[BreachExchange] Dropbox Data Breach: When Human Error Trumps IT Security

Audrey McNeil audrey at riskbasedsecurity.com
Mon Sep 12 18:35:28 EDT 2016


http://www.aim.ph/blog/dropbox-data-breach-when-human-error-trumps-it-security/


Cybercrime has been making headlines these days, the most recent being the
data breach reported on millions of Dropbox accounts. Given the
circumstances, companies are reminded again to beef up their IT support to
pave the way for better network control and prevent customer data from
being compromised.

The Threatening Combination of Human Error and Passwords

Late last month, reports indicated that email and password data from over
68 million Dropbox accounts, stolen four years ago, had leaked online.

Back in August 2012, Dropbox confirmed that a stolen employee password was
used to gain unauthorized access to a project document, which contained
user email addresses. The breach led to users receiving spam at the email
address associated with their Dropbox account, prompting the company to put
additional security controls in place, along with a recommendation that
customers keep different passwords for each website or service they use.

For customers who have not changed their password since the 2012 breach,
Dropbox is prompting them to update their credentials the next time they
sign in, although the company maintains that such accounts have not been
accessed illegally.

Interestingly, another breach happened in August 2012 when a hacker stole
6.5 million encrypted passwords from LinkedIn’s user accounts. Fast forward
to May this year, new reports indicated that a hacker was selling 117
million LinkedIn log-in credentials on a dark web marketplace. It’s not
known whether or not the new loot includes the records from the 2012
breach, but the sale was said to be going for about $2,300.

IT Security Best Practices in Managing Passwords

From these data breaches, it’s safe to assume that companies need stricter
security controls to protect their users’ information. Here are some things
to do and remember:

Introduce good password management policies.

Passwords are the first line of defense in accessing customers’ online
accounts. Therefore, authenticating them should be as foolproof as
possible. The Dropbox data breach is especially significant because the
company’s own employee failed to follow password management practices.

Some customers refuse to use different passwords for different applications,
mainly for convenience, so you should clearly define standards on how they
should choose their passwords.

You also need a good password management system in your service
applications, using password hashing (a one-way transformation of a string
of characters into a fixed-length value that stands in for the original
string) and two-factor authentication (read: the two authentication factors
should be different from each other).
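The two controls named above, salted slow password hashing and a second factor, as an added example that is not part of the original article. It assumes PBKDF2-HMAC-SHA256 with a per-user salt and a fixed iteration count, an RFC 6238 TOTP code as the second factor, and a constructed in-memory user store; the TOTP secret is the RFC 6238 test-vector key.

```python
import hashlib
import hmac
import os
import struct

# Assumption: iteration count chosen to keep offline cracking of a leaked
# database slow; tune it to your own hardware.
PBKDF2_ITERATIONS = 600_000
TOTP_STEP = 30  # seconds per TOTP time step


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: algo$iterations$salt$digest."""
    salt = salt or os.urandom(16)  # per-user salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1, 30-second step)."""
    counter = struct.pack(">Q", unix_time // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept codes from adjacent steps to tolerate clock drift; constant-time compare."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * TOTP_STEP), code)
               for d in range(-window, window + 1))


def login(store: dict, username: str, password: str, code: str, unix_time: int) -> bool:
    """Both factors are always evaluated so a failure does not reveal which one was wrong."""
    record = store.get(username)
    if record is None:
        verify_password(password, hash_password("dummy"))  # same cost for unknown users
        return False
    password_ok = verify_password(password, record["password"])
    code_ok = verify_totp(record["totp_secret"], code, unix_time)
    return password_ok and code_ok


# Constructed sample store: one user; the TOTP secret is the RFC 6238 test-vector key.
RFC6238_SECRET = b"12345678901234567890"
USERS = {"alice": {"password": hash_password("correct horse battery staple"),
                   "totp_secret": RFC6238_SECRET}}
```

A leaked copy of `USERS` yields only salted, iterated digests, and a password alone is useless without the current code.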

Identify and safeguard critical systems or applications used by the company.

You could prevent unauthorized access to critical systems or applications
within your organization by enforcing strict controls such as using a
different authentication method for each, putting in encryption systems or
even data loss prevention facilities, based on their associated risks.

The same goes for setting access used for general purpose applications:
they should be different from access credentials used for critical
applications or privileged accounts.

Additionally, you could implement a separate credential and authentication
policy for applications used internally and externally. The premise is that
if both internal and external applications share the same password, the
company’s systems will be less protected.

Determine which of your systems has the same security features or
requirements.

For applications with the same security requirements, using the same
password may be allowed, as long as the security policies and guidelines
for using them are clearly defined and the control systems are properly set.

To illustrate this, you may set up the same password for applications that
record your employees’ overtime work and absences since both are used as
HR-related systems, and apply common and additional security requirements.

No one could ever overemphasize the need for companies to put all the
proper measures in their IT infrastructure to detect and prevent threats of
data theft. Dropbox just had a wake-up call about this.