Ho hum. Another day, and another data leak. What else is new?
The latest hullabaloo on my radar was from one of Malaysia’s revered universities, UiTM, which reported a data leak of 11,891 student applicants’ private details, including the MyKad (national identity card) number of each individual. Reading the news article, one can deduce that the unsecured link mentioned was probably from a cloud storage service, i.e. file synchronization software such as OneDrive, Google Drive, Dropbox, etc., where files can be easily shared via an HTTP/S URL link. Ah, convenience over data security best practices.
It irks me when data security practices are poorly practised. And it is likely that there is ignorance of data security practices in the first place.
It also irks me when many end users everywhere I have encountered tell me their file synchronization software is their backup. That is just a very poor excuse for a data protection strategy, if any, especially in enterprise and cloud environments. Convenience, set-and-forget mentality. Out of sight. Out of mind. Right?
Convenience is not data security. File Sync is NOT Backup
Many users are used to the convenience of file synchronization. The proliferation of cloud storage services with free Gigabytes here and there has created an IT segment based on BYOD, which transformed into EFSS, and now CCP. The buzzword salad involves Bring-Your-Own-Device, which evolved into Enterprise-File-Sync-&-Share, and in these later years, Content-Collaboration-Platform.
All these are fine and good. The data industry is growing up, and many are leveraging the power of file synchronization technologies, be it on-premises or from cloud storage services. Organizations, large and small, are able to use these file synchronization platforms to enhance their businesses and digitally transform their operational efficiencies and practices. But what is sorely missing in embracing the convenience and simplicity is the much-ignored cybersecurity housekeeping that should be keeping our files and data safe.
On one Sunday about 1 1/2 years ago, I was disturbed at about 8.30 in the morning by a slew of WhatsApp messages. They came from an end user whom I know. His company provided business processing services for local Malaysian Oil and Gas companies. The message was like this: “Help … we got hit by ransomware. Our files are encrypted and our backups are also encrypted too”.
Since his company had no business with me, I advised him as a friend. Identify the ransomware; look for a decryptor key if any. I also did some initial Q&A with him about their backup practices and regimes, since this was an area of interest of mine. He mentioned they had a “backup” regime running daily, and this is through Synology®’s Cloud Sync that synchronizes their company’s files to Microsoft® Azure. Brilliant, except … file synchronization is NOT backup! And his local NAS files also produced encrypted (i.e. infected) “backup” files in Azure as well.
How this friend arrived at the notion that the file synchronization feature in Cloud Sync is a backup tells me that many users are still ignorant of what a backup practice should be. Check out this EaseUS blog that provides the context – 3-Minute Guide on Backup vs. Sync – EaseUS. Again, file synchronization is NOT backup! And the cloud isn’t immune to ransomware either, as articulately described by Veritas® – Can Ransomware Infect Cloud Storage? | Veritas.
Convenience exacerbated by the Pandemic and the WFH phenomenon
Convenience has become the biggest threat to data security when it comes to home NAS solutions and file synchronization software. I have already highlighted that NAS is a ransomware goldmine in a previous blog. Given the WFH (work from home) phenomenon driven by the COVID-19 pandemic, many end users, with or without the consent of their company’s IT organizations, have resorted to these convenient practices to do work.
But the work environments in these settings are totally and utterly insecure. The endpoints at home, the interfaces that connect to digital work on the Internet, were happily constructed and consumed, all in the name of work. Home NAS solution sales grew, cloud file synchronization services were subscribed beyond the free tiers, and data security practices took a back seat until IT realized that these environments are backdoors into the corporate network. Data security is minimal at best, or non-existent.
What can we do?
The WFH practice is still in session. The pandemic is not fully over yet, and digital work cultures have changed to accept that these unsecured locations are part of the online network. But these unsecured locations are exposed and weak. Coupled with ignorance of data security practices, file synchronization services can become easy targets for ransomware, phishing and data leaks. How can we make file synchronization services more secure? What can we do about it?
I am no cybersecurity expert. But I do think several table-stakes data security practices should be in place in order to address the poor data security housekeeping habits:
- Identity and Access Management (IAM) with Multi Factor Authentication (MFA)
- Data encryption
- Data Protection
- Basic Security Awareness
- Patches and updates
Identity and Access Management (IAM) with Multi Factor Authentication (MFA)
Yeah. It sounds like some tech industry buzzwords. Distilled to their basics, users must go through a series of authentication processes to verify and validate that the user logging in is who he or she claims to be. Today, logins and passwords are slowly but surely becoming obsolete. The trust linking a login to a password to allow entry into data networks is getting weaker.
And it is good to see many organizations beginning to recognize this weakness and starting to implement 2FA (2 Factor Authentication) or MFA (Multi Factor Authentication) to add an additional step to validate and verify the user credentials. Even better, some organizations have begun to retire the SMS OTP 2FA methods by going to passwordless logins.
I work for iXsystems™, and 2FA has existed for TrueNAS® logins for quite some years. Here is a video to show how 2FA is set up with TrueNAS® SCALE.
Data Encryption
Always assume that all networks are insecure. Data and messages that travel over the wire (or wireless) can be snooped. At home, I would presume the users working with file synchronization apps on their desktops and mobile devices are always on. The set-and-forget convenience means instant data access at our fingertips. But that convenience also creates laxity in data security, one that threat actors are happy to exploit.
So, it is more common now that home WiFi networks are configured with WPA (WiFi Protected Access). Even better with WPA2 and WPA3.
However, the online data that travels to and fro on the World Wide Web and the Internet can still be snooped and spied on. It is good to invest in a VPN (Virtual Private Network) at the endpoints to ensure that there is an encrypted “tunnel” for the online communications. The data communication in the VPN tunnel is shielded from snooping eyes.
Data Protection
To many, data backups are a nuisance, especially when you are a user who has enjoyed the data protection work of tireless IT administrators. With the WFH practices, the joy of this “freedom” of working also comes with its downsides. When it comes to backup, often the home user or the digital nomad has to do their own backups. So, the data protection practice goes out the door, and is often ignored, until …
And I want to point out strongly that file synchronization services are NOT backup. Stop thinking “Google Drive or OneDrive are auto-backing up my files, so I am protected”. File Sync is NOT backup.
Backups have versions; synchronization usually overwrites the old file copy with the newer changed file. A backup may not have the latest copy of the file changes unless you are backing up every single time a change happens. But the recovery mechanisms in most backup restores will almost always save the day, unless you are not applying data security practices to the backups as well.
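To make the difference concrete, here is a small model, added to this post and not code from any product mentioned in it, that replays the ransomware story above: a one-way sync mirror keeps only whatever the local file currently is, while a versioned backup keeps every run and can roll back to the last clean copy. The `scramble` function is a constructed stand-in for “the file got encrypted”, not real ransomware.

```python
"""Why file sync is NOT backup: a sync mirror overwrites the remote copy with the
current local content, while a versioned backup retains earlier copies."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class SyncMirror:
    """One-way sync: the remote always mirrors the latest local state, no history."""
    remote: Dict[str, bytes] = field(default_factory=dict)

    def sync(self, local: Dict[str, bytes]) -> None:
        self.remote = dict(local)  # overwrite-on-change; deletions propagate too

    def restore(self, name: str) -> Optional[bytes]:
        return self.remote.get(name)


@dataclass
class VersionedBackup:
    """Backup job: every run appends a new immutable version of each file."""
    versions: Dict[str, List[bytes]] = field(default_factory=dict)

    def run(self, local: Dict[str, bytes]) -> None:
        for name, data in local.items():
            self.versions.setdefault(name, []).append(data)

    def restore(self, name: str, version: int = -1) -> Optional[bytes]:
        hist = self.versions.get(name)
        return hist[version] if hist else None

    def latest_clean(self, name: str, is_clean: Callable[[bytes], bool]) -> Optional[bytes]:
        # Walk from newest to oldest and return the first version that passes the check.
        for data in reversed(self.versions.get(name, [])):
            if is_clean(data):
                return data
        return None


def scramble(data: bytes) -> bytes:
    # Constructed stand-in for an encrypted file: marker plus reversed bytes.
    return b"LOCKED:" + data[::-1]


def looks_clean(data: bytes) -> bool:
    return not data.startswith(b"LOCKED:")


def simulate() -> Dict[str, Optional[bytes]]:
    local = {"quarterly.xlsx": b"Q1 revenue 1,200,000"}  # constructed sample file
    mirror, backup = SyncMirror(), VersionedBackup()
    mirror.sync(local); backup.run(local)                # day 1: healthy state
    local = {n: scramble(d) for n, d in local.items()}   # day 2: files get encrypted
    mirror.sync(local); backup.run(local)                # both jobs run on schedule
    return {"mirror": mirror.restore("quarterly.xlsx"),
            "backup_latest": backup.restore("quarterly.xlsx"),
            "backup_clean": backup.latest_clean("quarterly.xlsx", looks_clean)}
```

Both the mirror and the newest backup version hold the encrypted copy; only the backup still has the clean day-1 version to restore from.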
Basic Security Awareness
Besides cursing that now my passwords have to have at least one upper-case letter, one digit and one special character, with a minimum of 8 characters, and that I cannot reuse my old passwords, there is a reason for enhanced password strength. It forces the user to adopt a habit that ensures a stronger and hopefully more secure “login gatekeeper” to their files and data.
Phishing has become one of the top threat techniques to data security. Learn to identify peculiarities, oddities and anomalies. There are companies that specialize in security awareness. KnowBe4 is one that I have known through the years, and I have taken one of their online trainings before. Very helpful.
At the end of the day, if unsure, just ask. If there is no one to ask, research it online. If it is too good to be true, it is too good to be true.
Patches and Updates
I was incredibly amused by one of the episodes of Space Force where the character played by Jimmy O. Yang was supposed to relay some data to a satellite, instructed by the character played by John Malkovich. The Windows OS of the computer, just there and then, decided to do a software update. Here is the scene (profanity included):
Keeping your OS and your software patched to the latest versions is vitally important to make sure the CVEs (Common Vulnerabilities and Exposures) are kept in check. These updates and latest fixes should address the security weaknesses and gaps that impact data security, including the file synchronization communication protocols and services as well.
Spread the knowledge of good data security practices
File synchronization data security practices are poor. The endpoints, be it at home or at Starbucks, are not secure. They are easy targets for threat actors to gain access and worm their way into valuable company and user data. Once access is gained, file synchronization services, be it over the cloud or the VPN, become super spreaders. The threats can go far and deep, and can infect the internal networks rapidly. Thus a good knowledge and basic understanding of data security practices are essential to protect the data from ransomware encryption, malware destruction, data infiltration and data leaks. Even the basic practice of a few simple data security habits can help in reducing these harmful threats.
As I was writing this blog, Ne-Yo’s song “So Sick” was playing in the air (I was at McDonald’s). The repeated lyrics “I’m so sick of love song ..” also reminded me of being so sick of the lack of understanding of real data protection. BTW, I am on VPN.
Let’s be vigilant. Trust no one.