Wednesday, July 20, 2016

How to safely use EFSS solution

Shameless plug - I recommend reading my previous article if you prefer full stories: Software complexity as an enemy of security. It's a good read, but you can totally go just with this post; both of them have value individually, so it's not required to know the preface.

I've been in the EFSS (Enterprise File Sync and Share) space for almost 4 years already. I started out my journey in this industry by doing penetration tests for FSS vendors, and for the last 3 years I've been working as a security architect for a company that offers exactly that stuff.
I believe this experience makes me kinda qualified to share some observations about product security. There is a lot of vendor content like "we have this great feature, it allows you to enable permissions so granular that even you won't be able to access that data", and while marketing-wise it may be good, it doesn't provide much value in the category I want to talk about.
I failed to find resources that describe how to actually benefit from the security features of FSS products, so I'm sharing my own content for the benefit of regular users and tech admins, and to poke vendors a bit.
Maybe someone already produced great educational materials on this subject and I wasn't diligent enough in my search, but I assume that if I wasn't able to find it, a regular user won't waste time digging deeper.
Either way, let's move on and get some good content together. The general goal is to level up security awareness in the EFSS industry, because based on my observations lots of users are still not aware of all the things they should know.
Disclaimer I need to put here - all I'm writing here is my opinion based on a few years of watching the industry from the inside, working 1-1 with customers, and researching other vendors in this space - in short, just my experience, no ads or sponsorship in here.

During pentests it happens that you can't break the security of the customer's core network, but you can access all their confidential data by breaching unsecured 3rd party assets. Breaking into an on-premise messaging server or external data storage is often much simpler, because even admins sometimes have no clue about that little thing they were supposed to configure. It's the same thing as with internal apps, which are known for being less secure than main products for weird legacy-culture and poor-mindset reasons, which luckily I can see is changing. Internal apps and 3rd party productivity tools often have loads of users, and each one of them is a potential attack vector.

In the case of EFSS products specifically, when the breach happens and the setup was too open in terms of permissions, it's often too late to do anything - the data is already gone. When a breach is identified, users run like headless chickens removing all links and old accounts and changing their passwords to minimize the damage, but well - that could have been prevented in the first place.
EFSS products offer a variety of security features allowing you to secure your data in a very precise way, but only a minority of users takes full advantage of all those goodies. There is a bunch of reasons why users don't want to use security features, and I don't yet have the power to change how vendors (except one) build their software, but I can give a generic tutorial on how to take advantage of what's available in most of them. Thanks to that you'll know what to look for and what the potential consequences and risks of not applying a given measure are.

Just below this paragraph you can find the promised tutorial. If you find it to be valuable content, it would be great if you forward it to other users in your organization to give them a chance to secure their data.
Some may appear trivial, but the reality is that most users fail to do all of these right. And we fail very often on those trivial things because we don't pay attention to day-to-day tasks; people are like "This is so simple, obviously I will not make any such dumb mistake", and a while later their credentials leak and it turns out the master password was "dadada".
You're not required to put all those measures in place or audit the entire setup each day, because who has time for this, but keep them in mind while setting up/using an EFSS solution. I'll keep the wording simple so regular users can learn how to harden their accounts on their own, and the IT team can use it as a checklist to see how they're holding up. So here we go:

In terms of general setup:

1. Keep access permissions according to the principle of least privilege:
Software often offers per folder/file granular permission settings, which you should use to limit availability of your data only to people who actually need it to do their work. I suppose your cleaning lady doesn't need access to executives' invoices or strategic products roadmaps, does she?

I recommend a whitelisting approach, which gives access only to specific individuals/groups, as opposed to blacklisting, which allows everyone except specified individuals. New hires shouldn't have access to everything by default; they should receive access to given resources only if needed/requested.

2. Secure access to your share links:
While generating a file/folder link, take a look at the access level and other security options you can choose, like DRM protection.
You shouldn't keep all links open in the hope that no one will ever guess the UUID of the link. People share links, use unsecured computers, misclick Ctrl+V and leak links from the clipboard. Sometimes the system generates guessable UUIDs or leaks them in the Referer header. More than once I've seen an antivirus or a browser plugin accessing the share link on the user's computer without their knowledge. While it's done in good will, it's still a privacy concern, as you don't know what the browser plugin does with that link, whether it gets stored or sent to a server, and what happens to your corporate data.
There are plenty of ways a shared link can leak, and it just happens. I doubt you want random Internet bots to crawl through your shared invoices.

While smart vendors protect your links from being guessed by employing various mechanisms recognizing bruteforce attempts on shared links, there is nothing a vendor can do if a user recklessly pastes share links everywhere and doesn't set appropriate access settings.
If the data you're sharing is sensitive, protect the link with a password or make the link accessible only to logged-in users. Obviously for external recipients you can't create an account for each one of them, so go with a password. Whenever possible (when sharing a file with co-workers) - use internal links accessible only to logged-in users.
If you use the solution mostly within the company, make internal access the default setting for links. Assess what's the most cost-effective approach in your company and implement it from the admin level for all users.

3. Set expiry for share links:
Use time- or click-based expiry for your links. Don't make links live forever when not needed; seriously, a huge percentage of links are created for one or a few uses only. Set expiry on those links which you think won't be needed after a given period of time, so you don't need to worry about them if a link leaks years in the future.

4. Use strong password for your account and shared links:
Modern computer systems have implemented smart solutions for assessing password strength, like the great zxcvbn, popular in web applications. If you want to know in detail how to create a solid password, take a look at the link under zxcvbn, as there is no point in creating one more resource when there are great existing ones.
Use long, unguessable passwords that are meaningful (easy to remember) to you.
Don't require employees to change their complex passwords too often; it doesn't work the way the security industry wished it would. We tried that dumb approach for 20 years and it didn't work.

5. Enable two factor authentication(2FA):
These days, using two-factor authentication is so trivial that it's a shame not to use it. There are still vendors who suck at implementing 2FA with decent UX, but most have done it well. Whether it's a 2FA mobile application, a phone call or SMS used for the 2nd step of verification - it doesn't matter. All work fine; I don't want to elaborate on the differences in safety between particular options, because it doesn't matter for regular users.
If you don't feel comfortable with the 2FA settings of the product you're using and it doesn't provide room for customization, then let the vendor know. Security shouldn't cause a bad experience, because if it feels off to you, chances are it's also problematic for that other shy person in your company who's going to hate it and not say a word. For the common benefit, take the lead and report to the vendor your feelings about the weaknesses of their 2FA.

6. Don't create too many temporary accounts:
Do you really need to create an account for that short-term contractor if all he's going to need is access to 2 files, which you can share with him using a password-protected link?
If it happens that you need to create an account for any reason, set up an account expiry for the date when his/her contract is going to be terminated. The date is usually known at the beginning of a contract, so this is easy. It's better to extend the account lifetime if necessary than to forget about blocking it and leave a dummy account open to attacks.

7. Put access removal on your employee termination checklist:
When an employee leaves your company, you should obviously block their accounts in all internal services, but in the case of EFSS products the behavior after an account block varies a lot. In some products, when you block an account all links are automatically expired, while for a different vendor they remain intact. You should check what the behavior is for the product you use, and after an employee is terminated it's a good habit to review the links they shared and block those which don't need to be open anymore.
You may need to leave some links because they have been shared with a customer, but you never know what else was shared. "Trust everyone, but cut the cards" is a good summary to put here.
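The link review from points 2, 3 and 7 above can be scripted against an admin export of share links. This is an added example, not code from the original post or from any vendor: the record fields (`access`, `password`, `expires`, `owner`) and the sample links are constructed assumptions, since every product exports something different.

```python
from datetime import datetime, timedelta

# Constructed sample: what a share-link export might look like after parsing.
# Field names are assumptions, not any vendor's real export format.
NOW = datetime(2016, 7, 20)
LINKS = [
    {"id": "lnk-001", "owner": "alice", "path": "/Finance/invoices-Q2.xlsx",
     "access": "public", "password": False, "expires": None},
    {"id": "lnk-002", "owner": "bob", "path": "/Sales/deck.pptx",
     "access": "public", "password": True, "expires": NOW + timedelta(days=7)},
    {"id": "lnk-003", "owner": "carol", "path": "/HR/handbook.pdf",
     "access": "internal", "password": False, "expires": None},
    {"id": "lnk-004", "owner": "dave", "path": "/Eng/roadmap.docx",
     "access": "public", "password": True, "expires": NOW - timedelta(days=30)},
]
# Constructed list of accounts blocked in the termination checklist.
TERMINATED = {"dave"}


def review_links(links, terminated, now=NOW):
    """Return [(link_id, [issues])] for links that violate the checklist.

    Checks: public link without password (point 2), public link that never
    expires (point 3), expired link still listed as active (point 3), and
    links owned by a terminated employee (point 7).
    """
    findings = []
    for link in links:
        issues = []
        public = link["access"] == "public"
        if public and not link["password"]:
            issues.append("public link without password")
        if public and link["expires"] is None:
            issues.append("public link never expires")
        if link["expires"] is not None and link["expires"] < now:
            issues.append("expired but still active")
        if link["owner"] in terminated:
            issues.append("owner terminated; review or block")
        if issues:
            findings.append((link["id"], issues))
    return findings


if __name__ == "__main__":
    for link_id, issues in review_links(LINKS, TERMINATED):
        print(link_id, "->", "; ".join(issues))
```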

8. Reading audit reports:
Most vendors offer cool auditing capabilities, and this is a tremendous help for security audits. You can jump into your account settings, run a report or see it in near-real time, and verify what operations have been done on your account and your files. It includes data on login history, lists bruteforce attempts, describes folder permission changes and a ton of other goodies - this is gold.
It's especially important for technical admins, who should periodically review their users' activity and look for alerts and anomalies.

9. Report weird activity to tech admin/vendor:
This is really important: the sooner you react, the more likely you'll limit the probability of data leakage. If your data is missing, files get renamed out of the blue or you can't log in to your account anymore - report it immediately. It's better to report a false positive than to miss the opportunity to stop an attacker.

If you're using a mobile application to access the data, you should have at least a couple of additional things to check (differs between vendors):

1. Set up a solid passlock/password for your application.
2. Enable the option to delete all local data after X login attempts and log you out of the account if someone grabs your phone and tries to guess your passlock too many times.
3. Enable encryption for synced data. It's usually called "local/offline data storage encryption".
4. Enable session timeouts, so if you leave your phone somewhere it'll automatically log you out after a set period of time.
5. Explore, explore, explore. Mobile apps' settings are usually tiny; it's easy to get a solid grasp of the available functions in a few minutes.
6. Remember the remote wipe option when you lose your device. If you lost your device, log in to the web application, go to account settings and terminate the session from your phone, then initiate an erase of synced data.

For desktop applications I have only one EFSS-specific thing, which most users are not aware of because they're so used to clicking the "Next" button during software installation. Some FSS apps ask if you want to limit access to locally synced data to the system user who installed the app, or make the data available to all computer users. So beware if you're sharing your computer with other users, because if you chose the wrong option - other users can access your corporate data.

Apart from that you should just protect your computer in the regular ways - set a solid login password, enable a screensaver which requires logging in after X minutes of inactivity, enable disk encryption, and use antivirus software.

When it comes to on-premise appliances, the checklist contains slightly different things:

1. On-prem appliances usually come with web, SSH and FTP access to ease the configuration process. As soon as you get it out of the box, change the default credentials and set strong passwords for those services.
2. After you're done with configuration, block unnecessary services and make sure to disable guest access. Nmap will be very helpful here to ensure you did a good job in turning off redundant services - if you're not into this kind of stuff, just download a GUI version and it'll become trivial.
3. Install patches and upgrades as often as you can. Your corporate data is going through that appliance, so you must ensure you have the latest security patches for the underlying OS and the product itself.

And that would be it. While it can differ between vendors, or I could have simply missed something (did my best), this guide should help you significantly improve the safety of your data.

Okay vendors, I did quite a solid piece of work. It's your job now to take this draft and describe your products in a more detailed way that is approachable for a regular human being.
It would be awesome if each EFSS vendor took the time and wrote an easy guide to their products' security functions.
I'm sure this effort would be greatly appreciated by users, so it sounds like a win-win to me, even marketing-wise if that drives you the most.
