Find out how we celebrated our value, “being worthy of trust,” during Trustober — and the #1 thing you can do to keep your data secure

Dropbox
Life Inside Dropbox
5 min read · Nov 10, 2020

From day one, security has always been our top priority at Dropbox, and at the heart of our mission and values. We’re not just a data storage company. We aim to be the place where you can put your invaluable family photos, your important medical documents, your artistic breakthroughs, your business plans, and everything in between — and trust that we will take care of it. The privacy of our users and their data as they create, collaborate, and work better from all corners of the globe is a focus that cannot be overstated.

We have an entire month dedicated to celebrating our culture of security and being worthy of trust at Dropbox through talks, workshops, and events that teach us how to best protect our users and each other. Held every fall, Trustober (a memorable combination of “trust” and “October,” our version of National Cybersecurity Awareness Month) is one way for all Dropboxers to learn more about why trust is so integral to our values. We’ve found that one of the best learning methods for all of us is a little more hands-on than your average webinar — which is where Senior Security Engineer of Offensive Security John Cramb comes in.

John said, “A couple years ago, we organized an operation called Project Papercut, which was our first big internal offensive security operation. The idea was to grant scary permissions to someone’s Dropbox via a non-scary workflow. Basically, could you do something that seemed benign, but actually would give an attacker complete access to all of your stuff?

So we sent a phishing email out that leveraged a fake new Dropbox feature. Employees would click on the ‘try now’ link, and a pop-up would say that Dropbox Paper is attempting to access your Dropbox, which of course seems normal. They would click ‘approve’ and then we would have complete access.

What we found was that this style of attack was actually too successful. It never got detected! We compromised six out of six targets, and the first target was compromised in about 45 seconds. As a result of that, we now have a completely revamped malicious app or developer app control flow in Dropbox. We even tried to do that attack again this year as part of a data breach tabletop exercise, and we weren’t able to do it. It was completely shut down right at the very beginning because of the changes coming from Project Papercut.”
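The Papercut prompt worked because a third-party app could present itself as a first-party feature and ask for complete access in one click. The gate below is an added illustration of the kind of consent-screen check an app-approval flow can apply before showing the prompt; it is not Dropbox's own code, and the scope names, field names and product-name list are assumptions.

```python
"""Consent-screen gate for third-party app authorization requests.

Added example, not Dropbox's code. It decides whether an authorization
prompt is shown at all: an app whose name mimics a first-party product is
refused, and an unverified publisher asking for full-access scopes is
routed to admin approval instead of a one-click user prompt.
"""
from dataclasses import dataclass

# Product names a third-party app must not impersonate (assumed list).
FIRST_PARTY_NAMES = {"dropbox", "dropbox paper", "paper"}
# Scopes treated as "complete access to all of your stuff" (assumed names).
HIGH_RISK_SCOPES = {"files.content.write", "files.content.read", "sharing.write"}


@dataclass(frozen=True)
class ConsentRequest:
    app_name: str
    scopes: frozenset
    publisher_verified: bool
    # Set by the platform from its own app registry, never from the request.
    is_first_party: bool


def _looks_first_party(name: str) -> bool:
    """True if the display name contains a protected product name."""
    lowered = name.strip().lower()
    return any(fp in lowered for fp in FIRST_PARTY_NAMES)


def evaluate_consent(req: ConsentRequest) -> str:
    """Return 'allow', 'admin_approval' or 'block' for a consent prompt."""
    if req.is_first_party:
        return "allow"
    if _looks_first_party(req.app_name):
        # Third party mimicking a first-party feature: consent phishing.
        return "block"
    if req.scopes & HIGH_RISK_SCOPES and not req.publisher_verified:
        # Broad scopes from an unverified publisher: no one-click approval.
        return "admin_approval"
    return "allow"


# Constructed sample resembling the Papercut prompt described above.
PAPERCUT_STYLE = ConsentRequest(
    app_name="Dropbox Paper", scopes=frozenset(HIGH_RISK_SCOPES),
    publisher_verified=False, is_first_party=False)
```
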

Of course, since security is a 24/7, 365 focus at Dropbox and not just a fleeting concern, the testing doesn’t start nor end with projects like Project Papercut. We are constantly performing checks on our security standards to make sure we’re keeping ourselves and our customers safe.

Security Operations Manager OiFun Tse said, “We actually run internal campaigns more like once a month, but we cater the campaigns specifically to certain people or certain geographies. When they do click on our links, we’ll send them this email that says, ‘you fell for it.’ I think they feel embarrassed enough that they won’t make the same mistake again! But we actually will still target them again to make sure that they’ve improved, and they do.”

And as the year has seen us adapt to a Virtual First working environment, making sure that security is top of mind for all of us is more important than ever. Our Trustober programming is centered around four different pillars that each represent a connected, integral part of Dropbox: physical security, cyber security, reliability, and privacy. Dropboxers can get familiar with each of these aspects not only through more formal methods, like John’s virtual session about social engineering, but also through more creative outlets — all in all, we had over a dozen events to participate in this year.

Our Crustober contest encouraged Dropboxers to design a specially-themed Trustober pizza, while an online CTF (Capture the Flag) game, normally played by those in the cybersecurity space, was opened for all Dropboxers to participate in. And finally, specially designed Zoom backgrounds will help us carry the spirit of Trustober not only through the month but well beyond it.

John is eager to see how Dropboxers take their Trustober knowledge back into their jobs with them. He said, “One of the things which makes Dropbox as secure as we are is the people. We have a really wonderful collaborative culture where people feel comfortable reaching out and checking things that seem uncertain with other people. Even recently, when we were targeted by a real phishing campaign against Okta, it immediately got flagged and managed, and that was as a result of our culture.

If there were two takeaways I would give people out of Trustober, they would be to use a password manager and to enable two-factor authentication (2FA) whenever possible! Don’t ever reuse a password — it is one of the number one attack vectors. If you can patch your home router and then use a password manager, you’re doing really well.”

If being worthy of trust is a core principle that resonates with you, then check out our jobs page for open positions and information on applying.


Dropbox is the world’s first smart workspace that helps people and teams focus on the work that matters.