Archive for the ‘Security’ Category

Continuously Improving FileCloud – 21.3.6 Release

FileCloud’s Commitment

FileCloud’s mission is “to build a hyper-secure content collaboration and processes platform that customers love to use.”

Part of making software that customers love is investing in quality assessment and continuous improvement. It’s a cohesive and collaborative process, roping in engineering, QA, sales, marketing, and leadership teams.

We also depend on our clients and users, who provide amazing feedback not only on opportunities for improvement but also desired features and functionalities.

These elements of the software journey are captured in our stated values:

  • Be Customer Centric – Without our customers, FileCloud wouldn’t exist. That’s why they’re always our top priority.
  • Get Work Done – We achieve great results through our resourcefulness, hard work, and drive for perfection.
  • Innovate with Global Mindset – We have a vibrant mix of cultures and ideas that constantly encourage growth and innovation.

Release Details

There are a few exciting developments in the pipeline for our upcoming 22.1 release, including highly requested functionalities.

In the meantime, FileCloud has been putting in a lot of work behind the scenes to harden security and functionality across the server, Sync and Drive clients, and ServerSync.

The 21.3.6 release in July included many improvements for the FileCloud server, including streamlining recycle bin deletion, optimizing processing by cutting out feedback loops, removing visibility on password entries, and ensuring the functionality of user workflows.

The Sync and Drive apps have also been improved. Issues with login and password processes in FileCloud Sync were resolved, and the centralized configuration option for selective sync was reinforced. In the Drive app, the file locking function was optimized.

You can review all the improvements we’ve made by visiting the 21.3.6 Release Notes.


Enable FIPS Encryption in FileCloud


FileCloud officially supports FIPS mode with CentOS 7.x version. This post explains how to enable FIPS encryption in your FileCloud installation.

Important Note – 

Please make sure you have the FIPS component enabled in your FileCloud license. If you do not have the component, please contact our sales team at sales@filecloud.com for further help in adding the component to your license.

Step 1: Enable Dracut Modules

To enable FIPS encryption, you must first enable the Dracut FIPS modules in CentOS; these can be installed, and the initramfs rebuilt, by running the commands below:

yum install dracut-fips
yum install dracut-fips-aesni
dracut -v -f

It should yield the following results:

[Screenshot: enable dracut modules in CentOS]

Step 2: Add the FIPS flag to the Grub Configuration

Once the Dracut module is configured, the next step is to add the FIPS flag to the grub configuration. To make the necessary change, edit /etc/default/grub and add fips=1 to GRUB_CMDLINE_LINUX:

GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet fips=1"

# If /boot is on a separate partition, also add boot=UUID=<uuid>, using the blkid of the boot partition:
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet fips=1 boot=UUID=34c96d6b-a43c-fec3-a2a6-e6593c977550"

Step 3: Regenerate the Grub Configuration

After modifying the grub configuration, we will need to regenerate the grub configuration using the below command:

grub2-mkconfig -o /etc/grub2.cfg

If prelinking is installed on the server, you must first disable it by editing /etc/sysconfig/prelink and setting PRELINKING=no.

Step 4: Reboot the Server

After the above changes are made, reboot the server and check /proc/sys/crypto/fips_enabled; a value of 1 confirms that FIPS mode is enabled.

[root@cnfc ~]# cat /proc/sys/crypto/fips_enabled
1

Step 5: Install FileCloud

The next step is to install FileCloud.

yum install wget
wget http://patch.codelathe.com/tonidocloud/live/installer/filecloud-liu.sh && bash filecloud-liu.sh

Install FileCloud with the above script and configure the components required depending on your use case. Once completed, your FileCloud server will run under the FIPS mode.
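Before installing FileCloud, it is worth verifying that the host-level work from Steps 2 through 4 actually took effect, and re-running that verification after any later kernel or grub change. The following script is an added example, not FileCloud's own tooling: it checks the kernel's fips_enabled flag, the fips=1 entry in GRUB_CMDLINE_LINUX, the boot=UUID= entry when /boot is a separate mount, and the PRELINKING setting. The file paths are parameters (defaulting to the real locations) so the function can also be exercised against constructed files; the package check (rpm -q dracut-fips) is left to the operator.

```shell
#!/bin/sh
# Added example (not FileCloud's own code): verify the FIPS prerequisites from
# Steps 2-4 on a CentOS 7 host. Usage on a real host after the reboot:
#   . ./fips_check.sh && check_fips_state
# Paths are parameters so the checks can be run against constructed files.

# check_fips_state [PROC_FILE] [GRUB_DEFAULTS] [PRELINK_CONF] [MOUNTS_FILE]
# Prints one line per check and returns 0 only if every check passes.
check_fips_state() {
    proc_file="${1:-/proc/sys/crypto/fips_enabled}"
    grub_defaults="${2:-/etc/default/grub}"
    prelink_conf="${3:-/etc/sysconfig/prelink}"
    mounts_file="${4:-/proc/mounts}"
    failures=0

    # Step 4: the running kernel must report FIPS mode as active.
    if [ -r "$proc_file" ] && [ "$(cat "$proc_file")" = "1" ]; then
        echo "ok: kernel reports fips_enabled=1"
    else
        echo "FAIL: $proc_file missing or not 1 (kernel not in FIPS mode)"
        failures=$((failures + 1))
    fi

    # Step 2: fips=1 must be inside GRUB_CMDLINE_LINUX (not a commented line).
    if grep -E '^GRUB_CMDLINE_LINUX=.*[ "]fips=1[ "]' "$grub_defaults" >/dev/null 2>&1; then
        echo "ok: fips=1 set in GRUB_CMDLINE_LINUX"
    else
        echo "FAIL: fips=1 not found in GRUB_CMDLINE_LINUX in $grub_defaults"
        failures=$((failures + 1))
    fi

    # Step 2 caveat: a separate /boot partition additionally needs boot=UUID=.
    if grep -E '^[^ ]+ /boot ' "$mounts_file" >/dev/null 2>&1; then
        if grep -E '^GRUB_CMDLINE_LINUX=.*[ "]boot=UUID=' "$grub_defaults" >/dev/null 2>&1; then
            echo "ok: separate /boot and boot=UUID= present"
        else
            echo "FAIL: /boot is a separate partition but boot=UUID= is missing"
            failures=$((failures + 1))
        fi
    else
        echo "ok: /boot is not a separate mount, boot= not required"
    fi

    # Step 3 note: if prelink is present its config must disable prelinking.
    if [ -f "$prelink_conf" ]; then
        if grep -E '^PRELINKING=no' "$prelink_conf" >/dev/null; then
            echo "ok: prelinking disabled"
        else
            echo "FAIL: PRELINKING is not set to no in $prelink_conf"
            failures=$((failures + 1))
        fi
    else
        echo "ok: prelink config absent (prelink not installed)"
    fi

    [ "$failures" -eq 0 ]
}
```

A non-zero exit from the function is the signal to fix the configuration and reboot again before proceeding to the FileCloud install; the FAIL lines name the file that needs attention.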

Alternative Options

You can also download and install a FIPS-enabled OpenSSL.
NOTE: This is only needed if SafeLogic modules are required. Once FIPS mode is enabled, CentOS installs FIPS-enabled packages by default.

yum install unzip
wget http://patch.codelathe.com/tonidocloud/live/3rdparty/fipsopenssl/fipsopenssl.zip
unzip -q fipsopenssl.zip -d /root/fipsopenssl
rpm -Uvh --nodeps /root/fipsopenssl/*.rpm

We also recommend enabling strong ciphers and TLS 1.2/TLS 1.3 in your Apache SSL configuration:

#SSLProtocol all -SSLv2 -SSLv3
SSLProtocol -all +TLSv1.2 +TLSv1.3
#SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
#SSLCipherSuite HIGH:!aNULL:!MD5
SSLCipherSuite HIGH:!MEDIUM:!LOW:!EXP:!aNULL:!MD5:!EXPORT:!eNULL:!kECDH:!aDH:!RC4:!3DES:!CAMELLIA:!PSK:!SRP:!KRB5:@STRENGTH
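A configuration file that still carries the commented-out legacy lines above is easy to get wrong when edited by hand. The following shell function is an added example, not part of the original post or of FileCloud's product: it reads an Apache SSL configuration file and flags an active SSLProtocol line that does not start from -all or re-enables TLS 1.0/1.1, and an SSLCipherSuite line that does not exclude RC4, 3DES, MD5, export, or anonymous suites. The config path is a parameter; the standard mod_ssl path on CentOS is assumed in the usage comment.

```shell
#!/bin/sh
# Added example (not FileCloud's own code): lint an Apache SSL config against
# the TLS 1.2/1.3 and strong-cipher recommendation above.
# Usage on a host (path assumed for a stock mod_ssl install):
#   . ./tls_lint.sh && lint_apache_tls /etc/httpd/conf.d/ssl.conf

# lint_apache_tls CONFIG_FILE
# Prints findings; returns 0 when the active directives meet the recommendation.
lint_apache_tls() {
    conf="$1"
    problems=0

    # Last active (uncommented) SSLProtocol directive wins, as in Apache.
    protocol=$(grep -E '^[[:space:]]*SSLProtocol[[:space:]]' "$conf" | tail -n 1)
    if [ -z "$protocol" ]; then
        echo "FAIL: no active SSLProtocol directive"
        problems=$((problems + 1))
    else
        # The safe pattern is deny-all then allow-list: "-all +TLSv1.2 +TLSv1.3".
        case "$protocol" in
            *-all*) ;;
            *) echo "FAIL: SSLProtocol should start from -all: $protocol"
               problems=$((problems + 1)) ;;
        esac
        for legacy in TLSv1 TLSv1.1 SSLv3 SSLv2; do
            # "+TLSv1" followed by space or end of line; "+TLSv1.2" does not match.
            if printf '%s\n' "$protocol" | grep -E "\+$legacy( |$)" >/dev/null; then
                echo "FAIL: legacy protocol explicitly enabled: $legacy"
                problems=$((problems + 1))
            fi
        done
    fi

    # Cipher list: every weak family the recommendation excludes must be negated.
    ciphers=$(grep -E '^[[:space:]]*SSLCipherSuite[[:space:]]' "$conf" | tail -n 1)
    if [ -z "$ciphers" ]; then
        echo "FAIL: no active SSLCipherSuite directive"
        problems=$((problems + 1))
    else
        for weak in RC4 3DES MD5 EXP aNULL eNULL; do
            case "$ciphers" in
                *"!$weak"*) ;;
                *) echo "FAIL: cipher list does not exclude $weak"
                   problems=$((problems + 1)) ;;
            esac
        done
    fi

    [ "$problems" -eq 0 ]
}
```

The check is textual and deliberately conservative: it only reads the directives as written and does not resolve the cipher string through the OpenSSL library, so a passing result should still be confirmed with openssl ciphers -v against the same string on the server.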

Conclusion

For greater security and governance over your data, FileCloud supports FIPS encryption. With this step-by-step process, you can now enable FIPS on your own FileCloud installation (provided it is available with your license). For additional support or clarification, please get in touch with our support team at support@filecloud.com.


Article written by Nandakumar Chitra Suresh


The Security Risks of File Sharing & Cloud Storage (with a solution!)

What is File Sharing and Cloud Storage?

File sharing and cloud storage are ways of storing and sharing files online that many companies and organizations are using. Some organizations have migrated entirely to the cloud. However, there still seems to be some confusion as to what the cloud actually is.

Essentially, the cloud is a digital space online where companies can store data, instead of on a company hard drive.

Why Are So Many Companies Using the Cloud?

Many companies and organizations are turning to the cloud because it is easier to use. In effect, all files and data are stored online and can be accessed by any device with an internet connection. In addition, in a world where huge numbers of people are working remotely and in different offices, cloud storage and sharing allows users to share files easily between themselves and clients.

What Are the Data Security Risks of File Sharing and Cloud Storage?

The cloud sounds great, right? And it can be, but there are risks involved in storing and sharing files via the cloud, which can lead to data leaks, loss of time, and even financial penalties. There are many reasons that companies use cloud technology, but some of those exact reasons can pose security risks if you’re not using a hyper-secure cloud storage and sharing system.


Those risks include:

Employees Using Their Own Devices/Non-Secured Devices

One of the benefits of storing files in the cloud is that users can access those files anywhere they have an internet connection, on any device. However, this can also be a security risk. Employees using company computers is one thing, but policies like BYOD (bring your own device) often result in employees using personal laptops or cell phones. Security is often not up to date on these devices, and if they are hacked, lost, or stolen, that could lead to a data breach for your company. It’s best to look for a system that has a robust device management dashboard, along with the option for admins to remove devices from the system at any point.

One Size Fits All Sharing

Sharing permissions are a vital part of using cloud tech. After all, you don’t want just anyone having access to your data, right? If you pick a system that doesn’t offer advanced sharing permissions and simply sends all shares publicly, you could be in trouble. You’ll want to look for a cloud storage and sharing system that has advanced and customizable sharing permissions.

Unrestricted Sharing

Data leak prevention (or DLP) is a necessary part of any cloud system that stores and shares data. Essentially, DLP stops leaks before they happen (whether from malicious or accidental user error). A system without DLP in place can cost you time and money, especially where compliance regulations are in place. Look for Smart DLP that is flexible and rule driven, with admins having complete control.

No Centralized Fail-Safe for Document Retention

Retention policies are a way of managing data, like having restrictions on data being deleted in the case of HIPAA, or restrictions on files being deleted in case of a lawsuit. These regulations are increasingly needed in a world where compliance regulations are being added and updated yearly. Regulations like GDPR, ITAR, and HIPAA have strict requirements for data security, safety, and storage. A cloud system without a top-notch retention policy system likely won’t comply with expanding regulations and could lead to a huge loss of money, and even the ability to operate. Finding a cloud storage system that also has robust retention policies is vital.

Lack of Audit Logs

Audit logs are the best way to know who is using your system when, and how. This can help keep data secure and compliant, but many cloud systems, especially consumer-grade solutions, won’t have these audit logs available. Ideally, you want the ability to have a complete audit of the whole system with easily-downloadable logs for audit and regulatory overview.

How FileCloud’s Hyper-Secure System Helps Companies Avoid Risks

FileCloud is a hyper-secure cloud storage and file sharing system that was created to help companies avoid risk, keep data secure and compliant, while making files easy to share.

It has all the necessary features we talked about above, in addition to other amazing tools like workflow automation, a compliance center, and advanced security.

To learn more about FileCloud, take our quick tour here.

Cloud Computing for Banks

Cloud Computing Tailored for Banks

We are living during times when adoption of technological solutions is skyrocketing. Emergency situations, such as living and working during the COVID pandemic, require increasing the efficiency of systems to enable remote work on a much larger scale. Migration to the cloud, as part of the overall adoption of tech in various industries, is a global trend that is getting stronger every year.

Banks are also taking part in this trend. For banks, the cloud yields not only tangible financial benefits, but also an opportunity for technological development and practical use of opportunities offered by the market in the form of blockchain technology, artificial intelligence, or chatbots. Thanks to the availability of cloud solutions, banks are able to adapt to trends that can be observed in the booming fintech area. Thanks to the virtually unlimited possibilities of building partner ecosystems and extending the portfolio of services provided, banks have become more flexible and respond better to market needs.

The Cloud in the Banking Sector

In 2018, Accenture conducted a global survey of retail banking in terms of the implementation and use of cloud services.

The report was prepared based on surveys from directors of 35 banks – European, American, African, and Asian. The vast majority of representatives of the banking sector admitted that there is no developed strategy for cloud applications. Nearly half of the respondents confirmed that such a strategy is to be prepared within the next year. 31% of the respondents had a strategy for cloud adoption already. This shows that the market opportunity for the banking sector is only starting to grow.

A minority of banks could boast a mature strategy for implementing cloud solutions. This was indicated by 1/4 of the respondents. In the vast majority of cases though, these strategies were still at an early stage of development. 40% of bankers admitted that basic practices had been agreed upon and appropriate tools had started to be implemented.

Challenges and Benefits – a Local Perspective from Poland

Accenture, in cooperation with the Polish Bank Association, conducted a survey among the largest banks on the Polish market. (The full report in Polish can be accessed here.) These banks were familiar with the subject of the cloud, but enterprises are still at a relatively early stage of cloud advancement and face many challenges.

For banks, the biggest unknowns are issues related to regulations that banks have to comply with, as well as the lack of appropriate experience in processes related to the implementation of cloud solutions. There seems to be no standard, go-to approach when migrating banks to the cloud. Banks indicate unclear or incomplete legal provisions, as well as regulations that do not facilitate or even limit the implementation of the cloud.

Another problem that banks face is the little to no experience possessed by their IT teams in implementing advanced solutions. Rebuilding or migrating applications to run in the cloud – (i.e., big data set migrations) requires significant effort. Adjusting to the cloud transition as part of investment cycles in the IT department for a given company can also pose certain challenges.

With the advent of cloud technology in the banking sector, risk and security management are becoming another important element of cloud implementation strategy. In this area, the analysis of large data sets (in terms of risk identification and fraud detection) becomes extremely crucial. Sharing sensitive data also falls under regulatory compliance, which poses a significant burden if done manually.

The entire banking sector today faces the challenge of processing, analytical support, and monetization of huge data resources. Such datasets can be inferred upon to discover patterns of customer engagement among other operations. Thanks to technologies available in the cloud, what in “analog” mode would take several days is possible to achieve in a few minutes.

The available advanced analytical functions enable the analysis of structured and unstructured data and can provide a specific inference engine/subsystem from many vendors – be it AI cognitive services or natural language processing.

When used only for the duration of data processing, these inference engines reduce the need for very expensive and complex analytical solutions in banks, limited to systems processing extracts from data processed in the cloud. This leads to transparent cost models because it enables fast and efficient provisioning of services. The implementation of IT infrastructure and services is faster, the application development cycle is shortened, and, most importantly, it allows for the introduction of new, more innovative products and services to the market based on a proven vendor.

Cloud Banking and Security – Facts and Myths


In practice, the cloud for customers turns out to be a safer solution, while taking away the pain of setting up everything by the organization. Companies using this type of solution are only a part of the entire ecosystem, which also includes many other enterprises. Thus, a potential attack on a specific company or data collection is difficult.

Implementing Cloud Technology for a Bank

Many banks are still using cloud solutions opportunistically, mainly to improve or supplement their current systems and services. Primarily, this is due to the fear of launching a major change program that will impact virtually every element of the bank’s organization, thus incurring large expenditures on transformation projects and generating the associated risk of failure.

One of the relatively simplest methods is to purchase SaaS packages from vendors. The choice of such services is so large that banks are free to choose a product tailored to their needs. The migration process is relatively simple, focusing mainly on data migration and integration with the bank’s other systems. The process of cloud implementation in a bank may also require the migration of existing systems.

This can be done by moving applications to the target cloud platform, without major changes in their configuration. In this process, it is possible to use traditional migration methods, just as is done during data center migration. Of course, applications can also be customized and updated to be platform-compatible and cloud-ready (standardizing operating systems to versions supported by the cloud operator).

Private and Public Cloud Pros and Cons

The most difficult method, but with the most potential benefits, is migration using PaaS technologies. This method consists of adapting the application architecture to the cloud-native model, which enables the use of advanced cloud services, e.g. automation, scaling, containers, serverless functions, API mechanisms, and others. Regardless of the choice of cloud migration method, the goal is common – gain a business advantage through the use of modern technologies.

Such an implementation model is convenient for banks because it grants them the freedom to choose which resources are used. This is possible thanks to the implementation of Cloud Content Management Platforms in banks, integrating private and public resources and, in the case of integration with more than one public provider, implementing a multi-cloud strategy. Additionally, this model allows for easier management of regulatory requirements, such as user anonymization or data requests.

Summary

Major companies and cloud providers are committing more and more resources to streamline, develop, and create new services. As demand continues to grow, enterprises are recognizing new trends, significant opportunities, and economic benefits. By migrating to the cloud, they are replacing traditional IT usage models in an as-a-service direction.

The ongoing changes are also affecting the banking sector, though the integration of cloud technology is on the more conservative side. This is due to the characteristics of this heavily regulated sector, to which the highest security standards have always been applied. The new reality for the banking sector becomes not only a challenge but also an exciting opportunity to benefit banks in many different ways.


Article written by Piotr Slupski


Security Recommendations, Part 2: Encryption at Rest

Continuing our 2022 Security Recommendations series, in this post, we will discuss why it’s important to use encryption at rest in all your devices.

What is Encryption at Rest?

In simple words, encryption at rest is the process of securely saving all your files on your devices. This typically means that the files stored on your computer, your phone, tablet, or other devices can only be accessed by you and anyone else who has the encryption key.

Though it sounds complicated, it is transparent to the user in practice. You will continue to use your device as usual but with added security: files saved on your hard drive or other memory cannot be easily accessed by other users.

Let’s use some examples to explain this better.

Example 1:

  1. Your computer has encryption at rest enabled.
  2. All your files are saved on your hard drive.
  3. Your computer is stolen/lost.
  4. Anyone who tries to read the files from the hard drive by connecting it to another computer cannot decrypt them, meaning all your files are protected against unauthorized access.

Example 2:

  1. You save your files on your mobile device.
  2. Encryption is enabled on your device storage.
  3. Your device is lost/stolen.
  4. No one can read your files from your device, regardless of their method to extract the files since they don’t have the encryption key.

Important note: encryption at rest will only make sense as a security measure if your computer/device has login protection with a strong password or a secure access method that no one else possesses.

How to Enable Encryption at Rest

Depending on your device and operating system, the instructions may vary. This article will focus on Windows/macOS and Android/iOS.

Enable Encryption on Windows 10/11

To encrypt your data at rest in Windows, you must enable BitLocker Drive Encryption. Depending on your hardware, this may not be possible on your device.

The basic requirements to enable BitLocker Drive Encryption are the following:

  • The computer must have a TPM 1.2 or later. (If your computer doesn’t have a TPM, this can still be possible by saving the key to a removable device, such as a USB Flash Drive.)
  • The hard disk must have at least two partitions.
  • The operating system drive must be formatted with the NTFS file system.

You can review the BitLocker System Requirements page in Microsoft documentation for more details.

If your Windows computer supports BitLocker, you can launch the configuration window by opening it from your Windows menu.

[Screenshot: BitLocker in the Windows Control Panel]

This will open the BitLocker Control Panel; from here, you will be able to enable/disable and save your recovery key. However, if your company provided your computer, the IT department typically has BitLocker enabled already.

[Screenshot: encryption managed by the IT department]

Enable Encryption on macOS Devices

Similar to Windows, macOS has an encryption tool built into the system called FileVault. When FileVault is enabled, all your files are encrypted. To open FileVault on your Mac, choose the Apple menu > System Preferences > Security & Privacy > FileVault.

[Screenshot: enable encryption with macOS FileVault]

Check the FileVault help page on macOS documentation for more details on how it works and how to enable or disable it.

“Note: If you have an iMac Pro or another Mac with an Apple T2 Security Chip, the data on your drive is already encrypted automatically. However, turning on FileVault provides further protection by requiring your login password to decrypt your data.” (Encrypt Mac data with FileVault, macOS Monterey User Guide)

Enable Encryption on Android Devices

Encryption at rest is not enabled by default on new devices; you must enable it manually.

Like Windows/macOS, the first step is to enable PIN/password protection to access your device.  Even though this doesn’t automatically encrypt your data, it will ensure that no one gains access to your files by unlocking the screen.

Depending on your phone brand and OS, you can open your settings/security and look for the Encryption option. Once enabled, your files will be securely saved on your device storage.

Enable Encryption on iOS Devices

Unlike Windows/macOS and Android, since iOS 8, personal data on iPhones is encrypted by default, as long as the phone is locked with a passcode or Touch ID.

Depending on your iOS version, the passcode/Touch ID/Face ID location may be located differently, but generally, you can find it under General Settings>Passcode Lock. Use a solid passcode to ensure your data is not easily accessed.

[Screenshot: enable encryption on iOS]

Final notes

Enabling encryption at rest is one of the top recommendations to improve the security of your files. In a previous article, we explained how to protect your personal information. We will continue to provide you with general recommendations to protect your information online and offline.


Article written by Daniel Alarcon


Security Recommendations, Part 1: Protect Your Personal Information

Many of the topics that we will cover in this new series are common sense; however, every year, we need to revamp our personal security practices in person and online.  This installment will cover how we can protect our personal information throughout our day-to-day actions.


Don’t Share Your Personal Information Freely

This may seem like an obvious action, but this is also one of the most common mistakes.  This wasn’t such a high-risk problem in the past (some 5-10 years ago).  Nevertheless, we are in 2022, and your data like SSID, date of birth, full name, preferences, etc., comprise essential security access information.

For example, you may be invited to share your personal information with a store to win a prize or become eligible for a discount code.  It doesn’t matter if it’s handwritten at a physical store or if you enter your details on an online form; submitting this kind of information is no longer an innocent thing to do. The store could share or sell your information unless you specifically opt out of this kind of third-party interaction. The store could also be the victim of a hack, in which case your information would be compromised. The best way to protect yourself is to be wary of sharing your information; anyone can use it to steal your identity, hack their way into your online accounts, or any number of unsavory tasks.

In summary, don’t give out your identifying information unless you need to.


Separate your personal information from your work ID information

What does this mean? Basically, for any personal matters (online shopping, social media, communication with friends and family, etc.), use your personal information, private email, private phone, etc. For work-related communications, only use your work identity to communicate with co-workers and external contacts (vendors, customers, partners, etc.).

The objective is to separate your identities and keep them separated in every interaction.

This applies to your computer usage as well. Most internet browsers can save multiple profiles (like Google Chrome). This will help you keep your data where it belongs, so you can avoid mixing your identities and help categorize your information. Your search history, open tabs, browser extensions, and more can be saved to distinct profiles and easily accessed or updated if you have “Sync” enabled.

Creating and maintaining this separation in your mobile device can be somewhat challenging, but you can still apply the same principles and set up profiles for web browsing and apps.


Secure Your Information on Your Mobile Device

Security on mobile devices is a major topic on its own, but you can take certain steps to protect your personal information by following some simple recommendations:

  1. Always enable security to unlock your phone. Even though Face ID is replacing the fingerprint scanner, choose the fingerprint scanner when possible.
  2. Don’t store important information in notes on your phone. Even though it may be practical, never store personal information on messages, pictures, notepads, or similar apps on your device. If you want to keep this information at hand, use a secure application or database for storage and access, like KeePass.
  3. The device and its content should be encrypted at rest. Always enable encryption, when possible, even with microSD storage. In the event of a lost phone, no one will gain access to the information stored in the device.


These are just basic recommendations to protect your personal information. In future articles, we will go more in-depth on encryption at rest, email communication, sharing private data securely over the internet, and other topics.


Article written by Daniel Alarcon


Cybersecurity Trends in 2022

In an increasingly online world, cybersecurity has become more critical than ever. This is particularly true for companies and organizations that handle personal or sensitive data of consumers and citizens.

Why is Cybersecurity so Important?

With the huge prevalence of remote work during the COVID-19 pandemic, businesses and organizations are increasingly doing their work online. No matter if all business is done in the cloud or completed on a company’s VPN, this method of working needs to take in a whole new consideration of cybersecurity. Is your client’s personal information secure? Have your employees been trained in common phishing and social engineering attacks?


Increasingly, clients and organizations look into a company’s cybersecurity protections to determine if they want to give them their business. In fact, Gartner reports that, “By 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements.”

Not only do businesses need top cybersecurity strategies to keep their own organizations secure, they also need it to attract and retain clients.

Of course, cybersecurity changes year by year, so it’s important that companies focus on it and make sure the tools and software they use have top security features and options. To that end, let’s look at some top cybersecurity trends for this year.

Top Five Cybersecurity Trends for 2022

Ransomware

Ransoms have less to do with kidnapping now and more to do with cybersecurity. Hackers are creating malware that threatens to publish private information or permanently encrypt important data unless they’re paid a ransom to remove the malware.

Many hackers now use RaaS (Ransomware as a Service)—ransomware that’s already been created to perpetuate attacks more easily.

Ransomware is being used in large attacks too, such as the Colonial Pipeline attack in 2021. The pipeline supplies gas to about 50% of the East Coast of the US, and the attack caused panic buying along with spikes in gas prices. Colonial had to pay $4.4 million to have the ransomware removed. Attacks like this will only become more prevalent as hackers become more sophisticated and go after bigger and bigger targets.

Internet of things

The IoT (Internet of Things) is an aspect of cybersecurity many people don’t consider, but in our increasingly tech-focused world, the IoT applies to the physical “things” in our lives filled with sensors and software that communicate and send data online. These “things” can be anything from the smart devices that turn on your lights and music to smart-driving cars. IoT will only increase in everyone’s daily life and make us more reliant on the internet and our devices. What many people don’t realize is that all these devices can be hacked as well. Devices and the companies that create them need to focus on increasing their cybersecurity as well.

Attacks on the Cloud

Increasingly, companies are using the cloud to store their data and files. At a time when WFH is here to stay, the cloud is an important tool that allows employees to access data and files from anywhere at any time. However, hackers are also taking note of the increased reliance on the cloud, which means they’re increasing their attacks on it as well.

Phishing/Social Engineering

Phishing and social engineering use employees against their own companies by sending malicious links and messages to employees to try to gain access to their passwords or devices. These techniques have been around for years, but they are consistently one of the top ways hackers gain access. Many believe that these schemes will only become more targeted and sophisticated, so it’s important that companies have training in place to teach their employees what to look for.

Increasing Regulations

We’ve talked a lot about the ways in which hackers are becoming more sophisticated and problematic. Countries are trying to tackle these emerging issues by enacting laws to increase cybersecurity protections. Regulations like the GDPR (a data protection law) require certain security protections for EU residents’ and citizens’ information. Failure to comply with this regulation and the many others like it can result in huge fines for companies, possibly even civil or criminal charges, if they don’t take cybersecurity seriously.

Thankfully, companies and organizations are not alone when it comes to protecting their data.

FileCloud as a Hyper-Secure Solution

FileCloud is a file storage and sharing tool that allows companies to keep track of and protect their data.

Security has always been a top priority for FileCloud, and with the increase in hackers and malicious software, FileCloud understands that now is the time for a hyper-secure file sharing and storage tool that companies can still use with ease.

FileCloud’s Compliance Center helps organizations achieve and maintain compliance with ITAR, HIPAA, and GDPR, with tabs for each regulation that provide best practices and easy-to-enact rules.

In addition, FileCloud has many excellent security and compliance options like:

  • Robust DLP, content governance, and permissions
  • Content Classification Engine (CCE) and custom metadata
  • Antivirus and ransomware protection (along with the option to enable detection of files with encrypted payloads to block and warn when ransomware enters the system)
  • Digital rights management
  • Granular folder permissions
  • 256-bit AES encryption at rest
  • SSL/TLS protocols for data in transit
  • Active Directory integration
  • Two-factor authentication

Cybersecurity is not something companies and organizations can ignore or put on the back burner anymore. The trends show that hackers are only getting more sophisticated and malicious.

However, it is possible to keep your company or organization secure and compliant by using a hyper-secure file sharing and storage solution like FileCloud. FileCloud helps protect your data so that you can continue focusing on important work, knowing that you (and your clients) are secure and compliant.

3-2-1 Backup Strategy – Part 3: External Backup via Cloud Service

Now that we have covered backing up your computer and mobile devices locally using an external hard drive or a NAS, we can set up our final security measure: backing up data via a third-party cloud service.

There are many options available:

  • Drive
  • OneDrive
  • iCloud
  • Box
  • FileCloud
  • NextCloud
  • AWS

And many more…

Choosing the Best Fit

While you have many options available with a wide variety of prices, I recommend carefully evaluating your storage needs and privacy concerns to determine the best service for you.

Drive, OneDrive, iCloud, and Box are among the least expensive options. However, these options don’t offer precise user control over where files are stored or granular settings for privacy and reliability. For those who prioritize autonomy, security, and flexibility, a service like FileCloud or NextCloud may be more suitable.

To maximize privacy, running your own on-premises server with a cloud service (Digital Ocean, AWS, Google Cloud, Azure, etc.) is an ideal solution. You can fully control your data storage, but this control comes with a price. Running your own server is often the most expensive option. With that expense comes the ability to configure several layers of access barriers and encryption standards.

For example, you can run FileCloud on-premises on AWS, set up your S3 Bucket, and apply asymmetric encryption standards to your saved files. With these layers in place, if for any reason someone gains access to your S3 Bucket, your files will not be readily available – they would need the encryption keys or direct access to your FileCloud Server to decrypt the data.

The Cost of Running a Server

For users running their own FileCloud Server, we can apply some basic parameters to compare pricing, using calculators provided by cloud service platforms.

  1. Medium size computer
  2. Linux OS (Ubuntu)
  3. Additional 500 GB disk
  4. FileCloud Community Edition (sold separately)

For this example, we used the Google Cloud calculator:

Screenshot of Google Cloud calculator

With our initial parameters, the calculator has estimated that it would cost around $45 per month to run an independent server.

However, if your company already runs a FileCloud server or pays for FileCloud Online, you can take advantage of FileCloud’s backup option at no additional cost. This feature uses your existing cloud space; you can rest easy knowing your critical data is backed up in the event of a disaster (mobile device gone, computer gone, hard drive gone).

Backing Up Hard Drive Data to FileCloud

FileCloud includes an end-point backup solution that can help you back up specific folders from your local computer (like your hard drive) to your FileCloud account.

To add your local hard drive to FileCloud, open the Sync application and select “Backups” under the Configuration menu:

Screenshot of Backups Tab in FileCloud

From the “Backups” tab, you can select a folder, including that of your connected hard drive device:

screenshot of FileCloud Sync app, add a folder

FileCloud will then sync content found in the designated folder to your user account. I recommend enabling the “Email notification after the backup completes” option. This way, you can track when and how often your files are backed up.

screenshot of FileCloud Sync - backed up folders

Once configured, the FileCloud Sync application will back up your hard drive data to your FileCloud backups folder. This also completes your external backup location, which covers the basics of your 3-2-1 backup strategy.

Article written by Daniel Alarcon

Security Monthly: Company Data in the Cloud

This article is the first entry in the Security Monthly series, where we will discuss recent and important events regarding security incidents, data protection, notable attacks, and related topics. To kick off our series, we will cover four attacks that demonstrate different aspects of how modern security breaches are operated.

Critical Infrastructure Needs to be Cyber-proof

There has been an increasing trend of critical infrastructure (emergency call centers, grid line controls, power plants, etc.) migrating service operations to the cloud. This migration leaves certain infrastructures vulnerable to cyberattacks. A European Union study highlights the need for a more organized approach toward securing critical infrastructure, similar to what is seen in technology companies. The report shows that a systemic approach to protecting institutions and organizations critical to a larger population must be considered from the ideation phase. Cybersecurity considerations thus become operational requirements – they are a crucial part of any business or endeavor.

With cloud adoption rising, the associated risk of being attacked is also increasing. There are many types of issues in software that can be exploited by hackers – as developer tooling and experience rise, so does the number of new developers and hackers. Armed with knowledge of which attacks are most popular, we can better prepare for a security incident.

The list of top ten important vulnerabilities for 2021 is available on the OWASP website, along with in-depth analysis and context behind each of the vulnerabilities depicted below and the methodology behind how this list was calculated.

Fig 1. OWASP Top 10 Vulnerabilities Shift 2017 to 2021

Consequences for Poor Cybersecurity

With the need to protect critical infrastructure comes the need to immunize infrastructure (or at least have a backup plan) against the most typical vulnerabilities. Broken access control can lead to disaster scenarios such as losing control over nuclear reactors or leaking millions of credit card records or a billion users’ passwords online. All these attacks exploited one or more of the known, popular vulnerabilities.

In this introductory article, we will take a look at some of the more popular and recently talked about attacks from around the world. First, we will review the recent attack mitigated by Azure Cloud. We’ll follow with another Microsoft company, LinkedIn, which fell victim to an attack that leaked 700 million users’ data, only two months after a breach that leaked 500 million users’ data.

We will then examine a leak of 1.1 billion users’ information from Alibaba, where a malicious actor was scraping the platform’s data containing sensitive information over a period of eight months. The last piece will show an infrastructure attack on npm (Node Package Manager) by publishing a package with crypto-mining malware.

The need to protect critical systems will become more prevalent in the systems that engineers create. Consider the current possibility: an attack on your local home server running your IoT doorbells can lock you out of your home; imagine what can happen if a nuclear power plant is hacked.

We hope to never know.

Azure Cloud Mitigates 2.4 Tbps DDoS Attack

Graph showing bandwidth spikes registered by Azure during 2021 DDoS Attack

Fig 2. UDP bandwidth mitigation timeframe by Azure

In the last weeks of August, Microsoft’s Azure service was able to save a customer hosting data in Europe – it was the biggest attack to date in terms of volume, with over 70 thousand hosts sending requests. The inbound traffic was 140% larger than the impressive attack from 2020, also mitigated by Azure.

Though the blog post covering the incident does not share details, other news outlets state the attack was a type of DDoS known as UDP reflection.

“Reflected amplification attacks are a type of denial of service attacks wherein a threat actor takes advantage of the connectionless nature of UDP protocol with spoofed requests so as to overwhelm a target server or network with a flood of packets, causing disruption or rendering the server and its surrounding infrastructure unavailable.” thehackernews report

Azure was able to fend off this attack due to the massive scale of the cloud, applying specific logic that could siphon off the huge data wave before it ever arrived at the customer’s service. The solution was implemented behind the scenes, with customers experiencing no issues during the attack.

With services delivered over the internet, the risk of disruption is high – especially for high-risk targets. The abundance of IoT devices that form new botnets is such that protection against denial of service attacks must be considered when working on a critical system.

It is not an easy task, as DDoS mitigation happens at a very low level – not every company is able to invest in precautions. Even fewer companies are able to build in-house solutions to handle data floods of such volume.
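The reflection pattern quoted above has a recognizable signature from the victim’s side: many UDP “responses” from well-known service ports, converging on one host, that no local host ever requested. The following is an added example (not from the article or from Azure) that flags that signature in flow records; the flows, address ranges and reflector-port list are constructed for illustration.

```python
"""Spot a UDP reflection flood in flow records (constructed example).

Reflected amplification abuses connectionless UDP: the attacker spoofs the
victim's address in requests to third-party services, whose larger responses
converge on the victim.  Seen from the victim, the tell-tale sign is UDP
traffic from service ports that no protected host ever sent a request to.
"""
from collections import defaultdict
from dataclasses import dataclass

# Source ports of services commonly abused as reflectors (assumed list).
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 389: "cldap", 1900: "ssdp", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str   # "udp" or "tcp"
    nbytes: int


def detect_reflection(flows, protected, min_reflectors=3, unsolicited_ratio=0.8):
    """Return {victim_ip: summary} for protected hosts receiving a reflection flood.

    An inbound response counts as solicited only if the mirrored request
    (same 4-tuple with source and destination swapped) left a protected host.
    """
    requests = {(f.src_ip, f.src_port, f.dst_ip, f.dst_port)
                for f in flows if f.proto == "udp" and f.src_ip in protected}
    stats = defaultdict(lambda: {"bytes_total": 0, "bytes_unsolicited": 0,
                                 "reflectors": set(), "services": set()})
    for f in flows:
        if f.proto != "udp" or f.dst_ip not in protected or f.src_port not in REFLECTOR_PORTS:
            continue
        s = stats[f.dst_ip]
        s["bytes_total"] += f.nbytes
        if (f.dst_ip, f.dst_port, f.src_ip, f.src_port) not in requests:
            s["bytes_unsolicited"] += f.nbytes
            s["reflectors"].add(f.src_ip)
            s["services"].add(REFLECTOR_PORTS[f.src_port])
    alerts = {}
    for ip, s in stats.items():
        if (len(s["reflectors"]) >= min_reflectors
                and s["bytes_unsolicited"] >= unsolicited_ratio * s["bytes_total"]):
            alerts[ip] = {"bytes_unsolicited": s["bytes_unsolicited"],
                          "reflectors": len(s["reflectors"]),
                          "services": sorted(s["services"])}
    return alerts


PROTECTED = {"198.51.100.10", "198.51.100.20"}

# Constructed flows in documentation address ranges, not real traffic.
SAMPLE_FLOWS = [
    # Legitimate DNS exchange: request out, answer back on the same ports.
    Flow("198.51.100.10", 41000, "203.0.113.53", 53, "udp", 80),
    Flow("203.0.113.53", 53, "198.51.100.10", 41000, "udp", 200),
    # Legitimate NTP exchange for the second host.
    Flow("198.51.100.20", 52000, "203.0.113.123", 123, "udp", 48),
    Flow("203.0.113.123", 123, "198.51.100.20", 52000, "udp", 48),
]
# Flood: NTP and CLDAP "responses" from six reflectors that nobody asked.
SAMPLE_FLOWS += [Flow(f"192.0.2.{i}", 123, "198.51.100.10", 30000 + i, "udp", 4800)
                 for i in range(1, 6)]
SAMPLE_FLOWS.append(Flow("192.0.2.99", 389, "198.51.100.10", 30099, "udp", 3000))

if __name__ == "__main__":
    for victim, info in detect_reflection(SAMPLE_FLOWS, PROTECTED).items():
        print(f"{victim}: {info['bytes_unsolicited']} unsolicited bytes from "
              f"{info['reflectors']} reflectors via {', '.join(info['services'])}")
```

The second protected host only ever sees the NTP answer it asked for, so it stays quiet; the first host is flagged because nearly all of its reflector-port traffic has no matching outbound request.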

Slow Yet Thorough – How to Scrape a LinkedIn Profile

The news of the attack came via email from a concerned author at PrivacyShark, who saw a list of LinkedIn user data for sale on a hacker forum. Due to the hack, private emails and phone numbers were hosted online, available to malicious actors for spam and identity theft.

The issue of identity theft is serious, as it leads to losses on the order of 56 billion USD, as reported by CNBC. The total number of US citizens hit by an identity fraud attempt is on the order of 45 million. If there is one thing we can take for certain, it is that data in circulation is being put to use by criminals at ever faster rates. Furthermore, attackers are using new approaches to access user data, which may occupy a legal grey area, such as automated scraping.

This activity does pose some interesting legal questions. LinkedIn is currently involved in a Supreme Court case that seeks to define online scraping as illegal. If the ruling is in LinkedIn’s favor, scraping their or other social websites could be deemed as criminal activity.


An Alibaba Hack Leads to New Laws in China

The attack on Taobao, part of Alibaba, led to criminal prosecution and jail for the attacker as well as his employer. Personal data was siphoned out of the system for over eight months by an employee of a consultancy firm.

The data was supposedly not sold online. The judge ruled jail terms of three years, with fines totaling 70K USD. In the aftermath of this case, China introduced new data protection laws, granting the state the ability to shut down services at will or fine companies found mishandling core state data.

Subsequently, a personal information protection policy is also in the works as the government is heavily invested in IT infrastructure. This law will give immense power to officials running the country.

It is worth noting that security issues can lead to significant changes in federal and global laws. With IT security being considered at legislative levels, cybersecurity is an increasingly important subject for lawmakers to understand. After all, if those crafting and implementing new laws do not understand what they are doing, how can they make an informed decision on the matter?

npm Hosting Crypto Mining Malware

With over six million weekly downloads, UAParser.js is a popular package used by developers all around the world. However, malicious versions of this package entered the registry, likely through a hijacked account.

All computers running the malicious package versions served as open hosts to malware and trojans, starting a vicious cycle of infestation – this was an attack placed deep in the supply chain.

“The malicious versions were found to steal data (including passwords and Chrome cookies, perhaps much more) from computers or run a crypto-currency miner.” Hackaday

The attack was quickly brought to public attention, so users could mitigate the issue once they were aware of it. It’s not yet clear how big of an impact this caused in the real world.

The important takeaway from this story is that supply chain attacks that lead to ransomware are easier than ever (remember Kaseya?) and do real harm. It only shows that even developers, who supposedly know a thing or two about security, can be vulnerable too.

An important element of this story is that once the attack was confirmed, the npm registry pulled all infected packages. Swift action can be a deciding factor in how well cybersecurity issues are resolved and how companies recover.

Conclusions

Data safety, compliance, and security for sensitive information are prime topics for every industry touched by digital transformation. To create a secure ecosystem, it is important to know not only the systems we create but to also understand the attacks and outcomes for end-users. It’s crucial for users and designers to tread carefully when securing a system.

A leaked email may be relatively mild on the scale of hacking worries. Leaking credit card data or social security numbers, on the other hand, has real-world implications. Since the pandemic and the global drift toward remote work, hackers have developed new methods of stealing user data and money with each passing month.

Several organizations were not prepared for the move toward digitized platforms, nor for the predators lurking in the network. With cyberspace full of technologically advanced attackers, it is ever more important to stay on the safe side, with multiple layers of protection and strong IT practices.

The next entry in the Security Monthly series will describe ransomware attacks, as well as new attacks that use AI – stay tuned!

Article written by Piotr Słupski

3-2-1 Backup Strategy – Part 2: Mobile Devices


Back Up Your Mobile Device

Following our first article on the 3-2-1 Backup Strategy, we are now going to discuss backing up your mobile devices (smartphones, tablets, etc.).

While both Android and iOS devices have their own cloud storage backup solutions (Drive and iCloud, respectively), we will focus on local backups. These services can act as your third device/location backup solution. I normally prefer not to depend on third-party services, since these typically offer less user control over data and may pose privacy concerns.

Android Device

With Android devices, we have a few options to back up files with a hard drive:

  • If your phone supports USB OTG, you can connect your hard drive directly to the mobile device.
  • Connect your mobile device and your hard drive to your computer, creating a bridge between your devices.
  • Wirelessly connect your hard drive or NAS to your local network (preferred option).

While the first two options are simple enough, they do require you to manually copy your data to your hard drive on a regular (daily or weekly) basis.

The third option, wirelessly connecting or “syncing” your hard drive or NAS, enables you to implement an automatic backup process; this process can grant you peace of mind without needing to rely on manual backups. With a NAS, the storage device is readily available. However, if you only have your desktop/laptop and an external hard drive, you can still automate backups.

How to Wirelessly Sync Android Device Files

The first thing you need to do is make your hard drive accessible on your local network. First, connect your hard drive to your desktop/laptop computer. Next, go to Windows Explorer or Finder (macOS) and “share” your hard drive over your local network. (This process may vary depending on your operating system version and type.)

Screenshot of Microsoft Advanced Sharing Dialog Box

Then sync your files from your Android device. I recommend installing FolderSync on your device to initiate the sync process. There are Free and Pro versions, with the Pro version offering more control over synchronization. Add your hard drive as a device (while connected to the same network as the desktop/laptop hard drive). Usually, you can do this by adding a new SMB (Server Message Block) device:

Screenshot of Dialog Box to add new SMB device

Simply fill in your computer username/password and enter the computer IP address (local network):

Screenshot of dialog box to Identify/name an SMB device

You can test the connection to verify and save your information. That’s all you need to do to connect the hard drive. Now, let’s create a sync pair:

Screenshot of dialog box - create a sync pair between hard drive and local network

Here is where “Sync in the background” can be configured. I recommend the following settings:

  • Sync Type: Remote folder. (If you change anything on your backup device, it will not delete the file on your mobile device.)
  • Remote Folder: Choose a path on your hard drive that will store your backup files.
  • Local Folder: In the screenshot, I chose to use the default DCIM folder to back up my pictures. I recommend adding different folders for other content (e.g., Downloads, Screenshots, Pictures, etc.).
  • Use Schedule Sync: Yes/Daily. Ensures the sync operation happens every day.
  • Sync Subfolders/Hidden Files: Yes. Makes sure you back up everything in the folder.
  • Sync Deletions: No. Very important – if you create large data files (like 4K videos) on your phone, then sync these files to your hard drive to save space, you can then choose to delete the files from your phone, knowing you have a backup of that video on your hard drive.
  • Connection Settings: Sync only over Wi-Fi. If you want to be more specific, you can enter your home Wi-Fi SSID to ensure sync will only run over your home network.

Screenshot of network settings to enforce syncing only over same wi-fi

Once you complete your configurations, from then on your mobile device will sync to your hard drive when connected over the same home local network and Wi-Fi.

iOS Device

For iOS devices, your options are more limited for local backups:

  1. Connect your device to your computer and back up using iTunes (over USB or wirelessly).
  2. Use third-party applications or services to connect to local NAS.

iOS makes it simple to back up your device to your local computer using iTunes; connecting your device and choosing “back up to local computer” will copy your entire device.

Screenshot of iTunes Backup menu

Unfortunately, this will sync your files with the local computer, not the external hard drive. You will need to manually back up your data to the hard drive by copying/syncing your folder from the AppData directory “%appdata%\Apple Computer\MobileSync\Backup”. On a macOS computer, you can retrieve data from “~/Library/Application Support/MobileSync”.

Syncing with a third-party application varies widely since different NAS brands often use proprietary software included on the drive. For example, if you have a Synology NAS, you can use the Synology Moments application to back up your pictures (though not other files). As a result, we will not cover this topic in this article. In our next and final article related to the 3-2-1 backup strategy, we will cover syncing backups with third-party cloud storage.

Article written by Daniel Alarcon