Ed Macnair is CEO of cloud security firm CensorNet
In today’s collaboration-happy workplace, applications like Box, Google Drive and Dropbox have been embraced with a big corporate hug. Even traditionally security-conscious organisations have rushed headlong into adopting them.
However, as with any tech that’s seeing big corporate adoption, these apps have also come under the microscope of the bad guys.
Endlessly creative and ruthlessly focussed, criminal organisations are beginning to pull at the threads of companies, trying to figure out how they can be unwound.
The targeted theft
A conscientious employee from finance knows he needs different passwords for accessing the raft of applications that his job demands.
This all gets terribly hard to remember, so instead of writing them down, he puts them in a spreadsheet in Dropbox.
Unfortunately, he isn’t that security-conscious in his personal life. So, when a small Minecraft forum he uses is breached and his email address and password are exposed, cyber criminals start checking popular applications for where those credentials might be re-used.
They hit pay day with his Dropbox account, hoovering up all the data and, alongside the photos from his holiday, they snaffle a file called PASSWORDS.xlsx.
Noting from Twitter and LinkedIn which applications the company uses on a regular basis, they gain access to company finances and business plans, which are sold to a competitor for a hefty amount.
In addition, the online accounting platform is now also wide open. A string of financial transactions sees money syphoned off and, before anyone knows it, the account is empty.
The accountant decides to return to paper…
The disgruntled employee
He was always a problematic member of staff, but now the awkward freelance developer has heard on the grapevine that his bosses are planning to fire him and he is not amused.
Thankfully, he doesn’t have access to sensitive data, but he does have administrative permissions to the company’s cloud-based software update system.
Quietly, he takes out an ‘insurance policy’, pushing any changes to the source code into his own hidden personal account, scraping off intellectual property.
Eventually, he is invited into his boss’ office where he is told he’s being let go and is asked to clear out his desk. He requests time to delete personal files from his PC, secretly initiating Mission Scorched Earth.
He first of all disconnects his copying of the source code, removing the history of changes for every software project and overwriting every file with gibberish.
He also changes everyone else’s access so no one can undo things. Sure, some people may have copies of the code, but safely recovering it could take months.
He leaves with a smug smile on his face, wondering whether he should leave them hanging, or take the blackmail route.
The reputation vandals
The CEO is ‘traditional’ and never uses his company’s collaborative messaging application.
Unfortunately, he has been spear phished and the cyber criminals embark on a social engineering spree with his stolen login information.
Under the guise of the CEO, they turn off all email notifications so he is none the wiser.
They then copy the company hierarchy data, learning everyone’s names and responsibilities. This forms the basis for a campaign of direct messaging, posing as him, asking for various files. People comply because you don’t say no to the CEO!
After getting their hands on enough confidential information, they begin spreading confusion. Suddenly the CEO is talking about redundancies in an open forum. Someone panics and leaks the message to the press, causing stock prices to plummet.
It’s only when the CEO is asked about his comments that the company finally realises someone has been masquerading as him on the company messaging system.
But the reputational damage is already done.
Given the adoption of such services and the innovations employed by the cybercriminal underground, the scenarios above are only the tip of the iceberg.
Sitting in a grey area outside traditional protected corporate IT, cloud applications are currently a soft target.
Ownership of securing these things is often blurred, especially inside smaller organisations where they are often assumed to be safe.
This is very far from the case.