Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9 Google Apps Security Secrets For Business

After journalist's life hack, is your business protected against nosy rivals and even hacktivists? It's time to strengthen your Google security plan.

In the wake of the hack of technology journalist Mat Honan, many users of cloud-based services are running scared.

Forget Twitter-hacking attackers named "Phobia" who managed to compromise a well-known technology journalist's Google credentials and Twitter account. What about competitive intelligence experts who might want to hack rivals' Gmail accounts to siphon away corporate secrets? Or hacktivists seeking a reprise of the Anonymous attack against HBGary, which copied and then deleted the firm's Gmail accounts?

To help stop "life hack," competitive intelligence, or hacktivist attacks that come gunning for corporate data, all Google Apps for Business users--and especially corporate administrators--should pursue the following nine security strategies:

1. Create a Google security plan: Anyone who uses Google for business should begin by detailing all related security processes and procedures, with an eye toward spotting potential weak points--especially single points of failure--and having a data breach response plan. As an example of what can happen without this type of plan, take the February, 2011 hack of HBGary's email by the hacktivist group Anonymous. Briefly, HBGary had threatened to reveal the identities of many group members. In retaliation, members of Anonymous used a stolen password to hack into HBGary's company-wide Gmail account, from which it copied and then deleted every email it found. According to HBGary CEO Greg Hoglund, he saw the attack unfolding, but wasn't able to convince the Google help desk of his own identity, in time to prevent all of the company's emails from being copied.

2. Use two-factor authentication: Anyone who possesses just a Google account username and password can access that account and everything it sees, including documents and spreadsheets, unless Google's two-factor authentication system is enabled. Accordingly, enabling it is a no-brainer for every business user.

In the case of the Honan hack, for example, "much of the story is about Amazon or Apple's security practices, but I would still advise everyone to turn on Google's two-factor authentication to make your Gmail account safer and less likely to get hacked," said Matt Cutts, the head of Google's Web spam team, in a personal blog post.

Likewise, Gartner analyst John Pescatore said HBGary was at least partially to blame for the unauthorized access to--and deletion of--its Gmail accounts, because the security technology company wasn't using Google's two-factor authentication system.

3. Configure two-factor for external email accounts: Google's Cutts also noted that while Google's two-factor authentication system is designed for browsers, POP and IMAP email clients can be given unique passwords for checking Gmail. Using such passwords makes it more difficult for an attacker who's compromised an employee's Gmail credentials to surreptitiously and remotely listen in to all email communications.

4. Extend Google authenticator, where applicable: Likewise, Google's two-factor authentication will work with additional sites, including LastPass, WordPress, Amazon Web Services, Drupal, and DreamHost, said Cutts. In the case of WordPress, for example, an administrator can set the blogging software to require two-factor authentication for specific user accounts.

5. Delete users after they depart: As part of your company's Google Apps for Business security plan, ensure that processes are in place to immediately change the passwords of departing users--or better yet, to remove their accounts entirely. That helps prevent former employees from taking sensitive information or customer lists with them.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
robert.bsn.ie
50%
50%
robert.bsn.ie,
User Rank: Apprentice
8/31/2012 | 4:24:26 PM
re: 9 Google Apps Security Secrets For Business
Probably the easiest security measure to take if you have a Google Apps Domain is download a Free Audit Tool for Google Apps from the marketplace. Most loss occurs from the inside. Audit helps prevent that.
seanacampbell
50%
50%
seanacampbell,
User Rank: Apprentice
8/16/2012 | 4:25:47 PM
re: 9 Google Apps Security Secrets For Business
Competitive Intelligence experts do not "hack" email accounts. Competitive Intelligence is an ethical, legal practice. See the Strategic and Competitive Intelligence Professionals (SCIP.org) Code of Ethics for more on this point.

Corporate Espionage is what the author is referring to in the article, not the ethical practice of gathering Competitive Intelligence on one's industry and potential and current competitors.

Thanks,

Sean Campbell
Principal - Cascade Insights
www.cascadeinsights.com
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-30480
PUBLISHED: 2021-04-09
Zoom Chat through 2021-04-09 on Windows and macOS allows certain remote authenticated attackers to execute arbitrary code without user interaction. An attacker must be within the same organization, or an external party who has been accepted as a contact. NOTE: this is specific to the Zoom Chat softw...
CVE-2021-21194
PUBLISHED: 2021-04-09
Use after free in screen sharing in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-21195
PUBLISHED: 2021-04-09
Use after free in V8 in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-21196
PUBLISHED: 2021-04-09
Heap buffer overflow in TabStrip in Google Chrome on Windows prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-21197
PUBLISHED: 2021-04-09
Heap buffer overflow in TabStrip in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.