8

Does anyone know if there are any good reasons not to allow Dropbox installations on our client PCs? All the PCs have antivirus installed and running. I know it is an additional attack vector for spreading files, but the kind of risk I am specifically worried about is automatic spreading due to synchronization of files.

Can a potential virus on Dropbox spread more easily once the file is in the cloud, as it could potentially be synchronized to our clients and then automatically spread? Are there any security mechanisms to prevent this kind of spreading?

I am not taking into consideration that files may be infected when the user opens them. These kinds of risks are already considered in all the other applications that allow file sharing (email, USB dongles and so on).

The kind of risk I am specifically worried about is automatic spreading due to synchronization of files.

2
  • As long as Dropbox isn't hacked it can be categorized as safe (kinda). But as soon as that happens and you have Dropbox installed on your computer, it's a trojan. What's the first thing the firewall asks when Dropbox is installed? Dropbox on your PC is an actual trojan, just waiting for someone to exploit it.
    – user10956
    Commented Jun 29, 2012 at 15:53
  • 1
    @Filter, I disagree with labeling Dropbox a trojan. Any application with the ability to send/receive data and save data to your computer would be a trojan by that def. Yes, if an attacker got onto Dropbox's servers they could insert malware/viruses onto your computers (though until you manually chose to execute those files or open them in an application with vulnerabilities to those files you wouldn't be at any risk). But you shouldn't store executables on Dropbox. Using Dropbox with, say, plaintext files (or simply encrypted files) and opening them in simple editors presents minimal risk.
    – dr jimbob
    Commented Jun 29, 2012 at 21:11

4 Answers

6

Does anyone know if there are any good reasons not to allow Dropbox installations on our client PCs?

This depends on a number of factors such as your willingness to accept risks, classification (sensitivity) of data you store/process or otherwise manage and for example the potential for increased user productivity.

There have been a number of confidentiality related issues regarding Dropbox such as this, and this and the fact that data is encrypted server-side. There are arguments both for and against the use of Dropbox but it always comes down to your willingness to accept risk and hence compromise on security for the increased convenience.

Can a potential virus on Dropbox spread more easily once the file is in the cloud, as it could potentially be synchronized to our clients and then automatically spread?

Yes, absolutely. Earlier versions of MS Office documents had macros enabled by default and many worms targeted those for spreading (later versions have however significantly improved in this area!).

But a worm/trojan could be specifically written to take advantage of Dropbox file sharing. When executed (for whatever reason) it could scan the computer and look for the Dropbox folder, replace files, rename or by any other means put itself in a place where the user is likely to execute it. It's clearly an excellent way of spreading malware to and from computers and networks.

Are there any security mechanisms to prevent this kind of spreading?

It depends on what you mean by spreading, but I'm assuming you're talking about the execution of a Windows binary on one of your company-managed computers. Then yes, there are several ways of doing that. Using Windows 7 AppLocker you could simply restrict what applications are allowed to execute, or use an application to monitor for "new" executable files and remove them, quarantine them, or take whatever action you deem desirable.

Additionally our good old friend AV will catch whatever old malware lands in the Dropbox folder, assuming reasonable coverage by the product. Know that there are statistics that seem to indicate that the most popular AV-products are the worst, but that even the best ones aren't great either. (Nothing new there really!)

One of the more obvious difficulties with allowing Dropbox is to make clear the separation between company assets and private assets. It's inevitable that users will also use Dropbox on their private computers, hence storing company data on private computers over which you have no control.

However, this again all depends on your willingness to accept risk. The threats are clearly identified and it would be a fairly easy exercise to calculate associated risk for each threat and provide you with a list of quantified risks. There are also technical safeguards you can implement to reduce the likelihood of some risks related to what you were specifically concerned about.

I would argue however that spreading of malware shouldn't be your top priority, instead you should focus on how to keep a clear separation between private and company owned data assets. This is the real headache in using any type of file synchronization product or service between corporate and home computers. There are products that would also address concerns regarding information disclosure but I digress.

Perhaps you are willing to accept these risks in order to avoid the cost of implementing required safeguards?

1
  • SpiderOak advertises itself as "zero-knowledge data backup", and all files are encrypted client-side. It takes a few extra steps to set it up for syncing files in the manner of Dropbox. I believe Windows Live Mesh also encrypts client-side.
    – bgvaughan
    Commented Mar 28, 2012 at 2:46
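One way to implement the "monitor the sync folder for new executable files and quarantine them" control mentioned in the answer above, as an added example that is not part of the original answer: a Python sweep that flags files by final extension (so `invoice.pdf.exe` is caught) and by the PE `MZ` header (so a binary renamed to `photo.jpg` is caught too), moves them out of the sync folder and records a SHA-256 for the ticket. The folder layout, the extension list and the sample files are constructed for the example; a real deployment would point `sweep()` at the user's actual Dropbox folder and run it on a schedule.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# File types Windows runs on double-click (constructed list for this example, not exhaustive).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".hta"}

def is_pe(path):
    """True if the file starts with the 'MZ' header every Windows PE binary carries."""
    try:
        with path.open("rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False

def is_suspicious(path):
    """Flag by final extension (catches report.pdf.exe) or by PE magic (catches a renamed binary)."""
    return path.suffix.lower() in EXEC_EXTS or is_pe(path)

def sweep(sync_dir, quarantine, seen):
    """Move executables new or modified since the last sweep (tracked in `seen`) into `quarantine`;
    returns a list of (original_path, quarantined_path, sha256) for each file moved."""
    quarantine.mkdir(parents=True, exist_ok=True)
    flagged = []
    for p in sync_dir.rglob("*"):
        if not p.is_file():
            continue
        mtime = p.stat().st_mtime_ns
        if seen.get(p) == mtime:
            continue  # unchanged since the last sweep
        seen[p] = mtime
        if is_suspicious(p):
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            dest = quarantine / f"{digest}_{p.name}"
            shutil.move(str(p), str(dest))
            seen.pop(p)  # re-inspect if the sync client drops the file back
            flagged.append((p, dest, digest))
    return flagged

def run_demo():
    """Constructed sample: a clean note plus two disguised executables in a temp 'Dropbox' folder."""
    root = Path(tempfile.mkdtemp())
    sync, quar = root / "Dropbox", root / "Quarantine"
    (sync / "Shared").mkdir(parents=True)
    (sync / "notes.txt").write_text("meeting notes")
    (sync / "Shared" / "invoice.pdf.exe").write_bytes(b"MZ\x90\x00 fake binary")
    (sync / "Shared" / "photo.jpg").write_bytes(b"MZ\x90\x00 not really a jpeg")
    seen = {}
    return {"sync": sync, "quar": quar, "seen": seen, "flagged": sweep(sync, quar, seen)}
```

Running `run_demo()` quarantines the two disguised files and leaves `notes.txt` in place; a second `sweep()` with the same `seen` map returns nothing because no file changed.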
5

With allowing file sharing sites like Dropbox, yeah, absolutely: if you let a user use Dropbox you can almost be assured that their home PC is not going to be as well protected as the enterprise PCs. So all those safeguards you've put in place to minimize the damage, such as content monitoring and filtering, are of little use.

There is a bigger problem though, in the possible exfiltration of proprietary sensitive information. I would be more worried about that than a common virus. If you have users that feel that they need Dropbox, figure out why and stand up a company approved and controlled solution.

0
5

Using Dropbox to share files widely does carry some risks, though it also has benefits, and it is important to keep these in context.

The primary risk is leakage of confidential documents. If users store many confidential documents on Dropbox, and access them from many machines, then you could have many copies of those confidential documents floating around (e.g., on users' home machines, which are probably less secured). There's also the risk that if users choose a poor Dropbox password, this may enable someone else to get access to their Dropbox files and steal confidential data. Therefore, widespread use of file-transport software like Dropbox creates increased challenge for control of confidential data. However, these risks can most likely be managed by policy: e.g., setting policy forbidding users from putting highly confidential data/documents in Dropbox.

You asked about a different risk: a risk that users' work machines get infected by a virus carried in one of the files stored in their Dropbox account. Personally, I wouldn't worry about this; I don't think it is a significant risk. Assuming you have anti-virus software installed on all your work machines, the AV software should catch any virus found in files that users access, even if they got those files through Dropbox. Therefore, I wouldn't worry about this one.

There are risks with banning Dropbox. One risk is the loss of productivity. Another risk is the loss of respect for your IT department, if the policy doesn't seem well-grounded; the more your IT department gets a reputation for being over-controlling and mindlessly banning technology, the less likely it is that users will be cooperative with IT security policy, and the more likely that users will look for ways to circumvent policies. This could cause more harm overall than any reduction in risk from banning Dropbox. I think many people get frustrated when their IT departments act irrationally and try to avoid all risks, when they should be approaching it from a risk management perspective. You'll have to assess whether banning Dropbox is truly justified in your organization, and the true level of risk from Dropbox, and the security posture and degree of risk tolerance appropriate to your organization.

I also want to second @M15K's parting advice. If you feel that Dropbox is an unacceptable risk to your organization, then @M15K's advice is excellent: "If you have users that feel that they need Dropbox, figure out why and stand up a company approved and controlled solution."

1
  • 1
    +1 for the department respect part. Too many times I've seen questionable policies enforced that did more harm than good and just ended up pissing people off.
    – Safado
    Commented Aug 12, 2011 at 22:10
0

File-sharing cloud-based "consumer" solutions like Dropbox are not meant for businesses or corporations. Microsoft said it best with SkyDrive when they came out and said that these types of products are not, and should not be, used for business purposes.

There are thousands of reasons why not that outweigh the reasons why one should.

Biggest LEGAL reason outside of the security risks (and the Terms of Use, which specify that 3rd parties can have access to confidential files, hence nothing confidential should ever be stored on such a consumer-based service... EVER...) is the fact that with a service such as Dropbox, well. Let me ask this... Where are those files stored? Where are those servers located? You can rest assured, with the lowest bidder, call in something called Data Export Rules and Laws... Should you have a single tiny file the "United States Government may deem as a risk or potential risk to U.S. security" (could be something as small as an electrical layout of a public gathering place, school, gym, passwords or a username to something like a Cisco account where you can download export-restricted software, etc.) up to classified documents, you are in violation of that law. You go to jail, you do not pass go... I believe now that is handled by the FTC and Homeland Security...

The DB terms of use specify (basically) that if it's installed on a business PC (Dropbox assumes that person, because the person installing it on the business PC guarantees they are by clicking through the TOU) that the "authorized" individual is doing so FOR THE ENTIRE COMPANY... Period... (First section in Dropbox.com/terms)

What stops me from using this outside of my server and work environment is simply ethics... You have a consumer product like SkyDrive that in big letters says "No Business... Don't!" because they do not want to risk customers' data on a business level because they KNOW it is a risk! And then flippin' Dropbox, who uses legal words in their contracts such as the word "stuff", who patty-cakes the entire "security thing" and acts like it's no big deal (would you want to lose profit and shares that valuable? Probably not...)...

It is a big deal... The more security groups beg you and I to follow simple practices, the more big companies like Dropbox come out and, for money... for profit, act like it's no big deal...

What if your business stored a tiny piece of a single credit card number and a name and expiration date? Now say the PC the Dropbox client was installed upon was, uhmm, "gotten into..." through a Dropbox security breach... Following me? Visa/Amex etc., the ginormous bank companies WITH government support (because Payment Card Industry (PCI) Standards say so... that's who...) WILL fine you... get this... you may want to sit down... a staggering $500,000.00 PER INCIDENT... It is enough to put a small or medium business out of the business they are in...

The ONLY way to get around it is to locally encrypt that data using a PCI-certified encryption product BEFORE it goes to Dropbox, purchasing licensing for all your remote devices, downloading the file you need, and decrypting it before you can use it... (Nope, don't sound like it ain't no fun at all...) (Or encrypting data on your server's network and clients at the gateway...)

With all that, for less than $20 a user (about $11 for the basic one) you can get an Office 365 E-series plan that IS HIPAA, SOX, ISO, and PCI certified... (Dropbox, hidden in their pages, clearly states "at this time" they are not...)

So ask yourself, albeit in your mind small... Is it actually worth the risk? And DO you want to do business with a company who, I think, steps lightly or makes light of the risks associated with using their product...

Is it worth the risk to your career if you are in technology and you do get breached and you DID allow Dropbox? DO you think you are employable after your name is beside a breach and you make the news? As a CTO, I can promise you, not on my life would I even hear the excuse behind it... I would never even interview anyone in technology who by their own actions or decisions caused a breach of data on any sized network... Yes, we all make mistakes, which is why your job in IT is to eliminate any risk, big or small, as best you can... Not open up the worm hole and scream for Alice... It is a disaster for PR... for a business (if a competitor found out and leaked who you are... (gasp) what you did...) and an increased liability to hire someone because they allowed a file sharing service who publicly acknowledged and stated they were not PCI, SOX, ISO, HIPAA, or PCI certified.

Well... That's for you to decide... Is it worth a career? Is it worth the loss of your company or customer data?

For me... It is not... Consumers use consumer products, not businesses... Period.

1
  • "Payment Card Industry (PCI) Standards says so" - why would you even want to handle payment card data? That is the job of banks and other specialized payment operators! IMO most companies should not even think about handling this sensitive information themselves. If they do, it should be on isolated computers, such that file sharing software can be installed on other computers without any risk to payment data.
    – curiousguy
    Commented Mar 29, 2013 at 21:42
