Are you, too, exposing your company's confidential content to the public?
As more work processes move to mobile devices and companies increasingly use more SaaS or cloud applications, cybersecurity becomes a pressing issue in every sizeable organization.
Even a decade ago, applications lived inside the network perimeter, so a misconfigured file server or SharePoint site was reachable only by people who were already inside. With the rapid move of work to SaaS applications, a single misconfiguration in Box, Google Suite, or Office 365 can expose the same data to the whole internet. If your organization's sensitive information is leaked, you will have to deal with reputation damage and crisis management; if the exposed data falls under a regulatory requirement, you will also face significant fines.
Adversis, a cybersecurity firm that performs red team assessments, penetration testing and vulnerability research, investigated the public accessibility of Box files at several enterprise companies and found internal files, sensitive documents and proprietary technology reachable by anyone on the internet.
Many Box users are at risk because of a single setting. A file is not public the moment it is uploaded; it becomes reachable when someone creates a shared link for it, and unless an administrator has changed the enterprise default, that link's access level defaults to "People with the link", which means anyone who has (or guesses) the URL can open the file without logging in. To restrict a link you need to switch it to "People in your company", and an administrator should make that the default for the whole enterprise. The access level is not the only way attackers reach company data, though. A normal shared link carries a long random token in its URL; if employees replace that token with a human-readable "vanity URL", the link becomes guessable and the file is at far greater risk.
Adversis ran a dictionary attack against the vanity-URL space of several top companies, feeding wordlists of likely names in the hope of guessing the URLs of important documents. At companies including Apple, Herbalife and Pointcare, Adversis gained access to passport photos, social security numbers, financial data, IT data, email addresses, phone numbers, bank account information, customer lists and more. Even some documents belonging to Box's own staff were exposed.
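The two weaknesses above (a link whose access level is "People with the link", and a link whose random token has been replaced by a guessable vanity name) are both visible in the metadata Box returns for each item, so an administrator can audit for them rather than wait for a dictionary attack to find them. The following script is an added example, not code from Box or from Adversis. It assumes the JSON shape of Box's `GET /2.0/folders/{id}/items?fields=name,shared_link` response (entries with `type`, `id`, `name` and an optional `shared_link` object carrying `access`, `url`, `vanity_name` and `unshared_at`) and the `PUT /2.0/files/{id}` body used to change a link's access level and expiry; the folder tree it runs against is constructed for the demo.

```python
"""Audit Box shared links for public access, vanity names and missing expiry.

Added example, not code from Box or Adversis. Assumes the Box API shapes
described in the lead-in; the demo tree below is constructed sample data.
"""
import json
import urllib.request
from typing import Callable, Dict, Iterator, List

ItemFetcher = Callable[[str], List[Dict]]  # folder_id -> list of item dicts


def box_fetch(token: str) -> ItemFetcher:
    """Return a fetcher that lists a folder through the real Box API (not exercised offline).

    Pages through /folders/{id}/items with limit/offset and returns all entries.
    """
    def fetch(folder_id: str) -> List[Dict]:
        entries, offset, limit = [], 0, 1000
        while True:
            url = (f"https://api.box.com/2.0/folders/{folder_id}/items"
                   f"?fields=name,shared_link&limit={limit}&offset={offset}")
            req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
            with urllib.request.urlopen(req) as resp:
                page = json.load(resp)
            entries.extend(page["entries"])
            offset += limit
            if offset >= page["total_count"]:
                return entries
    return fetch


def walk_items(folder_id: str, fetch: ItemFetcher) -> Iterator[Dict]:
    """Yield every item below folder_id, depth-first, so links on nested files are not missed."""
    for item in fetch(folder_id):
        yield item
        if item.get("type") == "folder":
            yield from walk_items(item["id"], fetch)


def classify_link(item: Dict) -> List[str]:
    """Return the problems with an item's shared link; empty list means no link or a safe one."""
    link = item.get("shared_link")
    if not link:
        return []
    problems = []
    if link.get("access") == "open":       # "People with the link": no Box login required
        problems.append("public")
    if link.get("vanity_name"):             # human-chosen /v/<name> path, enumerable with a wordlist
        problems.append("vanity")
    if link.get("unshared_at") is None:     # never expires, so a leaked or guessed URL works forever
        problems.append("no_expiry")
    return problems


def audit(root_folder_id: str, fetch: ItemFetcher) -> List[Dict]:
    """Walk the tree from root_folder_id and collect every item whose shared link has problems."""
    findings = []
    for item in walk_items(root_folder_id, fetch):
        problems = classify_link(item)
        if problems:
            findings.append({"id": item["id"], "type": item["type"], "name": item["name"],
                             "url": item["shared_link"]["url"], "problems": problems})
    return findings


def remediation_body(finding: Dict, expire_at: str = "2025-12-31T23:59:59Z") -> Dict:
    """Build the PUT /2.0/files/{id} (or /folders/{id}) body that fixes what the audit found.

    Vanity names are left for the owner to re-issue the link by hand: they are only reported.
    """
    link = {}
    if "public" in finding["problems"]:
        link["access"] = "company"          # "People in your company"
    if "no_expiry" in finding["problems"]:
        link["unshared_at"] = expire_at     # RFC 3339 timestamp after which the link stops working
    return {"shared_link": link}


# Constructed sample tree, keyed by folder id, mimicking the /items response entries.
SAMPLE_TREE = {
    "0": [
        {"type": "folder", "id": "10", "name": "HR", "shared_link": None},
        {"type": "file", "id": "11", "name": "pricing.xlsx",
         "shared_link": {"url": "https://acme.app.box.com/s/3k9z1q8f7w2m",
                         "access": "company", "vanity_name": None, "unshared_at": None}},
    ],
    "10": [
        {"type": "file", "id": "12", "name": "passports.pdf",
         "shared_link": {"url": "https://acme.app.box.com/v/passports",
                         "access": "open", "vanity_name": "passports", "unshared_at": None}},
        {"type": "file", "id": "13", "name": "notes.txt", "shared_link": None},
    ],
}


def sample_fetch(folder_id: str) -> List[Dict]:
    """Offline stand-in for box_fetch() that serves SAMPLE_TREE."""
    return SAMPLE_TREE.get(folder_id, [])


if __name__ == "__main__":
    for f in audit("0", sample_fetch):
        print(f["url"], f["problems"], "->", json.dumps(remediation_body(f)))
```

In production you would pass `box_fetch(token)` in place of `sample_fetch` and send each `remediation_body` with a `PUT` to the item's endpoint; the "vanity" finding is reported rather than auto-fixed because a guessable name is only cured by re-issuing the link with a fresh random token.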
The primary cause is the cloud nature of these applications, whether it is Box, Google Suite, Salesforce, Workday, or Office 365. Each application may belong to a separate business unit, have its own administrator, its own configuration, and a different level of security maturity. Most users think about their work and their convenience, not security, when they use these applications. They share confidential information via public links that can remain accessible forever, and they change settings without knowing the side effects. Clearly, security of SaaS applications is something many businesses are still struggling to learn and manage effectively.
Given how serious a breach can be, it is prudent for businesses to have an independent cloud security provider that governs all of their cloud applications, scans all of their data, structured or unstructured, and takes remedial action such as quarantining files and applying rights management to sensitive shares. Such a provider should be able to:
Govern all your cloud applications with deep visibility into users' activities and data
Scan content for malware as well as sensitive data
Take automated actions based on your policies
Apply rights management when sharing sensitive files so that only authorized users can access them for a limited time
Encrypt sensitive data and hold your keys locally, not with the cloud provider
Detect and block anomalous activity, such as the dictionary attacks against shared links described above
Satisfy regulatory compliance such as GDPR, HIPAA, PCI, etc. and country specific residency requirements
Protecting customer data is more important than ever. New best practices, such as the use of a third-party cloud application security provider, are a must-have both for security and for the barrage of new regulatory requirements.