Posts

Best Ways to Protect Your Google Apps Account from Being Hacked

/in ,

We have seen an alarming increase in the number of Google Apps accounts that have been “hacked” across both our business and education customers. Securing your Google Apps account is crucial to protect your sensitive information and prevent unauthorized access.

Google Apps platform security is NOT the issue.  ALL of the hacked accounts are due to compromised user identities.

In every case we have encountered, the users have used their Google Apps email address and password with another service that has had a breach, or has had malware on their computer that provided username and password keystrokes to the hackers.

In both types of incidents, hackers then log in as the user and cause mayhem.

Essential Steps to Make Your Google Apps Account More Secure From Hackers:

1) Educate your users that they are not to use their Google Apps password for any other account not explicitly authorized. Users should also not use their Google Apps email address as the username for personal accounts with other services. It’s also critical to understand the risks of using third-party apps.

2) Check Your Systems for malware and make sure your endpoint protection is up to the task. If not, we recommend Webroot Endpoint Protection and Web Security Services (the link is to our edu site, but the service is available to business and government customers as well).

3)  Implement Two-Factor Authentication (2FA).  In business environments, users should be using 2FA to secure their accounts.  Implementation can be involved if you have other services linked to Google Apps, as you will need to generate service-specific passwords.

4) Use Strong Passwords: Create a strong, unique password for your Google account. Avoid using easily guessable information and include a combination of upper and lower case letters, numbers, and special characters.

5) Review Account Activity: Periodically review the recent activity on your account. Google provides a “Last account activity” feature that allows you to check for any suspicious login attempts.

6) Check Account Permissions: Regularly review the apps and services that have access to your Google account. Remove access for any applications or devices that you no longer use or trust.

7) Beware of Phishing Attempts: Be cautious of phishing emails or websites that attempt to steal your login credentials. Always verify the authenticity of emails and URLs before entering your Google account information.

In education environments, 2FA is not practical for all users, as students and many faculty members may not have mobile devices available to access the Authenticator.  For schools, we recommend any user with partial or full administrative privileges have 2FA active.

FAQs About Keeping Your Google Account Safe from Hackers

Activating 2FA is covered by our support agreements.

For customers and others without support agreements, mention this blog post and we will discount our hourly support fee by 10%; W

We will discount Webroot deployment fees by 50%.  

Both offers expire on December 31, 2014.

Please contact our Service Desk for 2FA assistance; contact Sales regarding Webroot.

 

USPS Data Breach: What SMBs Can Learn

/in


As a small or mid-size business, you probably do not worry about hackers and data breaches. Your information is safely stored in-house or in a secure cloud service.  You do not have trade secrets or intellectual property coveted by foreign governments or industry. You accept credit cards, but those transactions are processed, saved, and secured by the credit card processor … you do not even have credit card numbers in your files or systems. It is not unreasonable for you to think that you are not a data breach target.

You are wrong.

The recent data breach at the US Postal Service should, however, serve as a wake up call. Hackers breached USPS systems not for customer data or credit card information; the hackers stole HR records for hundreds of thousands of postal employees and retirees (customer data was just a bonus). And, while the hackers were not able to go on an immediate debit-card spending spree, they captured all of the data necessary to steal identities — names, addresses, social security numbers, and more.

Regardless of your size, any personally identifiable information in your possession is an incentive for criminals. And you don’t need to be big to be caught. A stolen laptop, compromised account, or lost USB stick can enable data breaches in systems you think are secure.

Malware is the inbound marketing tool for hackers and identity thieves. 

When malware spreads, it makes its way onto business computers that the hackers may never have known existed. Malware often sits in wait, capturing passwords or other information and communicating the information to servers half way around the world. Hackers can then use this information to assess the value of the target and to gain more access to even more data. Hackers may also sell this information to other criminals.

Your business needs protection in place, and awareness of the scope of the problem is the first step.  Permissions monitoring and management, web filtering, device protection, endpoint protection, mobile device management, and user data protection may all be components of your solution.

Please contact us for a complimentary review of your current data protection coverage.

 

Beware of Marketplace Apps on the Move

/in ,


Last week, Google announced that the Google Apps Marketplace was open for business to all Google Apps users, not just administrators.

While this move opens up a wide range of personal productivity applications to Google Apps users, it is not without risks.

  • Your users can now commit you to paid apps and services that you may not want as part of your environment.
  • Apps may require permissions to data in your Google Apps environment that needs to be, or you want to be, private and secure.
  • Not all apps are from well-known vendors.

As we have written in the past, third party apps can present a risk to your data and your business.  And while Bring-Your-Own-App (BYOA) can be beneficial to staff efficiency and effectiveness, Google Apps administrators should careful and should understand the security health of the domain.

As such, consider turning off marketplace access to all users.  (Customers with a support plan: Ask us and we will do this for you).

We also recommend that you consider a Google Apps Security Health Check (special offer through Sept 30th) to ensure that Marketplace, mobile, and other third party apps are not already posing a risk.

If your current Google Apps reseller is not providing guidance on best practices, security and other important issues, contact us.  We would love to have you join us as a client. 

 

 

 

The Google Apps / Gmail Breach That Isn’t

/in ,

News over the past few days that hackers have posted almost 5 million email addresses and passwords on an online forum has caught the media’s attention in large part because about 4.7 million of the addresses appear to be gmail accounts.

This is NOT, however, a breach of Gmail or Google Apps.  

The information appears to be from other sites and sources for which users provide their email address as their login.  In fact, several people that have found their address on the list report that the information is not their login information for Gmail or Google Apps.  As reported by Mashable, your risk is low.

Given it is not a Google Apps or Gmail breach, are you at risk?

Maybe!  Google has already analyzed the list and found some users that may be using their Google account password for other sites.  Google has notified these users and is forcing them to change their passwords. For the bigger picture:

If you use the same username/email address and password for all of your services, and one service is breached, then you are at risk of hackers gaining access to some or all of your services.

If a service is breached and you have granted the service access to your Google Apps environment, your data may be at risk.

Recommended Actions

Step One:  It is not easy, but avoid using the same password for multiple services, sites, or accounts.  And don’t write passwords down to remember them.

Step Two:  Be careful when and how you allow services to connect with one another.  For example, LinkedIn needs your gmail.com password if you are going to import contacts. While this may be safe to do, other services may not be as trustworthy.

Step Three:  Read and understand security permissions when you install apps on your mobile devices.  Many apps recognize and request access to other apps and services already on your phone.  Human nature is to say “grant” or “allow” without reading or fully understanding the implications, risks, or the trustworthiness of the app’s creators.

Note for Businesses, Governments, and Schools running Google Apps: Users installing 3rd party apps, particularly on cell phones, may be granting access to data stored in Google Apps.  To see if you have a risk, we offer a Google Apps Security Health Check that will document access rights and evaluate your level or risk, if any.  

Click Here for Information

 

5 Security Threats SMBs Should Not Overlook: Malicious Web Sites

/in

Security Puzzle
As more services move into the cloud, users bring their own apps to their work environment, and we see more integration and interconnect between systems, the nature security risks and threats are changing.  

This blog series looks at some of these threats, why the should be of concern to SMBs, and how SMBs can mitigate the risks.

Many small and mid-size business owners look past security threats in the belief that their businesses do not have trade secrets or other information coveted by hackers.  This view is naive.  Small businesses are ripe for attack because they often have personal, credit, or medical information about their customers and their employees.

Your business may at risk even if you are not a deliberate target. Hackers and thieves cast wide nets to capture personal information for identity theft. For identity theft, your business IT is no different than home computers.

Many businesses respond that they have security in place.  A well managed firewall, a big name malware suite that updates periodically, and spam/virus protection for their email service.

Unfortunately, users are 20 times more likely to suffer a malware attack from a corrupted web site or a phishing attempt then through the “traditional” means of email and file transfers. While traditional malware tools may catch these types of attacks, web-based malware often behaves more like acceptable code.  The recent outbreak of “crypto locker” malware, which encrypts your data and holds it for ransom, is an example of just how ineffective traditional malware prevention alone can be.

The overlooked solution to closing the web-enabled malware threat is known and simple: web filtering.  Web filters not only track sites known to be risky, insecure, or containing malware, they analyze web traffic and behavior in real-time, identifying sites that may be compromised, including those hacked without the site owner’s knowledge.

For most SMBs, adding web filtering to the ecosystem is an affordable increase in IT spending, typically less than $3.00 per employee per month.   Given that a single malware event can take 20 to 60 hours to mitigate at a cost of thousands of dollars, web filtering is a value-add component for most IT ecosystems.

Cumulus Global can assist in selecting a web filtering solution for your business.  Please contact us, or complete the form below, for more information.

Security Breach? There are Apps for That

/in

 

security-checkHere’s a Story …

Emily tells Dan about a cool app on her iPhone that helps her stay organized when she is out of the office.  Dan looks it up and downloads it to his Android phone.  The App is cheap and has great reviews.  When Dan installs the app, he gets a screen about permissions with only a few items listed.  He scans the list.  Dan is not a techie and the list seems reasonable; he clicks “Allow” and the installation finishes.  Dan uses the app and is happy.  Over the next few weeks, Dan has trouble finding docs he saved in Google Drive.  Some were uploaded Word and PDF files, while others were created in Google Docs and Sheets. Asking IT for help, they find some documents in the trash, others appear gone for ever.

Here’s the Lesson …

When Dan installed his cool new app, he granted the app full access to the content of his Google Drive account and to other content in Google Apps.  The app had a bug (we do not want to assume malice) that set all of Dan’s files to public on a periodic basis.

Third party applications, including mobile apps, create a security and privacy risk for your Google Apps environment.

Here’s the Offer …

Partnering with CloudLock, we will conduct a Google Apps Security Health Check for your Google Apps for Business or Government Domain.  Normally costing $1,000 to $5,000 (or more!), through September 30, 2014, we will perform the check for $300 (or less!).

Please click here for more information or to request your Google Apps Security Health Check.

Chromebook SSO Eases Access Administration

/in ,

Single Sign-On (SSO) enables users to access multiple systems and applications with a single username and password, and a single login screen.  And while many schools and businesses use SSO for Google Apps and related solutions, Chrome devices have always required a separate login.

To easy access administration and simplify user logins, Google has launched SAML-based SSO login for Chrome devices.   Organizations running current versions of Chrome on devices registered via Chrome Management licenses can now extend their Google Apps SSO login to the registered Chrome devices.

Feel free to contact us if you would like more information or assistance with your setup.

 

Assessing Your Google Apps Security Threats

/in ,

accept button
The power of Google Apps comes from the variety and scope of its collaboration features.  Unfortunately, the same tools we use to share and to work more efficiently can be used against us. When users set permissions, they may accidentally (or intentionally) over-share, resulting in data leaks, disclosures, policy breaches, and regulatory violations.

With the easy to select and connect 3rd party mobile and web apps to your Google accounts in just a few click, employees can easily and unintentionally grant access to non-trustworthy apps.

How do you protect your users from threats they do not know exist?

Assessing and managing information security within Google Apps warrants a multi-faceted approach.

  1. Education. Make sure employees understand your organization’s privacy and security policies, and any regulations and laws you must follow.
  2. Education. Make sure your users understand the basics of how permissions work within Google Drive and Sites, and how to use settings to comply with policies.
  3. Education. Make sure employees know that 3rd party apps can be dangerous and cause problems.

Beyond Education, many organizations look to deploy data protection and security solutions that support policies, that monitor the Google Apps environment for risks and violations, and that can respond and remediate potential data sharing violations.

Before you invest, however, understand your risk.  By reviewing Drive content and permissions and analyzing the inventory of 3rd party apps accessing your Google Apps domain, you can best assess if and when additional security and administrative tools are warranted.  While this can be time-consuming, tools and services exist that can automate the process of gathering and analyzing Google Apps security threat information.

Through September 30, 2014, Cumulus Global is partnering with CloudLock, the Google Apps collaboration security company, to offer a comprehensive Google Apps Security Health Check, which will analyze both Drive content and the risk from 3rd party mobile and web apps.  Normally a service costing $1,000 to $5,000, we are offering the assessment for $300 or less.

Click Here for more information and/or to speak with a Cloud Advisor.

 

Avoiding Real Drive Security Threats

/in


Are Your Users Letting Data Thieves in Through the Front Door?

When most organizations think about protecting files in Google Drive, they focus on Google’s security certifications, whether or not to allow external sharing, and setting up groups to make assigning permissions easier. Too often, they fail to consider the bigger risks to data: users and apps.

Users typically have the ability to share Drive content within your domain and externally. A simple user error (and the occasional intentional act) can expose sensitive data, creating headaches and potential liabilities.

Apps, whether browser extensions or on smart phones, can be installed by your users without your knowledge. These apps often request broad access to data ranging from contact lists to Drive content and can expose data before you know the apps even exist. Human nature tells us that if person wants an app, they “Allow” and “Accept” without necessary reading or understanding the permissions being granted.

Critical to securing data in Drive, organizations should monitor and manage both user permissions based on policies and content and third-party apps with access to data. An understanding of the access granted each App and whether others have deemed the App trustworthy, gives you the power to allow Apps that help your team work efficiently while blocking Apps that pose too much risk.

The First Step to closing user sharing and Apps permission risks is to audit and assess your environment. Audit user assigned permissions and third-party Apps with access and review the results for potential data security issues.

With an understanding of the scope of your risk, you can best decide if you should further investment in your Google Apps ecosystem.

In partnership with CloudLock, we are offering great discounts on our Google Apps Risk Assessment service. Normally a $1,000 per audit service, we will examine collaboration and permission settings as well as the 3rd party Apps that already have access to your domain for $300 or less.

Contact us for more information or to request a formal quote.

Lots of Bots; Not so Many People on the Internet?

/in ,

bot-traffic-report-2013
As recently reported by CloudTweaks, a recently published analysis tells us that only 38.5% of Internet traffic is from humans.  The rest is from Bots — good and evil.

Good Bots are primarily search engines and data aggregation services.  These represent 31% of Internet traffic.  This leaves 30.5% of traffic originating from Bad Bots.  

What are the Bad Bots?

  • Scrapers: These bots scrape web sites, capturing text to steal email addresses for spam purposes or to reverse-engineer pricing and business models
  • Hackers: These bots break into sites to steal credit card data or inject malicious code
  • Spammers: Email addresses are the target for these Bots, enabling billions of useless and annoying email messages and inviting “search engine blacklisting”
  • Impersonators: These bots specialize in intelligence gathering, DdoS attacks and bandwidth consumption

The result?  Web sites, email systems, and other online activities should be secure.  Our defenses must continue to evolve and all technology users should have a basic understanding of the threats at hand.

Focusing on protecting users and data, rather than devices, creates a mindset that enables a more integrated approach and solutions.

Contact us to explore solutions that fit your business and budget.