9 Google Apps Security Secrets For Business

Published: 22/11/2024   Category: security




After journalist's life hack, is your business protected against nosy rivals and even hacktivists? It's time to strengthen your Google security plan.



In the wake of the hack of technology journalist Mat Honan, many users of cloud-based services are running scared.
Forget Twitter-hacking attackers named Phobia who managed to compromise a well-known technology journalist's Google credentials and Twitter account. What about competitive intelligence experts who might want to hack rivals' Gmail accounts to siphon away corporate secrets? Or hacktivists seeking a reprise of the Anonymous attack against HBGary, which copied and then deleted the firm's Gmail accounts?
To help stop life hack, competitive intelligence, or hacktivist attacks that come gunning for corporate data, all Google Apps for Business users--and especially corporate administrators--should pursue the following nine security strategies:
1. Create a Google security plan:
Anyone who uses Google for business should begin by detailing all related security processes and procedures, with an eye toward spotting potential weak points--especially single points of failure--and having a data breach response plan. As an example of what can happen without this type of plan, take the February 2011 hack of HBGary's email by the hacktivist group Anonymous. Briefly, HBGary had threatened to reveal the identities of many group members. In retaliation, members of Anonymous used a stolen password to hack into HBGary's company-wide Gmail account, from which they copied and then deleted every email they found. According to HBGary CEO Greg Hoglund, he saw the attack unfolding, but wasn't able to convince the Google help desk of his own identity in time to prevent all of the company's emails from being copied.
2. Use two-factor authentication:
Anyone who possesses just a Google account username and password can access that account and everything it sees, including documents and spreadsheets, unless Google's two-factor authentication system is enabled. Accordingly, enabling it is a no-brainer for every business user.
"In the case of the Honan hack, for example, much of the story is about Amazon or Apple's security practices, but I would still advise everyone to turn on Google's two-factor authentication to make your Gmail account safer and less likely to get hacked," said Matt Cutts, the head of Google's Web spam team, in a personal blog post.
Likewise, Gartner analyst John Pescatore said HBGary was at least partially to blame for the unauthorized access to--and deletion of--its Gmail accounts, because the security technology company wasn't using Google's two-factor authentication system.
3. Configure two-factor for external email accounts:
Google's Cutts also noted that while Google's two-factor authentication system is designed for browsers, POP and IMAP email clients can be given unique passwords for checking Gmail. Using such passwords makes it more difficult for an attacker who's compromised an employee's Gmail credentials to surreptitiously and remotely listen in on all email communications.
4. Extend Google authenticator, where applicable:
Likewise, Google's two-factor authentication will work with additional sites, including LastPass, WordPress, Amazon Web Services, Drupal, and DreamHost, said Cutts. In the case of WordPress, for example, an administrator can set the blogging software to require two-factor authentication for specific user accounts.
5. Delete users after they depart:
As part of your company's Google Apps for Business security plan, ensure that processes are in place to immediately change the passwords of departing users--or better yet, to remove their accounts entirely. That helps prevent former employees from taking sensitive information or customer lists with them.
6. Respect HTTPS limits:
Using Google Apps offers numerous security upsides, especially for small businesses that may lack full-time--or highly experienced--staffers to handle all information security concerns. One of those benefits is that all communications between users' browsers and Google are encrypted. According to the Google boilerplate: "We also automatically encrypt browser sessions with SSL for Apps users without the need for VPNs or other costly, cumbersome infrastructure. This helps protect your data as it travels between your browser and our data centers."
But HTTPS security has limits. "Really, that's only going to prevent someone from eavesdropping on the communication, while it's happening," said the threat intelligence manager for Trustwave SpiderLabs, who goes by Space Rogue, speaking by phone. "It's not going to stop someone who's able to brute-force your password."
7. Understand access control:
An attacker who's able to access someone's Google account will see whatever the user can see. Users of Google Docs can't set their uploaded documents to be password-protected--they can only be designated as private, or have access restricted to a designated list of people, based on their email addresses. Accordingly, if an attacker gains access to your Google account, any documents you've uploaded, or which you already have access to, can be seen. Likewise, if an attacker accesses the Gmail account of anyone with whom you've shared a document, the attacker can see that document--unless, of course, the documents are encrypted.
8. Encrypt docs before uploading to Google:
Accordingly, why not simply encrypt all documents before they get uploaded to Google? Unfortunately, doing so is currently cumbersome, although efforts are underway to make it easier. For example, two government-funded computer scientists at Trinity College Dublin in Ireland have created an approach dubbed CipherDocs, which can encrypt any document before it's uploaded to Google's servers, via a browser plug-in. Allowing specific people access to the keys required to decode the documents, meanwhile, is handled by their third-party KeyHub service.
The researchers hope to extend their current prototype by adding compatibility for Google spreadsheets, as well as Dropbox, and allowing it to work with Chrome and Internet Explorer. While the approach is untested, it suggests how another layer of security--handled by a third party--could be added to Google Apps to better control access to shared documents.
9. Maintain backup email accounts:
What happens if someone hacks into your Gmail account and changes the password? "In the case of Google Docs, a lot of people have everything in Google, from the email accounts, to the documents and spreadsheets. And they have their password recoveries sent to Gmail. So once you gain access to someone's primary email account, be it Gmail or others, you have access to everything else," said Space Rogue. "If you want to get into someone's bank account, you just send a password reset to the email, and you've got access. All that stuff is linked together."
"So at the very least, have more than one email account," he said. That way, you can also see if someone has started resetting your passwords, especially for the primary email account. In the case of Honan, notably, the attacker controlled Honan's Gmail account, and quickly deleted any password-reset notification warnings that might have tipped him off to the attack.
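The password-reset chain described in item 9, and the single points of failure item 1 asks a security plan to identify, can be mapped before an incident. The following is an added example, not part of the original article: the account names and recovery map are constructed, and the model assumes that control of a recovery mailbox is enough to reset every account pointing at it.

```python
from collections import deque

# Constructed sample: account -> mailbox that receives its password resets.
# All account names are hypothetical.
RECOVERY = {
    "bank": "gmail-primary",
    "twitter": "gmail-primary",
    "google-docs": "gmail-primary",
    "gmail-primary": "backup-mail",
    "backup-mail": "gmail-primary",   # circular recovery between the two mailboxes
    "payroll": "work-mail",
    "work-mail": None,                # no e-mail recovery configured
}

def blast_radius(recovery, compromised):
    """Return every account reachable by password reset from `compromised`."""
    # Invert the map: mailbox -> accounts that send their resets to it.
    resets_to = {}
    for account, mailbox in recovery.items():
        if mailbox is not None:
            resets_to.setdefault(mailbox, set()).add(account)
    # Breadth-first walk: each account taken over may itself be a recovery mailbox.
    seen, queue = {compromised}, deque([compromised])
    while queue:
        current = queue.popleft()
        for account in resets_to.get(current, ()):
            if account not in seen:
                seen.add(account)
                queue.append(account)
    return seen - {compromised}

def single_points_of_failure(recovery, threshold=2):
    """Rank mailboxes whose compromise exposes at least `threshold` accounts."""
    ranked = []
    for mailbox in sorted(recovery):
        exposed = blast_radius(recovery, mailbox)
        if len(exposed) >= threshold:
            ranked.append((mailbox, sorted(exposed)))
    return sorted(ranked, key=lambda item: (-len(item[1]), item[0]))

if __name__ == "__main__":
    for mailbox, exposed in single_points_of_failure(RECOVERY):
        print(f"{mailbox}: {len(exposed)} accounts exposed -> {exposed}")
```

In this sample the backup mailbox ranks as high as the primary one, because each is the other's recovery address; a backup account only reduces exposure if it is protected as carefully as the primary.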
One of the biggest challenges facing IT today is risk assessment. Risk measurement and impact assessment aren't exact sciences, but there are tools, processes, and principles that can be leveraged to ensure that organizations are well-protected and that senior management is well-informed. In our Measuring Risk: A Security Pro's Guide report, we recommend tools for evaluating security risks and provide some ideas for effectively putting the resulting data into business context. (Free registration required.)
