Cloud File Sync & Sharing: Risks and Solutions (Part 3)

This blog post is the third in a series on the data risks and solutions available for file sync and sharing services.

In the first two posts in this series, we focused on some of the risks and basic concepts for file sync and sharing services.  In this post, we focus on ways to mitigate risks.

Provide Employees with an Approved File Sharing Service. As we have noted in our prior posts, if you do not provide an approved service, employees will sign up for and use one of their own.  The difference?  With an approved service, you have access to your employees’ data and clear ownership of the information.  You can also monitor and manage for adoption, usage, and (if desired) adherence to policies.

Have a Clear Policy. Let employees know that personal and company data and systems are to remain separate, and why.  Provide a list of approved file sharing and sync services, as well as a clear and concise statement of which other services may not be used (i.e., all others) and why.  The policy should include consequences for violations, along with a means for approved exceptions.

Block or Blacklist Unauthorized Tools. For many organizations without decent web filtering services in place, this recommendation will be difficult to implement.

Audit Workstations for Unauthorized Use.  Beyond application monitoring, when you scan workstations for application inventories, look to see if sync service agents have been installed.

With a moderate planning effort and reasonable monitoring and enforcement efforts, businesses can take advantage of the conveniences that file sharing and sync services offer, without exposing data to unnecessary risk and loss.

 

Cloud Backup: Small Businesses Hesitate at their Own Peril

According to a recent survey of IT service firms conducted by The 2112 Group, small and mid-size businesses (SMBs with up to 250 employees) do not respond to most cloud backup marketing efforts.  The lack of interest appears to be due to underlying concerns about data security, bandwidth, availability, and recurring costs.

Not surprisingly, SMBs become interested in cloud backup after a data loss or downtime. Having experienced disruption or loss, SMBs better understand the cost of a failed recovery compared with the cost of adequate protection.

Businesses that move to cloud backup cited their primary motivations as:

  • Improved data protection and business continuity (34%)
  • Better overall IT reliability (20%)
  • Reduced IT costs (16%)

The challenge for us, as a cloud solutions provider, is to meet our customers’ objectives while addressing issues of security, bandwidth, availability, and cost.

The challenge for SMBs, as our customers or prospective customers, is to recognize the value of cloud-based backup before a crisis, and to understand that by offering a range of solutions, we can ensure data integrity while keeping costs in line.

 

Is Your E-Waste Part of the Solution?

According to a recent report by “Solving the E-Waste Problem (StEP) Initiative”, a coalition of United Nations agencies, governments, non-profits, and science organizations, the amount of e-waste generated will increase by a third in just the next five years.

And, unfortunately, much of the e-waste ends up in poor countries, polluting water and food supplies and contaminating poor workers that strip the waste for precious metals without protection from the hazardous chemicals and materials.  If your e-waste is being picked up for free, chances are it’s being dumped.

Your e-waste, however, can be part of the solution if you work only with certified e-waste recyclers and handlers.  Look for the e-Stewards and R2 certifications, along with ISO 14001 credentials.

For our customers in the New York metro area, we partner with The 4th Bin for responsible e-waste recycling.  Not in the area?  Contact The 4th Bin; they will help you find an e-Steward certified e-waste processor near you.

 

 

The 5 Most Trusted & Banned 3rd Party Apps for Google Apps Domains

One of the benefits of Google Apps is the ability to integrate third-party applications.  One of the risks when using Google Apps is that some third-party applications may request access to information and privileges that you do not want them to have.

In addition to letting you identify, approve, and block third-party application access to Google Apps data, CloudLock Apps Firewall provides a trust rating.  The Trust Rating lets you know what percentage of Apps Firewall users allow or ban each application.

Here are the top five Trusted applications:

  • Google Drive
  • www.google.com
  • Picasa
  • Google Chrome
  • Android Calendar

Here are the top five Banned applications:

  • Mailbox
  • Dropbox
  • 8 Ball Pool
  • Angry Birds
  • Chrysalis Animation

 

CIOReview names Cumulus Global a Top 20 Education Tech Solution Provider

Annual list showcases the 20 most promising education technology solution providers.

 

Boston, MA, December 13, 2013 – CIO Review (www.cioreview.com) has selected Cumulus Global (www.cumulusglobal.com) as one of CIOReview’s 20 Most Promising Education Tech Solution Providers.  The annual list, published in CIOReview’s December issue, identifies solution providers offering innovative, value-add solutions to the education market.  CIOReview’s selection panel and editorial board selected Cumulus Global after reviewing the company’s growing portfolio of cloud-based solutions for K-12 and higher education, as well as Cumulus Global’s track record of success.

“Cumulus Global is helping transform the in-classroom learning process,” stated Harvi Sachar, Publisher & Founder of CIO Review. “Beyond helping schools move to Google Apps for Education and deploying Chromebooks in the classroom, Cumulus Global delivers the professional development and consulting services necessary to use the technology in a transformative way.”

Cumulus Global assists schools and districts with both educational and administrative computing initiatives.  The company’s services extend beyond the technology to include policy and administrative guidance for Google Apps for Education deployments, staff development, and 1:1 programs.  Examples of these services include: the company’s Google Guides program, which creates a peer-to-peer support team within the school, and 1:1 program policy guidance, asset planning, and financing services.

“We are honored that CIOReview recognizes our work with schools, nationally, as innovative and forward thinking,” noted Allen Falcon, CEO of Cumulus Global.  “We continue to learn from schools about how they want to improve the learning process and outcomes.  We will continue to find and deliver solutions that enable success.”

Cumulus Global is a Google Apps Premier SMB Reseller and an authorized reseller for Google Apps Vault and Chromebooks for Education.

About CIO Review
CIO Review (www.cioreview.com) constantly endeavors to identify “The Best” in a variety of areas important to tech business. Through nominations and consultations with industry leaders, our editors choose the best in different domains. Top 20 CIOReview Education Tech Solution Provider is a listing of 20 Most Promising Education solutions companies in the U.S.

 

How to Spot Phishing Emails

“Phishing” is the process through which criminals attempt to steal from you by getting you to respond to an email that appears to be legitimate.  Here is what to look for to avoid the trap.

URL Mismatch: Hover the mouse over any URLs in the email message and see if the destination URL matches what is in the message.  If not, you have a mismatch and you won’t land where you expect.

Misleading Domain Name:  If the link has an awkward domain name that does not end in a domain you know and trust, be afraid.  Scam artists will use domains like apple.otherdomain.com, hoping you think the link is related to Apple.

Poor Spelling or Grammar:  Companies that send emails to customers proofread them for proper English.  While mistakes happen, if the message reads “we please to lower your car payment”, it is likely trash.

Asks for Personal Information:  If any message — from your bank or your best friend — is asking for personal information like account numbers, credit card numbers, or the answers to your security questions, you are being phished.  Banks and companies you deal with already have this information, there is no need to ask.

Seems Too Good to Be True:  If it seems too good to be true, it probably is.  Enough said.

You Did Not Initiate the Action:  If the email tells you that you won a contest you did not enter, or is responding to a call that you did not make, hit the delete button.  Most of these scams will ask for money to pay for award fees or taxes on a prize you did not win.

Wild Threats:  Banks, and even companies trying to collect past due accounts, will not make threats with unrealistic or wild consequences if you do not respond in a certain way. Legitimate collection notices will ask for payment or for you to contact them; they will not ask for account or personal information and threaten to seize assets or contact the police if you fail to respond to the email.  Legitimate companies will also provide a means to call.

Email from The Government:  In the US, the IRS, FBI, and other agencies do not initiate communications via email; they will send you a letter (or a subpoena if it’s really serious).  Be extra suspicious if the message contains a threat or dire consequence.

Not Quite Right:  If the message does not look right — if your gut is suspicious — you are probably right.  Delete the message.
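The two link-based signs above (a visible URL that does not match the real destination, and a look-alike host such as apple.otherdomain.com) can be checked mechanically before a user ever clicks. The script below is an added example, not part of the original post; the brand-to-domain table, the sample email body and the two-label "registrable domain" rule are constructed for illustration (a production check would use the Public Suffix List).

```python
"""Flag links in an HTML email that show the phishing signs described above."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: brands this organisation deals with and their real domains.
TRUSTED_DOMAINS = {"apple": "apple.com", "paypal": "paypal.com"}


def registrable_domain(host):
    """Last two labels of a host (constructed heuristic); IP literals are kept whole."""
    host = host.lower().rstrip(".")
    parts = host.split(".")
    if all(p.isdigit() for p in parts) or len(parts) < 2:
        return host
    return ".".join(parts[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href, text):
    """Return the reasons a link looks suspicious (empty list if it looks clean)."""
    host = (urlparse(href).hostname or "").lower()
    target = registrable_domain(host)
    reasons = []
    # URL mismatch: the visible text is itself a URL, but points somewhere else.
    if text.lower().startswith(("http://", "https://", "www.")):
        shown_url = text if "://" in text else "http://" + text
        shown = registrable_domain(urlparse(shown_url).hostname or "")
        if shown != target:
            reasons.append(f"URL mismatch: shows {shown}, goes to {target}")
    # Misleading domain: a trusted brand name appears in the host, but the
    # registrable domain is not that brand's real domain (apple.otherdomain.com).
    for brand, real in TRUSTED_DOMAINS.items():
        if brand in host and target != real:
            reasons.append(f"misleading domain: {host} is not {real}")
    return reasons


def scan_email_html(html):
    """Map each suspicious href in an HTML email body to its list of reasons."""
    collector = LinkCollector()
    collector.feed(html)
    findings = {}
    for href, text in collector.links:
        reasons = check_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample email: one honest link followed by two phishing-style links.
SAMPLE_EMAIL = """<p>Your account needs attention.</p>
<a href="https://www.apple.com/support">https://www.apple.com/support</a>
<a href="http://apple.otherdomain.com/login">Verify your Apple ID</a>
<a href="http://198.51.100.7/paypal">https://www.paypal.com/signin</a>"""

if __name__ == "__main__":
    for href, reasons in scan_email_html(SAMPLE_EMAIL).items():
        print(href, "->", "; ".join(reasons))
```

Run against a real mailbox, the same check would sit in a mail-filtering step or a user-reported-phish triage script rather than on the desktop.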

 

Microsoft Acknowledges Security Best Practice Failures


It was an easy post to miss in the run up to the Thanksgiving holiday.  On November 25, we posted the results of an Electronic Frontier Foundation (EFF) survey detailing how Microsoft fails to meet 4 out of 5 security best practices for its cloud service data centers and its customers’ data (Google and Dropbox were the only vendors surveyed that meet all 5 criteria).

This week, Microsoft acknowledged that not all customer data is encrypted in their data centers — at rest, or in transit within and between data centers.  In a ZDNet article dated December 5th, Chris Dunkett reports that Microsoft will not fully protect stored user data until the end of 2014.

The article also quotes Brad Smith, Microsoft general counsel and executive vice president, legal and corporate affairs, stating that Microsoft will work “…with other companies across the industry to ensure that data traveling between services — from one email provider to another, for instance — is protected.”  Microsoft is acknowledging that they currently do not run STARTTLS services, an industry security best practice.

Microsoft actively positions itself as the “enterprise knowledgeable” competitor to a “consumer-centric” Google, pointing out how it runs its own large data centers. Once again, however, Microsoft fails to realize that the methods and practices used to run its own data centers do not translate to multi-tenant data centers hosting customer data.

 

Why Security is About Humans, Not Technology


This warning and advice was posted this week by our local police department.  While this scam is targeting people at home, this type of scam could easily impact employees with laptops and could target workers at the office.  The scam depends on anticipated human behaviors; education and training of your team is the best defense.

The Westborough Police Department has received complaints by residents who received calls from someone claiming to be with Microsoft tech support and that the company detected a virus on the victim’s computer. The caller indicated he could help the resident remove the virus if he was allowed remote access to the computer. To ensure that no one falls prey to this scam, we would like to provide the following information from the Center for Internet Security at www.CISecurity.org.

The Threat: An individual, claiming to work for a well-known software, technology, or research company cold calls victims at random in an attempt to convince them that their computer is at risk of attack or infected with viruses, and that only the caller can remediate the problem. Victims who comply with the caller’s requests are highly likely to compromise their computer systems, as well as experience monetary loss. Victims may receive the calls at work or home, and on mobile telephones or landlines.

While there are variations of the scam, most follow a similar script.

  • Introduction: A caller claims to work on behalf of a well-known software, technology, or research company and informs the victim that their computer is sending out error messages, attacking another computer, or exhibiting behaviors indicative of viruses. The caller claims that only they can repair the problem for the victim or that the problem can be fixed with a software upgrade.
  • Gaining Trust: The caller will attempt to gain the victim’s trust. The caller may do so by instructing the victim to access the Windows Event Viewer, which displays standard messages about the computer’s operations, including general warning and error messages that are normal for the computer. The caller states these warnings and error messages are proof of malicious activity. The caller may use technical terms to confuse the victim or gain credibility. Callers are often forceful and attempt to create a sense of fear or urgency.
  • “Fixing” the Problem: The caller will offer to fix the problem by installing an update, or requesting remote access to the victim’s computer. The “updates” and remote access programs are actually malware.
  • Charging for Services: The caller may request the victim’s credit card information, or direct the victim to a website to enter their credit card number and personal information, in order to charge the victim for services rendered or for the software package provided.

In most cases, the main motive for conducting this scam is monetary gain, which could be achieved through two possible means:

  • Financial fraud: The caller may request monetary reimbursement for services rendered or for the software installation. If the victim provides credit card or financial information, the caller can charge the incorrect amount or make additional unauthorized charges.
  • Malware: It is highly likely malware will be installed if the victim provides the caller with remote access to the computer or installs unknown programs. Malware can be used to collect sensitive information such as usernames and passwords, which could lead to compromised financial institution accounts or additional malware being installed.

Individuals receiving a call that matches the description of any of these tech support scam calls, or those who previously participated in a similar call, should be aware of several security guidelines.

If you receive a call:

  • Do not rely on caller identification (Caller ID) to authenticate a caller. Criminals can spoof phone numbers so they appear to be coming from another location or entity.
  • Never provide passwords or bank account information over the phone; legitimate organizations will never call and ask for a password.
  • Be aware that software updates do not require the computer monitor to be off; legitimate organizations will never request the computer monitor be turned off during an update and will not call home users to notify them about an update.

If you receive an unsolicited phone call from a technology company, hang up and report the incident to your local police department and/or your Information Technology (IT) team.

If you previously received a call:

  • If you provided password information, change the password for that account. Never use the same password for multiple accounts.
  • Use a credible antivirus program, and enable automatic installation of software patches. If malware may have been downloaded, run an anti-virus scan on the computer.
  • If you provided credit card information and the caller charged the account, call the credit card provider and request to reverse those charges. Check financial statements for other unauthorized charges.

Courtesy of the Grafton, MA and Westborough, MA Police Departments

Google Groups & Calendars Get Dynamic

Within Google Apps for Business, Education, and Government, Google Groups delivers much more than secure, managed distribution lists.  Groups can be used for threaded discussions, shared inboxes, and work flow collaboration.  Groups also provide an easy mechanism for sharing documents stored in Drive.

Now, Groups makes scheduling Calendar events easier.  When inviting a group to a meeting, the attendee list updates automatically as people join and leave the group.

When joining a Google Group, people are automatically added to existing meetings; when leaving a group, people are automatically removed.

While this change only applies to calendar events created after the feature rolls out, you can adjust previously scheduled meetings by re-inviting the group.  Automatic attendee changes work for events with up to 200 attendees.

 

Cloud File Sync & Sharing: Risks and Solutions (Part 2)

This blog post is the second in a series on the data risks and solutions available for file sync and sharing services.

Your employees are using file sharing services. Ignoring reality or denying its existence will not change the fact that today’s tech users want to easily share files, and that they will circumvent IT if needed.

Understand the Technology.  Many organizations are using file sync services to share and back up files.  A poor understanding of how file sync services work, however, can result in data corruption and loss.

Sync Basics. Most sync services keep a copy of your files on your local machine and in cloud storage, with synchronization happening for files saved in specific directories on your local machine.  In other words, you open and work on files locally.  When you save them in a sync folder (or folder tree), the file will be synchronized with the version in the cloud.  Files may also be used and saved using more traditional upload and download techniques. If you share a file with another person, they will download, or sync, a copy of the file to their local desktop.  This means that if you both are editing a document at the same time, you are both working locally on different copies of the file.  While some sync services offer basic file locking, most will allow the conflict to occur.  Data may be easily lost as each person syncs and overwrites the changes of the other. Better sync services offer multiple levels of permissions, allowing you to restrict access to view versus edit.  Some services will also prevent downloading and printing.

Sync versus Backup. File sync is NOT backup.  If you overwrite or delete a file, those changes are synced to the server and to other users.  While some sync services offer version control with a limited ability to retrieve prior versions, most sync services quickly propagate errors and deletions. As such, sync is not a reliable technology for data restores.

When to Sync? Sync and sharing services can be part of a robust business continuity strategy. With near-real time updates, a local or remote service outage does not mean loss of access to files, or loss of operating data. Sync and sharing services are also useful for sharing files with outside parties, provided your users understand the limitations of the service. If you allow the use of sync and share services, however, make sure your team is using a company-owned and managed account and a business grade service.  We will discuss why this is so critical in our next installment.
