Employees and the Conundrum of Securing Cloud Data


While we’ve posted about the dangers of USB drives when it comes to their use as a means to steal data (truth be told we’ll revisit again in the future as they will continue to be pervasive), there are also several “online” ways which we find people take (or keep) things that don’t belong to them. Starting with the “keep” element, we’re finding more and more businesses are moving their storage online. Whether small, medium or large, businesses are moving to the “cloud” for cost factors as well as features and convenience. I won’t be a huge naysayer with this as I recognize the business environment has changed. The days of everyone working in a single office tethered to a local server are long gone. Since most larger enterprises have robust network security departments, most of my comments in this regard will be focused on small and medium businesses. However that doesn’t mean the concepts can’t be applied everywhere, including on a personal or family level. How does this relate to forensics? I’ll focus on the latter of the reasons folks are moving to the cloud (features and convenience) to explain that.

Given that the perfect “nuclear” office environment largely doesn’t exist anymore, the location of the office nowadays runs the gamut from a handful of folks in an actual office location and a similar amount “remoting” in, to a completely “virtual” office where everyone works remotely from their homes, coffee shops or even the beach. Regardless of the topology of the office (and ensuing network), the need to allow access to shared data from disparate locations certainly exists. This is where the “central” storage of the cloud is fantastic, especially from a convenience as well as a features perspective. How simple is it to log into a website, set up a new user and bam, they have access? Especially in the SMB (small to medium business) environment. Even better if the employee is using their own computer, right? Not quite, but I’ll get to that later. Previously, the process entailed an IT professional being tasked to set up the new user’s account, issue them a laptop, ensure their networking was configured properly, allow them access to the proper shared directories (ok, they’re called folders now) and set up their email account, among other things. Now it’s just a few clicks and a bit of typing and they’re up and running. Truth be told, I glossed over a number of other steps that sometimes would occur. I say sometimes, but depending on the size of the organization and tech savviness, it could be oftentimes. Getting more to the point (about time, right?), in today’s process, most of the focus is on the features and convenience, and security is an afterthought. And this is a liability when it comes to securing a company’s data from those that are closest to it on a daily basis. Security has to be baked in to the overall environment. And not merely security as in “can we be hacked?”

Where is the importance in this (and again, where’s the forensics in this?) you’re asking? Proper access control is where I’m going with this. If not planned and implemented at the outset, then there is really a lack of rules, which turns it into the wild west with respect to data. However, most don’t stop to think about it until after the fact. Most are focused on whether their data can be hacked from some foreign entity or by some kid in their mom’s basement when the reality (especially from a business data protection perspective) is that there needs to be better control. Coinciding with this should be auditing of account access/activity (another fun thing that’s not often talked about) with respect to the folks that “legitimately” have access to it. I can’t tell you how many times we’ve worked matters where the employees didn’t take data via USB drive, they didn’t print stuff out and they didn’t email themselves the crown jewels. They had access to an online central storage location from a personal computer at their house and accessed the data that way. Isn’t there some kind of logging that would catch this, you might be asking? And if you’re not, you should be. Yes, there typically is, but if someone has access to data via the proper credentials (username and password) there’s typically not much follow-up to show that it was a personal computer and not an official company resource. It’s even worse if the employee uses their own computing device (as alluded to earlier) because when they leave, you’re not too sure what they have, and don’t have, with them still. At that point, if Elvis has left the building, we’ll typically have to engage an attorney and then ultimately need to have a judge compel them to turn the laptop over for analysis. All of this is much more costly than just providing them with company-owned resources in the first place. Not to get into a BYOD (Bring Your Own Device) rant.
More to the point, more businesses are using online storage locations which make it difficult to properly control who has access, what local copies they have cached on their computers and finally what’s not being secured when folks leave. As already stated, this data can typically be accessed from a different computer (even if they’re issued a company computer) with little control available on what can be copied to other devices out of sight and control of the company.

All is not lost, however. Forensic analysis can be done on cloud data to see what data was touched locally on a machine and where it may have been copied to. We can compare this access to legitimate devices, and if there are other accesses, establish that it’s been accessed via other means. For example, if we review a log and it says Bob accessed 123.xls on a particular date and his laptop doesn’t have access on that date, how did it happen? Either Bob shared his credentials with someone else or he’s accessing from somewhere else. We usually discover it’s the latter. What’s more, several of these services that sync that local cache of information to the cloud have logging data to see what was synced and what was deleted. Having said all that (and if you’re reading this thinking it might apply to you), all of your access to the company’s online accounts should be evaluated immediately. Those employees that don’t need access shouldn’t have it.
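The Bob and 123.xls comparison above can be sketched as a short script. This is an added example, not code from the original post: the CSV field names, the sample rows and the five-minute tolerance are constructed assumptions, not any cloud provider's real export format.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed cloud audit log export (field names are assumptions).
CLOUD_AUDIT = """timestamp,user,action,file
2024-03-04T09:12:00,bob,download,123.xls
2024-03-09T22:41:00,bob,download,123.xls
2024-03-09T22:43:00,bob,download,customers.csv
2024-03-05T14:02:00,alice,view,123.xls
"""

# Constructed logon sessions recovered from the company-issued laptops.
LAPTOP_SESSIONS = """user,start,end
bob,2024-03-04T08:30:00,2024-03-04T17:45:00
alice,2024-03-05T09:00:00,2024-03-05T18:00:00
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def unexplained_accesses(audit_csv, sessions_csv, slack_minutes=5):
    """Return cloud events that no session on the user's issued laptop covers."""
    slack = timedelta(minutes=slack_minutes)  # tolerance for clock drift
    sessions = {}
    for r in _rows(sessions_csv):
        sessions.setdefault(r["user"], []).append(
            (datetime.fromisoformat(r["start"]), datetime.fromisoformat(r["end"])))
    flagged = []
    for ev in _rows(audit_csv):
        ts = datetime.fromisoformat(ev["timestamp"])
        # A user with no recorded laptop sessions has every event flagged.
        covered = any(s - slack <= ts <= e + slack
                      for s, e in sessions.get(ev["user"], []))
        if not covered:
            flagged.append(ev)
    return flagged

if __name__ == "__main__":
    for ev in unexplained_accesses(CLOUD_AUDIT, LAPTOP_SESSIONS):
        print(f'{ev["timestamp"]} {ev["user"]} {ev["action"]} {ev["file"]}: '
              "no matching laptop session")
```

Both sources must be normalized to the same time zone before comparison, otherwise legitimate accesses will be flagged.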

Now that we’ve discussed a business storing their information in the cloud and the risk associated with this, especially when it comes to intellectual property theft, what’s the next twist on this? Simple: the employee, now proficient in the use of online storage, thanks to the company’s use of OneDrive, Google Drive, Dropbox or another such setup, simply thinks, “Hey, why don’t I set up my own account and transfer data to that?” It’s so simple to do, it’s absurd, and we have found it to be a common progression. What’s the takeaway from this post? Monitor what is put in the cloud, make sure there is an actual need to have online accessibility to that particular data, identify which employees need access, and when access is no longer needed. Finally, always make sure that when they leave, the door securely closes behind them to protect your data from being inappropriately accessed. In the next post, we’ll continue building the case with more employees’ online misdeeds with the information they don’t own. #InsiderThreat #SMBSecurity #DataTheft
