Notes from an Expert: Google’s Field Insights on Security

Version 11

    Hello, everyone. Finally long hot Summer is gone and Autumn is coming to Tokyo. Autumn is one of my favorite season.

    Speaking of Autumn, leaves change color and go from being green to burning red, golden yellow and vivid orange. Harvest season has also started. It's a season of change.  Security is also about change. Today I am glad to have our security expert Theo talking about how to make the change based on his field deployment engineer experience.

     

    Yan

     

    ------------------------------------------------------------------

    Hi Everyone,

     

    I am Theo Lhomer, a Deployment Engineer from Google Professional Services based in Singapore and in today’s blog, I will give an insight on Security and what we see in the field. I would also provide you with some advice being myself a bit of a Security Geek :-)

     

    Let’s start with a field insight on security and what are the latest trends we see.

     

    The cost of data security breaches keeps increasing

     

    In 2015, the average cost of a data breach was just under 4 millions dollars ($3.79 millions) which represented an increase of 23% comparing to 2013 (source: IBM & Ponemon Institute).

     

    You will probably remember how data breaches stole the headlines over the past few years with famous names such as Sony Pictures, JPMorgan Chase, as well as T-Mobile or Carephone Wharehouse. While these attacks were highly publicized, there was plenty of other breaches that took place all around the world, resulting in the theft of over 1 billion records of personal identifiable information (PII)! More recently, the Panama Papers Scandal with over 11 millions records from various customers that were supposed to be protected highlighted the inability of Mossack Fonseca, to keep personal financial information private and highlighted the importance for any company to focus on how their vendors handle their PII. On this specific case, data security experts noted, that the company had not been encrypting its emails and was using unpatched and outdated email software that had a considerable amount of vulnerabilities..

     

    As you can see, security needs to be thought as a whole. Besides inside your company you need also review how your vendors, contractors and anyone around you handles PII and other confidential data.

     

    Security breaches can affect any organisation, large or small, from any industry.  The cost associated to it, particularly if customer records are stolen keeps increasing year on year since we clearly live more and more in a digital world. I am not even mentioning the brand damage it can cause…

     

    Phishing is highly effective

     

    Phishing is the most common attack vector for account compromises - brute forcing weak passwords are less of a concern from a Google perspective. But the old technique of phishing that consists to disguise yourself as someone else and trick a user is highly effective for any attacker and its cost is very low and doesn’t require hacking skills. That  is why it is highly popular among attackers.

     

    A Google study on Phishing performed from 2011 to 2014 collected a sample of phishing emails/pages reported from users, detected from Google safe browsing, and injecting fake credentials into phishing webpages (decoy accounts) showed that phishing manages to trick a high percentage of users as soon as the phishing web page is made believable enough. Even when a page is not, it would still trick 3% of users. Imagine the damage an email sent to 1 million people can do..

     

    Screenshot 2016-09-16 at 13.10.49.png

     

    Key takeaways are:

    • Phishing is the oldest attack technique and is relatively easy to do: it can be as simple as a mobile device stolen from a user, which, if not protected can easily send a message to users in the contacts directory.
    • The danger about phishing is that it is effective even against trained users - training does not prevent compromise.
    • Hijackers move fast when accounts are compromised - reactive measures are not sufficient.


    The good news is that you can considerably reduce the risks by:

    • Educating your users on phishing risks and provide them with sound advice such as checking the URL of a webpage, or generally, contact their IT department if they do have any doubts that they got victim of phishing.
    • Install the Google Password Alert extension on Google Chrome: if you enter your Google Account password or Google for Work password into anywhere other than Google's sign-in page, you’ll receive an alert, so you can quickly change your password if needed. Password Alert also checks each page you visit to see if it's impersonating Google's sign-in page, and alerts you if so.
    • Add an extra level of security on top of your password: 2 factor authentication and Security Keys considerably reduce the risk of being phished. Indeed, even with your password stolen, a hacker won’t be able to do much without a 2 factor code that changes every 30s.


    Why do IT fail to stop data breaches?
    The recent high-profile data breaches are a wake-up call to enterprises everywhere and they raise the question: why did my IT Department failed to stop the data breach?
    Well, first of all, the answer is not limited to a technology problem and is sadly an enterprise-wide issue with an increasing volume of data companies manage on an everyday basis.
    Also, because the threat to high-value information is ever-changing, it is important to have some measures in place in any companies of any size such as:

    1. Constantly monitor the threat environment and keep yourself up to date following sources such as the Google Online Security Blog, or our Project Zero blog that aims to identify software threats from major software providers. Other sources such as the Wired Threat Level page, Hacker News or KrebsOnSecurity are sources I usually consult on a daily basis.
    2. Understand who poses a threat, what are their motivations are and which methods do they prefer. Do you believe threat would be likely coming from an insider or someone outside your organisation?
    3. Build a stronger security posture. If you’re a Google Apps customers, I would say that the main 3 take-aways for today would be to:
      1. Enable 2 factor authentication for all your executives and IT department that have access to confidential/sensitive information.
      2. Review the security of any contracting agent handling your company data on a yearly basis. For example, do you use a lawyer company to handle PII, if so, what are their standards in security? Lately, Gmail can easily identify whether a recipient support or not email encryption by displaying a visual padlock which, if unlocked, means that the recipient doesn’t encrypt any of your emails...not great for handling PII
      3. Mobile devices: we’ve all been securing our laptops/PCs for a long time with antivirus, passwords for over 30 years now. But in an increasingly mobile world, how do you stand in terms of securing your mobile fleet? Do you enforce passwords on iPhone/Android or do you let your users having their mobile unlocked? The good news is that on Google Apps, we provide by default a Mobile Device Management solution, out of the box at no extra cost so it would be a pity not to use it!


    In conclusion, you can see that data protection is fundamental in addition to being a challenge for IT.  With new threats continually evolving, enterprises need to be prepared and be able to address threats across each aspect of their business so they can build a strong security posture that reduces costs, improves service and manages risk. Next time on our blog, we will focus on the security response plan.