak – even if you never knew it happened.
"no one wants my data”
Sophisticated online criminals have developed numerous techniques to undermine company security, such as spear phishing. This attack sees miscreants research a target entity to identify real names and email addresses of employees. They create convincing spoof emails addressed to named recipients asking them to reset their cloud service passwords. Click on the reset link they provide and you are directed to a convincing fake site. Enter your details and criminals learn your password, and gain access to your account. They can then explore your data to find what they seek, such as login details for your enterprise Intranet. Spear phishing is a popular tool for corporate espionage – it doesn’t matter how senior you are if you might be able to provide access.
“how did they know?”
If criminals know who you are they can find out more about you online on social networks. They may figure out your birthday or pose as a friend’s friend to get better access to your social network, or as an online retailer you recently used in order to credibly request credit card number verification.
Given so many people use dates of birth within passwords, this information gives criminals a better chance of success when launching brute force attacks in which thousands of potential passwords are entered using an automated tool. This may be all they need to compromise enterprise security.
“I didn't know it was sensitive…”
Ignorance is no excuse. Even if a document you are working with on behalf of your enterprise isn’t marked as top secret, your organization should have an information access policy, including tiers of data and access controls.
It’s important to recognize that if a criminal organization is attempting to subvert the security of the company you work for you are unlikely to be the only person they are probing. Small clues from multiple employees quickly become a bigger picture to help breach protection. The convenience of being able to easily access a project file using One Drive in preference to accessing your less reliable enterprise system needs to be understood within the context of your future employment.
“you can’t stop people taking data out”
It isn’t possible to prevent employees taking data out of the enterprise on devices, USB drives, or cloud services, but such actions can be actively discouraged. Extreme Networks’ Enterasys security software prevents corporate file attachments from leaving the corporate network using a webmail application.
“I didn’t understand what was happening”
Big tech firms actively encourage consumers to store data in the cloud on the basis of convenience, but may not be doing enough to let users know what data they store. Speaking to MTV after the iCloud hack, Jennifer Lawrence said, “My iCloud keeps telling me to back it up and I’m like, ‘I don’t know how to back you up. Do it yourself.’”
It is possible thousands of active iCloud accounts originally created when people got their first iPod may still use the original password. With this in mind it is worrying the world's two most used passwords last year were “123456” and “password”.