Attacks/Breaches
8/14/2012
09:38 AM

9 Google Apps Security Secrets For Business

After journalist's life hack, is your business protected against nosy rivals and even hacktivists? It's time to strengthen your Google security plan.

6. Respect HTTPS limits: Using Google Apps offers numerous security upsides, especially for small businesses that may lack full-time--or highly experienced--staffers to handle all information security concerns. One of those benefits is that all communications between users' browsers and Google are encrypted. According to the Google boilerplate: "We also automatically encrypt browser sessions with SSL for Apps users without the need for VPNs or other costly, cumbersome infrastructure. This helps protect your data as it travels between your browser and our data centers."

But HTTPS security has limits. "Really, that's only going to prevent someone from eavesdropping on the communication, while it's happening," said the threat intelligence manager for Trustwave SpiderLabs, who goes by "Space Rogue," speaking by phone. "It's not going to stop someone who's able to brute-force your password."

7. Understand access control: An attacker who's able to access someone's Google account will see whatever the user can see. Users of Google Docs can't set their uploaded documents to be password-protected--only designated as private, or with access restricted to a designated list of people, based on their email addresses. Accordingly, if an attacker gains access to your Google account, any documents you've uploaded, or which you already have access to, can be seen. Likewise, if an attacker accesses the Gmail account of anyone with whom you've shared a document, the attacker can see that document--unless, of course, the documents are encrypted.

8. Encrypt docs before uploading to Google: Accordingly, why not simply encrypt all documents before they get uploaded to Google? Unfortunately, doing so is currently cumbersome, although efforts are underway to make it easier. For example, two government-funded computer scientists at Trinity College Dublin in Ireland have created an approach dubbed CipherDocs, which can encrypt any document before it's uploaded to Google's servers, via a browser plug-in. Allowing specific people access to the keys required to decode the documents, meanwhile, is handled by their third-party KeyHub service.

The researchers hope to extend their current prototype by adding compatibility for Google spreadsheets, as well as Dropbox, and allowing it to work with Chrome and Internet Explorer. While the approach is untested, it suggests how another layer of security--handled by a third party--could be added to Google Apps to better control access to shared documents.
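
The general idea in tip 8, encrypting a document locally and releasing its key only to designated people, shown as an added example (this is not CipherDocs or KeyHub code, whose internals are not described here). It assumes Node.js and its built-in crypto module; the function names, the recipient address and the sample document are hypothetical.

```javascript
const nodeCrypto = require('node:crypto');
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Encrypt the document with a fresh AES-256-GCM key, then wrap that key
// separately for each designated recipient's RSA public key.
function encryptForRecipients(plaintext, recipients) {
  const docKey = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12); // must be unique per document key
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', docKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const wrappedKeys = {};
  for (const [email, publicKey] of Object.entries(recipients)) {
    wrappedKeys[email] = nodeCrypto.publicEncrypt({ key: publicKey, ...OAEP }, docKey);
  }
  // Only this envelope is uploaded; the storage provider never sees docKey.
  return { iv, tag: cipher.getAuthTag(), ciphertext, wrappedKeys };
}

// Unwrap the document key with the recipient's private key and decrypt.
// GCM's tag check makes final() throw if the stored bytes were altered.
function decryptAs(email, privateKey, envelope) {
  const wrapped = envelope.wrappedKeys[email];
  if (!wrapped) throw new Error(`no key was shared with ${email}`);
  const docKey = nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, wrapped);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', docKey, envelope.iv);
  decipher.setAuthTag(envelope.tag);
  return Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]);
}

// Constructed demo: one designated reader, one account that is not on the list.
function demo() {
  const alice = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const doc = Buffer.from('Q3 pricing draft (constructed sample)');
  const envelope = encryptForRecipients(doc, { 'alice@example.com': alice.publicKey });
  const recovered = decryptAs('alice@example.com', alice.privateKey, envelope).toString();
  const leaksPlaintext = envelope.ciphertext.includes(doc);

  let outsiderBlocked = false; // has the uploaded blob but was never given a key
  try { decryptAs('outsider@example.com', alice.privateKey, envelope); }
  catch { outsiderBlocked = true; }

  let tamperDetected = false;  // a modified stored copy must not decrypt
  envelope.ciphertext[0] ^= 1;
  try { decryptAs('alice@example.com', alice.privateKey, envelope); }
  catch { tamperDetected = true; }
  return { recovered, leaksPlaintext, outsiderBlocked, tamperDetected };
}
```

The protection holds only while private keys stay off the account being protected: a key stored in the same Google account falls with it.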

9. Maintain backup email accounts: What happens if someone hacks into your Gmail account and changes the password? "In the case of Google Docs, a lot of people have everything in Google, from the email accounts, to the documents and spreadsheets. And they have their password recoveries sent to Gmail. So once you gain access to someone's primary email account, be it Gmail or others, you have access to everything else," said Space Rogue. "If you want to get into someone's bank account, you just send a password reset to the email, and you've got access. All that stuff is linked together."

"So at the very least, have more than one email account," he said. That way, you can also see if someone has started resetting your passwords, especially for the primary email account. In the case of Honan, notably, the attacker controlled Honan's Gmail account, and quickly deleted any password-reset notification warnings that might have tipped him off to the attack.

Comments
robert.bsn.ie,
User Rank: Apprentice
8/31/2012 | 4:24:26 PM
re: 9 Google Apps Security Secrets For Business
Probably the easiest security measure to take if you have a Google Apps Domain is to download a Free Audit Tool for Google Apps from the marketplace. Most loss occurs from the inside. Audit helps prevent that.
seanacampbell,
User Rank: Apprentice
8/16/2012 | 4:25:47 PM
re: 9 Google Apps Security Secrets For Business
Competitive Intelligence experts do not "hack" email accounts. Competitive Intelligence is an ethical, legal practice. See the Strategic and Competitive Intelligence Professionals (SCIP.org) Code of Ethics for more on this point.

Corporate Espionage is what the author is referring to in the article, not the ethical practice of gathering Competitive Intelligence on one's industry and potential and current competitors.

Thanks,

Sean Campbell
Principal - Cascade Insights
www.cascadeinsights.com