In November 2009, as coach of a youth baseball team, I received a Google Sheet with the names, birthdays, contact information, and team names for about 30 kids born between 1997 and 2000. More than 14 years later, I still have access to that document.
Today, those players are in their early to mid-twenties. Presumably, many have bank accounts and jobs with usernames and passwords. In the hands of a skillful threat actor, the names and birthdates so carelessly exposed by the youth baseball organization can be used to conduct phishing attacks, manipulate trust, exploit security questions, and conduct identity theft.
Youth player PII (Personally Identifiable Information) isn’t the only data available in my Drive. Over the years, companies have shared hundreds of files with me. The spreadsheets, presentations, and documents contain sensitive information relating to strategy, customers, and personnel. Some were sent by users who are no longer employed by the company, making it incredibly difficult to revoke my access to the document.
Every document, folder, and file that I can see has two things in common. First, I should no longer have access to the materials in those files. Second, the companies that shared their information with me are probably unaware that I can still open, edit, delete, and share their materials, and lack any scalable process to deal with this issue.
In this blog, we’ll take a close look at the information included in the Data inventory and look at several use cases.
Introducing the Data Inventory
Adaptive Shield’s Data Inventory provides visibility into the share settings of files, dashboards, repositories, boards, calendars, and other data found in SaaS apps. Users can see which items are public with a link, and which are shared with external users.
Drilling down into the item provides additional data, including a link to it, who it was shared with, and the number of times it has been viewed.
The Data Inventory provides contextual information from each item, including data and metadata. When viewed as a whole, it helps security personnel recommend to the document owner whether access should be revoked or limited.
Data Inventory Use Cases
In the dynamic landscape of cybersecurity, safeguarding sensitive information and proprietary assets is paramount to organizational integrity. Here are three use cases to highlight the need for a Data inventory.
Safeguarding Proprietary Code on GitHub
GitHub repositories have a history of unintentionally exposing sensitive data, typically resulting from user mistakes or administrative adjustments to encourage collaboration. Notable brands have experienced GitHub leaks, where proprietary code and internal tools became public. These leaks often reveal confidential information like OAuth tokens, API keys, usernames and passwords, encryption keys, and security certificates.
The inadvertent exposure of proprietary code and company secrets poses a significant risk to business continuity. Therefore, prioritizing the security of code within GitHub repositories is crucial.
Unforeseen Security Threats of Public Calendars
Publicly shared calendars may not initially appear to be security risks, as they are not commonly associated with sensitive data. However, these calendars contain valuable information that organizations would prefer not to fall into the hands of cybercriminals.
Calendars hold meeting invitations, complete with videoconference links and passwords. Allowing this information to be accessible to the public can result in unwanted or malicious participants joining meetings. Additionally, calendars often include agendas, presentations, and other sensitive materials.
The data from calendars can be exploited in phishing or social engineering attacks. For instance, if a threat actor gains access to Alice’s calendar and notices a scheduled call with Bob at 3 o’clock, they might pose as Alice’s assistant when calling Bob and request sensitive information before the meeting.
Secure Collaboration with External Service Providers
While Software as a Service (SaaS) apps simplify collaboration with external agencies, these partnerships often team members who only require short-term access. Without proper management, shared documents and collaboration boards grant indefinite access to everyone involved, as happened in a recent Salesforce Communities breach.
Project owners commonly create a single username for the agency or share key files through easily accessible links, simplifying administration and potentially reducing costs. However, this approach relinquishes control over who can access and work on project materials.
Members of the external team often retain access even after leaving the company if they remember the username and password. Sharing resources with anyone holding a link allows them to forward it to their personal email account, providing ongoing access to the files.
Optimal Approaches to Secure File Sharing
Efficient resource sharing is integral to streamlined business operations. We recommend adhering to these best practices when sharing data with external users:
- Share files exclusively with individual users, requiring authentication for added security. Avoid using the “anyone with the link” sharing option, and, whenever feasible, administrators should disable this feature.
- Where supported by applications, incorporate expiration dates and passwords for shared files to enhance data control.
- Attach expiration dates to file-sharing invitations to maintain time-bound access.
- Prudently revoke sharing permissions for any public document that is no longer in active use.
Furthermore, organizations are encouraged to leverage SaaS security tools capable of identifying publicly shared resources and signaling them for prompt remediation. This functionality empowers companies to gauge the associated risks with publicly shared files and guides them in securing potentially vulnerable resources.
Book a demo to see Adaptive Shield’s Data Inventory in action