Re: [EXTERNAL] [SECURITY] Shared drives folders

[Scott Norton <dsnorton () UW EDU>]

Microsoft is also ahead on recovery from ransom attacks.  Users can easily role back files in ODfB to a state on a date 
before the attack.  Google doesn’t provide a solution for bulk rollback of files, so you have to build your own using 
the API.  The situation with Google is further complicated by API throttling and lots of common errors that need to be  
handled.

Also be forewarned that if you allow access to your Google Shared Drive outside your organization you will also be 
susceptible to transfer of ownership attacks whereby they make the only manager of a Shared Drive an external account.  
Though if it is moved to a consumer identity it is recoverable using the API.  (May also be the case with an identity 
from an outside enterprise service, but I have not been able to verify that is the case when the user it is transferred 
to has rights to use Shared Drives.)   In a recent incident, it took us about 2 weeks running a lot of script instances 
in parallel to regain control of around 3K shared drives.

We are using Microsoft Cloud App and Azure Sentinel to monitor our Google services, but unfortunately it is not 
grabbing the audit data we need to trigger alerts on this.  We are working on getting the shared drive manager change 
audits into Sentinel so we get alerted to when an external Google account is made a manager.

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Nathan Phillips
Sent: Wednesday, October 7, 2020 9:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [EXTERNAL] [SECURITY] Shared drives folders

We moved to Google Shared Drives.

However, I saw the Zero trust webinar yesterday sponsored by Microsoft and I thought it was very compelling.

It feels like they are ahead of google in security issues (at least in terms of what my institution could deploy). I’m 
curious if I am simply susceptible to good presentation or if there’s accuracy in my “feelings” (lol, maybe it’s 
obvious I’m not a security professional since I’m relying on my feelings).

But getting off-prem seems to be a good first step, regardless (all things being equal).

-Nathan


--------------------------------------------------------
Nathan Phillips, CIO
American College of Healthcare Sciences
Portland, Oregon
--------------------------------------------------------


On Oct 7, 2020, at 9:09 AM, Mark Reboli <mreboli () MISERICORDIA EDU<mailto:mreboli () MISERICORDIA EDU>> wrote:

That was the perfect answer.  Getting some push back so glad others are trying to do the same.

M

From: The EDUCAUSE Security Community Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Smith, 
Jason
Sent: Wednesday, October 7, 2020 11:56 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] [EXTERNAL] [SECURITY] Shared drives folders

External Email: Do not click any links or open any attachments unless you trust the sender and know the content is safe.
Perhaps not the answer you’re looking for, but in short:  Migrating them to Microsoft Teams.


Jason E. Smith, MS PMP CPHIMS CSM
Director of IT, Bon Secours Memorial College
8550 Magellan Parkway #1100, Richmond, VA 23227
[cid:image001.png@01D69C8C.A1CBA280]

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Mark Reboli
Sent: Wednesday, October 7, 2020 11:02 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [EXTERNAL] [SECURITY] Shared drives folders

[Warning: This email originated outside our organization's email system. Be wary of links and attachments unless you 
recognize the sender. Never share your username or password.]
Looking to see how people are addressing shared drives on and off premise access in light of ransomware spread and 
cybersecurity requirements.

If you can provide any suggestion please let me know what you are doing from your perspective.  If you would like to 
discuss offline please know that I am more than happy and thankful for the discussion

M

Mark Reboli
Network/Telecom/IT Security Manager
Misericordia University
(570) 674-6753

This e-mail and accompanying attachments are confidential.  The information is intended solely for the use of the 
individual to whom it is addressed. Any review, disclosure, copying, distribution, or use of this e-mail communication 
by others is strictly prohibited. If you are not the intended recipient, please notify us immediately by returning this 
message to the sender and delete all copies. Thank you for your cooperation.

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cdsnorton%40uw.edu%7C1589821f51294ceca08408d86add0fc5%7Cf6b6dd5bf02f441a99a0162ac5060bd2%7C1%7C0%7C637376844973771569&sdata=mfuRZfk97B5ZfKCPcwoavpNnOUlh%2BqGUmqmuyT5OmgQ%3D&reserved=0>
**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cdsnorton%40uw.edu%7C1589821f51294ceca08408d86add0fc5%7Cf6b6dd5bf02f441a99a0162ac5060bd2%7C1%7C0%7C637376844973771569&sdata=mfuRZfk97B5ZfKCPcwoavpNnOUlh%2BqGUmqmuyT5OmgQ%3D&reserved=0>
**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cdsnorton%40uw.edu%7C1589821f51294ceca08408d86add0fc5%7Cf6b6dd5bf02f441a99a0162ac5060bd2%7C1%7C0%7C637376844973781564&sdata=m4o7zX9Kh5vxHNj%2B5yBc3R%2FBCoFqZ0puKThB%2FSPc1Xg%3D&reserved=0>


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cdsnorton%40uw.edu%7C1589821f51294ceca08408d86add0fc5%7Cf6b6dd5bf02f441a99a0162ac5060bd2%7C1%7C0%7C637376844973781564&sdata=m4o7zX9Kh5vxHNj%2B5yBc3R%2FBCoFqZ0puKThB%2FSPc1Xg%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community