Attacks/Breaches
8/14/2012
09:38 AM
9 Google Apps Security Secrets For Business

After the hack of a journalist's digital life, is your business protected against nosy rivals and even hacktivists? It's time to strengthen your Google security plan.

6. Respect HTTPS limits: Using Google Apps offers numerous security upsides, especially for small businesses that may lack full-time--or highly experienced--staffers to handle all information security concerns. One of those benefits is that all communication between users' browsers and Google is encrypted. According to the Google boilerplate: "We also automatically encrypt browser sessions with SSL for Apps users without the need for VPNs or other costly, cumbersome infrastructure. This helps protect your data as it travels between your browser and our data centers."

But HTTPS security has limits. "Really, that's only going to prevent someone from eavesdropping on the communication, while it's happening," said the threat intelligence manager for Trustwave SpiderLabs, who goes by "Space Rogue," speaking by phone. "It's not going to stop someone who's able to brute-force your password."

7. Understand access control: An attacker who is able to access someone's Google account sees whatever that user can see. Google Docs users can't password-protect their uploaded documents; a document can only be marked private, or have its access restricted to a designated list of people identified by their email addresses. Accordingly, if an attacker gains access to your Google account, any document you've uploaded, or to which you already have access, can be read. Likewise, if an attacker accesses the Gmail account of anyone with whom you've shared a document, the attacker can read that document--unless, of course, the document is encrypted.

8. Encrypt docs before uploading to Google: Accordingly, why not simply encrypt all documents before they get uploaded to Google? Unfortunately, doing so is currently cumbersome, although efforts are underway to make it easier. For example, two government-funded computer scientists at Trinity College Dublin in Ireland have created an approach dubbed CipherDocs, which can encrypt any document before it's uploaded to Google's servers, via a browser plug-in. Granting specific people access to the keys required to decode the documents, meanwhile, is handled by their third-party KeyHub service.

The researchers hope to extend their current prototype by adding compatibility for Google spreadsheets, as well as Dropbox, and allowing it to work with Chrome and Internet Explorer. While the approach is untested, it suggests how another layer of security--handled by a third party--could be added to Google Apps to better control access to shared documents.
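The following is an added example, not code from the article and not the CipherDocs or KeyHub implementation. It shows the design that tips 7 and 8 describe: the document is encrypted on the client under a fresh per-document key, only the ciphertext goes to the document host, and that key is wrapped separately for each person allowed to read it and held by a separate key service. A hijacked storage account, or a hijacked mailbox of someone the document was shared with, yields ciphertext only. All names, the two colleagues' keys and the memo are constructed; the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, used here only because the Python standard library ships no AES (a real deployment would use AES-GCM from a vetted library).

```python
"""Client-side encryption before upload (added example; assumptions noted)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent subkeys for encryption and authentication."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(enc_key, nonce || counter) per 32-byte block.
    Stand-in for AES-CTR because the stdlib has no block cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; any modification or wrong key raises ValueError."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


@dataclass
class SharedDocument:
    """What each party stores: the document host holds only `ciphertext`;
    the key service holds only `wrapped_keys` (recipient address -> wrapped DEK)."""
    ciphertext: bytes
    wrapped_keys: dict = field(default_factory=dict)


def share_document(plaintext: bytes, recipients: dict) -> SharedDocument:
    """Encrypt once under a fresh data-encryption key (DEK), then wrap the DEK
    for each recipient. `recipients` maps an email address to that person's key."""
    dek = os.urandom(32)
    doc = SharedDocument(ciphertext=seal(dek, plaintext))
    for address, recipient_key in recipients.items():
        doc.wrapped_keys[address] = seal(recipient_key, dek)
    return doc


def read_document(doc: SharedDocument, address: str, recipient_key: bytes) -> bytes:
    """Unwrap the DEK with the recipient's own key, then decrypt the body.
    KeyError if the address was never granted access; ValueError on a wrong key."""
    dek = open_sealed(recipient_key, doc.wrapped_keys[address])
    return open_sealed(dek, doc.ciphertext)


def attacker_view(doc: SharedDocument) -> bytes:
    """What an account hijacker can copy from the document host: ciphertext only."""
    return doc.ciphertext


def tampered_copy(doc: SharedDocument) -> SharedDocument:
    """Flip one ciphertext byte, as a modified upload would; decryption must reject it."""
    body = bytearray(doc.ciphertext)
    body[20] ^= 0x01
    return SharedDocument(ciphertext=bytes(body), wrapped_keys=doc.wrapped_keys)


# Constructed sample: two colleagues with their own keys, which the host never sees.
ALICE_KEY = os.urandom(32)
BOB_KEY = os.urandom(32)
MEMO = b"Q3 pricing strategy - internal only"
SAMPLE = share_document(MEMO, {"alice@example.com": ALICE_KEY, "bob@example.com": BOB_KEY})

if __name__ == "__main__":
    print(read_document(SAMPLE, "alice@example.com", ALICE_KEY))
```

Revoking a reader in this design means deleting that person's wrapped key from the key service (and re-encrypting under a new DEK if they may have cached the old one); the document host's own sharing list never needs to be trusted for confidentiality.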

9. Maintain backup email accounts: What happens if someone hacks into your Gmail account and changes the password? "In the case of Google Docs, a lot of people have everything in Google, from the email accounts, to the documents and spreadsheets. And they have their password recoveries sent to Gmail. So once you gain access to someone's primary email account, be it Gmail or others, you have access to everything else," said Space Rogue. "If you want to get into someone's bank account, you just send a password reset to the email, and you've got access. All that stuff is linked together."

"So at the very least, have more than one email account," he said. That way, you can also see if someone has started resetting your passwords, especially for the primary email account. In the case of Honan, notably, the attacker controlled Honan's Gmail account, and quickly deleted any password-reset notification warnings that might have tipped him off to the attack.
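As an added example (not from the article or from Trustwave), the following audit makes the "all that stuff is linked together" point measurable. It treats every account's password-recovery address as an edge, computes how many accounts fall if a given mailbox is taken over, flags mailboxes that are single points of failure and the mutual-recovery loops that leave no safe root, and scans a constructed backup-mailbox inbox for the burst of reset notices that the article says a second account lets you notice. The account inventory and the messages are constructed.

```python
"""Password-recovery dependency audit (added example; inventory is constructed)."""
from collections import deque
from datetime import datetime, timedelta

# Constructed inventory: account -> mailbox that receives its password resets.
# None means no email-based recovery (e.g. phone or hardware token only).
ACCOUNTS = {
    "gmail-primary": "backup-mail",
    "backup-mail": None,
    "bank": "gmail-primary",
    "broker": "gmail-primary",
    "twitter": "gmail-primary",
    "google-docs": "gmail-primary",
}

# Same inventory with a common mistake: the backup recovers to the primary,
# so the two mailboxes reset each other and there is no root left to protect.
LOOPED = {**ACCOUNTS, "backup-mail": "gmail-primary"}


def blast_radius(accounts: dict, seed: str) -> set:
    """Accounts an attacker reaches by requesting resets after taking `seed`.
    Breadth-first over reverse edges (who resets *to* the compromised mailbox);
    the visited set makes mutual-recovery loops terminate."""
    resets_to = {}
    for acct, recovery in accounts.items():
        resets_to.setdefault(recovery, []).append(acct)
    seen, queue = {seed}, deque([seed])
    while queue:
        current = queue.popleft()
        for dependent in resets_to.get(current, []):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen - {seed}


def single_points_of_failure(accounts: dict, threshold: int = 2) -> dict:
    """Mailboxes whose compromise exposes at least `threshold` other accounts."""
    radii = {a: sorted(blast_radius(accounts, a)) for a in accounts}
    return {a: r for a, r in radii.items() if len(r) >= threshold}


def recovery_loops(accounts: dict) -> set:
    """Pairs (A, B) where A recovers to B and B recovers back to A."""
    loops = set()
    for a, b in accounts.items():
        if b is not None and accounts.get(b) == a:
            loops.add(tuple(sorted((a, b))))
    return loops


def roots(accounts: dict) -> set:
    """Accounts with no email recovery: the ones that must carry the strongest
    password and second factor, since everything else chains back to them."""
    return {a for a, recovery in accounts.items() if recovery is None}


# Constructed messages in the backup mailbox: (sender, subject, ISO timestamp).
BACKUP_INBOX = [
    ("no-reply@accounts.example", "Password reset requested for gmail-primary", "2012-08-03T17:02:00"),
    ("security@bank.example", "Your password reset code", "2012-08-03T17:05:00"),
    ("alerts@broker.example", "Password reset requested", "2012-08-03T17:06:00"),
    ("newsletter@shop.example", "Weekend deals", "2012-08-03T18:00:00"),
]


def reset_burst(messages: list, window_minutes: int = 30, min_count: int = 2) -> list:
    """Return the subjects of the first run of >= min_count password-reset
    notices that arrive within `window_minutes`, or [] if there is none."""
    notices = sorted((datetime.fromisoformat(ts), subject)
                     for _, subject, ts in messages
                     if "password reset" in subject.lower())
    for start, _ in notices:
        run = [s for t, s in notices if start <= t <= start + timedelta(minutes=window_minutes)]
        if len(run) >= min_count:
            return run
    return []


if __name__ == "__main__":
    print("single points of failure:", single_points_of_failure(ACCOUNTS))
    print("loops in the bad layout:", recovery_loops(LOOPED))
    print("reset burst seen by backup mailbox:", reset_burst(BACKUP_INBOX))
```

Note that the backup mailbox has the largest blast radius of all, because it can reset the primary; that is why it must be the best-protected account in the inventory rather than an afterthought, and why it must never recover back to the primary.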


Comments
robert.bsn.ie,
User Rank: Apprentice
8/31/2012 | 4:24:26 PM
re: 9 Google Apps Security Secrets For Business
Probably the easiest security measure to take if you have a Google Apps Domain is to download a Free Audit Tool for Google Apps from the marketplace. Most loss occurs from the inside. Audit helps prevent that.
seanacampbell,
User Rank: Apprentice
8/16/2012 | 4:25:47 PM
re: 9 Google Apps Security Secrets For Business
Competitive Intelligence experts do not "hack" email accounts. Competitive Intelligence is an ethical, legal practice. See the Strategic and Competitive Intelligence Professionals (SCIP.org) Code of Ethics for more on this point.

Corporate Espionage is what the author is referring to in the article, not the ethical practice of gathering Competitive Intelligence on one's industry and potential and current competitors.

Thanks,

Sean Campbell
Principal - Cascade Insights
www.cascadeinsights.com