But HTTPS security has limits. "Really, that's only going to prevent someone from eavesdropping on the communication, while it's happening," said the threat intelligence manager for Trustwave SpiderLabs, who goes by "Space Rogue," speaking by phone. "It's not going to stop someone who's able to brute-force your password."
7. Understand access control: An attacker who's able to access someone's Google account will see whatever the user can see. Users of Google Docs can't set their uploaded documents to be password-protected--only designated as private, or with access restricted to a designated list of people, based on their email addresses. Accordingly, if an attacker gains access to your Google account, any documents you've uploaded, or which you already have access to, can be seen. Likewise, if an attacker accesses the Gmail account of anyone with whom you've shared a document, the attacker can see that document--unless, of course, the documents are encrypted.
8. Encrypt docs before uploading to Google: Accordingly, why not simply encrypt all documents before they get uploaded to Google? Unfortunately, doing so is currently cumbersome, although efforts are underway to make it easier. For example, two government-funded computer scientists at Trinity College Dublin in Ireland have created an approach dubbed CipherDocs, which can encrypt any document before it's uploaded to Google's servers, via a browser plug-in. Allowing specific people access to the keys required decode the documents, meanwhile, is handled by their third-party KeyHub service.
The researchers hope to extend their current prototype by adding compatibility for Google spreadsheets, as well as Dropbox, and allowing it to work with Chrome and Internet Explorer. While the approach is untested, it suggests how another layer of security--handled by a third party--could be added to Google Apps to better control access to shared documents.
9. Maintain backup email accounts: What happens if someone hacks into your Gmail account and changes the password? "In the case of Google Docs, a lot of people have everything in Google, from the email accounts, to the documents and spreadsheets. And they have their password recoveries sent to Gmail. So once you gain access to someone's primary email account, be it Gmail or others, you have access to everything else," said Space Rogue. "If you want to get into someone's bank account, you just send a password reset to the email, and you've got access. All that stuff is linked together."
"So at the very least, have more than one email account," he said. That way, you can also see if someone has started resetting your passwords, especially for the primary email account. In the case of Honan, notably, the attacker controlled Honan's Gmail account, and quickly deleted any password-reset notification warnings that might have tipped him off to the attack.
One of the biggest challenges facing IT today is risk assessment. Risk measurement and impact assessment aren't exact sciences, but there are tools, processes, and principles that can be leveraged to ensure that organizations are well-protected and that senior management is well-informed. In our Measuring Risk: A Security Pro's Guide report, we recommend tools for evaluating security risks and provide some ideas for effectively putting the resulting data into business context. (Free registration required.)
