Forget Twitter-hacking attackers named "Phobia" who managed to compromise a well-known technology journalist's Google credentials and Twitter account. What about competitive intelligence experts who might want to hack rivals' Gmail accounts to siphon away corporate secrets? Or hacktivists seeking a reprise of the Anonymous attack against HBGary, which copied and then deleted the firm's Gmail accounts?
To help stop "life hack," competitive intelligence, or hacktivist attacks that come gunning for corporate data, all Google Apps for Business users--and especially corporate administrators--should pursue the following nine security strategies:
1. Create a Google security plan: Anyone who uses Google for business should begin by detailing all related security processes and procedures, with an eye toward spotting potential weak points--especially single points of failure--and having a data breach response plan. As an example of what can happen without this type of plan, take the February 2011 hack of HBGary's email by the hacktivist group Anonymous. Briefly, HBGary had threatened to reveal the identities of many group members. In retaliation, members of Anonymous used a stolen password to hack into HBGary's company-wide Gmail account, from which they copied and then deleted every email they found. According to HBGary CEO Greg Hoglund, he saw the attack unfolding, but wasn't able to convince the Google help desk of his own identity in time to prevent all of the company's emails from being copied.
2. Use two-factor authentication: Anyone who possesses just a Google account username and password can access that account and everything it sees, including documents and spreadsheets, unless Google's two-factor authentication system is enabled. Accordingly, enabling it is a no-brainer for every business user.
In the case of the Honan hack, for example, "much of the story is about Amazon or Apple's security practices, but I would still advise everyone to turn on Google's two-factor authentication to make your Gmail account safer and less likely to get hacked," said Matt Cutts, the head of Google's Web spam team, in a personal blog post.
Likewise, Gartner analyst John Pescatore said HBGary was at least partially to blame for the unauthorized access to--and deletion of--its Gmail accounts, because the security technology company wasn't using Google's two-factor authentication system.
3. Configure two-factor for external email accounts: Google's Cutts also noted that while Google's two-factor authentication system is designed for browsers, POP and IMAP email clients can be given unique passwords for checking Gmail. Using such passwords makes it more difficult for an attacker who's compromised an employee's Gmail credentials to surreptitiously and remotely listen in to all email communications.
4. Extend Google authenticator, where applicable: Likewise, Google's two-factor authentication will work with additional sites, including LastPass, WordPress, Amazon Web Services, Drupal, and DreamHost, said Cutts. In the case of WordPress, for example, an administrator can set the blogging software to require two-factor authentication for specific user accounts.
5. Delete users after they depart: As part of your company's Google Apps for Business security plan, ensure that processes are in place to immediately change the passwords of departing users--or better yet, to remove their accounts entirely. That helps prevent former employees from taking sensitive information or customer lists with them.
6. Respect HTTPS limits: Using Google Apps offers numerous security upsides, especially for small businesses that may lack full-time--or highly experienced--staffers to handle all information security concerns. One of those benefits is that all communications between users' browsers and Google are encrypted. According to the Google boilerplate: "We also automatically encrypt browser sessions with SSL for Apps users without the need for VPNs or other costly, cumbersome infrastructure. This helps protect your data as it travels between your browser and our data centers."
But HTTPS security has limits. "Really, that's only going to prevent someone from eavesdropping on the communication, while it's happening," said the threat intelligence manager for Trustwave SpiderLabs, who goes by "Space Rogue," speaking by phone. "It's not going to stop someone who's able to brute-force your password."
7. Understand access control: An attacker who's able to access someone's Google account will see whatever the user can see. Users of Google Docs can't set their uploaded documents to be password-protected--only designated as private, or with access restricted to a designated list of people, based on their email addresses. Accordingly, if an attacker gains access to your Google account, any documents you've uploaded, or which you already have access to, can be seen. Likewise, if an attacker accesses the Gmail account of anyone with whom you've shared a document, the attacker can see that document--unless, of course, the documents are encrypted.
8. Encrypt docs before uploading to Google: Accordingly, why not simply encrypt all documents before they get uploaded to Google? Unfortunately, doing so is currently cumbersome, although efforts are underway to make it easier. For example, two government-funded computer scientists at Trinity College Dublin in Ireland have created an approach dubbed CipherDocs, which can encrypt any document before it's uploaded to Google's servers, via a browser plug-in. Allowing specific people access to the keys required to decode the documents, meanwhile, is handled by their third-party KeyHub service.
The researchers hope to extend their current prototype by adding compatibility for Google spreadsheets, as well as Dropbox, and allowing it to work with Chrome and Internet Explorer. While the approach is untested, it suggests how another layer of security--handled by a third party--could be added to Google Apps to better control access to shared documents.
9. Maintain backup email accounts: What happens if someone hacks into your Gmail account and changes the password? "In the case of Google Docs, a lot of people have everything in Google, from the email accounts, to the documents and spreadsheets. And they have their password recoveries sent to Gmail. So once you gain access to someone's primary email account, be it Gmail or others, you have access to everything else," said Space Rogue. "If you want to get into someone's bank account, you just send a password reset to the email, and you've got access. All that stuff is linked together."
"So at the very least, have more than one email account," he said. That way, you can also see if someone has started resetting your passwords, especially for the primary email account. In the case of Honan, notably, the attacker controlled Honan's Gmail account, and quickly deleted any password-reset notification warnings that might have tipped him off to the attack.