Friday, July 29, 2016

How to prevent Phishing Attacks in your Google for Work domain

According to TechTarget, phishing is a form of fraud in which the attacker tries to learn information such as login credentials or account information by masquerading as a reputable entity or person in email, IM or other communication channels.  Attackers have a variety of tools to take advantage of unsuspecting victims, including social engineering that entices the victim to hand over a username and password.  An uninformed user can be dangerous to an organization, depending on the amount of data that the account can access.


The FBI received 16,594 reports of phishing attacks in 2015.  Indications are that phishing attacks were in decline later in 2015, but more sophisticated attacks such as spear phishing and whaling are prevailing.




Spear phishing is an e-mail spoofing fraud attempt that targets an organization, seeking access to confidential data. Spear phishing attempts are not typically initiated by "random attackers" but are more likely carried out by cyber extortionists out for financial gain, intellectual property, or information gained through social engineering attacks.


Whaling is a form of spear phishing that targets high-level actors such as C-level staff and high-ranking officials.  Because the attackers use the same tools to find personal information, and because of their narrow focus, these attacks are hard to detect and may even be undetectable by conventional spam solutions.


Combating phishing attacks can be daunting; the steps below will help fight them.  Implementing these suggestions can reduce the risk of data and financial loss for your business that uses Google for Work.  We encourage you to consider these options, and we would be happy to set up a time to discuss them with you and your staff.

Security Awareness Training

The unaware user can be as much of a liability as the ones doing the attacking.  Perpetual security awareness training has become as much a necessity as ethics or sensitivity training.  A staff member who knows what to look for will understand what they are protecting and why.  Regardless of how much is invested in equipment and devices to protect our businesses from exploits and threats, the bottom line is that the members of your user community are the weakest link in the security chain.  Providing a perpetual schedule of training will reduce the risk of a threat that impacts your organization.


Develop a periodic security awareness program that provides the opportunity to review any changes to the Acceptable Use Policy and covers the threats that could impact company operations.  Consider engaging a Managed Security Services Provider that can deliver training and provide metrics by performing phishing tests on your staff.  Repeated training and testing reduce risk and help you understand where the weak points are among your staff.


Turn on 2-Step Verification for your Google Apps Domain

2-Step Verification is a method of confirming a user's identity by using a combination of two different factors. These factors may be something the user knows, something the user possesses, or something that is inseparable from the user.


2-Step Verification helps protect a user's account from unauthorized access should someone manage to obtain their password. Even if a password is cracked, guessed, or otherwise stolen, an attacker can't sign in without access to the user's additional verification. This verification can be in the form of codes which only the user can obtain via their own mobile phone, or via an encrypted signature contained on a security key.


In this case, the factors are the user's username and password, and the something that is inseparable from the user is their cell phone.  Read the next post for additional options that can be leveraged to enhance security using 2-Step Verification and Google Apps for Work.




How to setup 2-Step Verification for Google Apps for Work

Steps to turn on 2-Step Verification

Note: Before 2-Step Verification is turned on, consider communications and training.  Enforcing 2-Step Verification without letting your staff know may halt productivity, which is no benefit to the organization.

  1. In the Google Admin Panel (admin.google.com), select the Security settings and click Basic.
  2. Check Allow users to turn on 2-step verification, then click Go to advanced settings and enforce 2-step verification.

You can apply 2-Step Verification to the entire domain or to specific orgs using the left-side navigation.

Follow the steps below to set up 2-Step Verification on a user account. By default, the initial setup uses a voice call or text message to a designated phone number.

  1. Open My Account from the account menu in the upper right of Gmail.
  2. Choose Sign-in & Security.
  3. Under Password & sign-in method, select 2-Step Verification to configure it, then select Get Started.
  4. Following the on-screen prompts, choose whether your code is sent by text message or phone call, then follow the prompts to verify that it works.
  5. You will see a confirmation of success. You can now select Turn On, and 2-Step Verification will be applied to your account. See the tips below for using this new feature.
  6. Take a moment to configure a backup set of numbers in case you do not have access to your phone. See the note on YubiKeys below for a second step that does not depend on a phone.

2-Step Verification FAQs

How long is a verification code good for?
The verification code you receive is valid for 60 seconds. You have the option to generate a new code at any time.

Do I have to enter a code every time I sign in?
No. You have the option to Remember this computer for 30 days. Do not use this option on shared or public computers.

What happens if I do not have my phone or it is dead? How do I get a code?
Click Try another way to sign in; this will give you the other options that you may have set up as your second step of authentication.  There is also an option to print backup codes in case you forget your phone or the device used as your second step of authentication.

We recommend that you consider YubiKeys for use with 2-Step Verification.  YubiKeys offer an innovative approach to strong authentication via FIDO Universal 2nd Factor (U2F), with a simple tap or touch of a button. YubiKeys protect businesses of all sizes, and the benefit is that you don’t have to depend on people using their cell phones for authentication or have to update your BYOD policy.

It is our goal to arm you with the best defenses to protect you from phishing scams and improve your experience with Google for Work.  If you have any questions or need help with deployment strategy, please reach out to us at secinfo@suitebriar.com.


See:  Google for Work Security Key Special Offer

Tuesday, July 19, 2016

Suitebriar Case Study: Glassdoor


For millions of job seekers Glassdoor is an essential stop in their job search and career. Offering critical insights into jobs and companies, their culture, salary and other essential information has helped make Glassdoor one of the most well-known brands in recent years.

The Challenge

With that growth came new challenges internally for Glassdoor. Having begun as a small start-up, they quickly grew to a company of over 600 employees.  Director of Information Technology Umair Hamid quickly found that the initial investment in a hosted Exchange solution, along with an organization using a 70/30 split of OS X to Windows devices, was causing a lot of headaches.

“Our Mac user experience was not great,” said Hamid.

“We were using Parallels to install Windows so we could use Office for Windows. The Hosted Exchange we used was also high in cost. Additionally, there were no collaboration tools offered with our hosted mail service.”

On top of the inherent cross platform flaws, reliability was also an issue.  

“Any given month, we would have email issues for a few hours on top of monthly costs, days of downtime, lack of business continuity, etc.”

Glassdoor needed a course correction in IT strategy that would provide a lasting, scalable, cost effective solution.  They found that direction in Google for Work.


The Solution


After a thorough discovery process weighing the benefits of both Google for Work and Office 365, Glassdoor found that the Google solution, in Hamid’s words, “integrated better with the tools we use on a daily basis.”

Teaming with Suitebriar’s expert deployment and change management specialists, Glassdoor set about replacing their legacy system with Google for Work in a manner that would not disrupt their day-to-day core business.

Change proved to be welcome as many of Glassdoor’s employees were already well versed with personal Google accounts to begin with.

“Google Apps is a platform everyone is familiar with from their personal email, our employees love Google” said Hamid.

“Using it in an enterprise setting is different and we found it contained quite a bit more features but change management is absolutely critical in an enterprise environment. We’re now frequently utilizing Google Sheets and Hangouts. Anyone considering migrating to Google for work must also plan for the change management process to make it a big success.”

On top of user satisfaction, Google has exceeded expectations when it comes to simple cost savings and efficiencies.

Hamid stated: “We’ve saved 40% on total per user cost, reduced IT hours spent maintaining our environment, have had 20% fewer email related tickets, and on top of that we’ve had almost no downtime in the last 9 months.”

“We absolutely think Google has reduced our risk while increasing our scalability and flexibility - for example we use Okta SSO for provisioning accounts and we are doing some cool things with Google Groups to streamline email distribution lists.”

Going Google is working for Glassdoor.

Email Security and Your Google Apps Domain

2016 has seen an unsettling number of e-mail and web security breaches that is compelling businesses all over the world to ask themselves how they can best prepare for and prevent similar attacks on their own environments.  One such attack that we have noticed a sharp increase in over the past several months is spoofing.


Spoofing occurs when a malicious sender sends e-mail that appears to be from a high-ranking staff member requesting things such as a wire transfer or sensitive company information in a very convincing, but false, manner.


The internet was designed for information sharing and research, while email was designed to send short messages from server to server.  When mail was delivered to the receiving email server, the sender was accepted to be whoever the email said it was, trusting that the sender was using the honor system and was not falsifying information.  We can no longer afford this option if we are to protect our businesses; it is now necessary to define which servers and services are allowed to send on our behalf.  Our email systems are the front door to our business operating environments, and it’s imperative that we protect them.


Email Address Spoofing

As we mentioned earlier, spoofing is when an attacker impersonates an email address from your organization in an effort to entice the recipient to open the email and share potentially sensitive information or resources.  This method of attack can be used to exploit and compromise unsuspecting staff, clients, and business relationships.


An organization's reputation is hard to recover once damaged.  There are steps that can be taken to protect your business and those with whom you communicate.  Implementation of Sender Policy Framework is an integral component in protecting your business from email impersonation.


Your business, and the security of your business, is important to us!  If you would like to schedule a review of your email security settings, please contact us at secinfo@suitebriar.com, and we’ll go through the process with you!

Step 1 - Ensure all traffic is being scanned

It used to be standard operating procedure to bypass the spam filters for internal senders.  We now recommend scanning all traffic, so that all emails, including those that appear to be internal but are impersonations, are scanned the same as every other incoming email.  Please ensure that the box for Bypass spam filters for messages received from internal senders is unchecked.




Step 2 - Setup Sender Policy Framework (SPF)

Define which servers are designated to send on behalf of your organization’s domain name.  If this text (TXT) record does not exist, any server or service with an Internet connection can be used to impersonate your email addresses.

Setup SPF:

In your DNS zone, use the Google-provided settings to ensure that the proper Google servers are specified.

Add the record v=spf1 include:_spf.google.com ~all with a host name of “@” to your DNS zone.  (The exact form may differ between hosting providers.)




Step 3 - Setup DomainKeys Identified Mail (DKIM)

DKIM is another way to help verify that you are the originator of a message, and it depends on SPF being in place in order to work.


Excerpt from the Google Apps Administrator Help for DKIM:

To generate the domain key used to sign mail:

  1. Click Apps > Google Apps > Gmail > Authenticate email.
  2. Select the domain for which you want to generate a domain key.
  3. The name of your primary domain appears by default. To generate a domain key for a different domain, select it from the drop-down list.
  4. Click Generate new record.
  5. If your registrar doesn't support 2048-bit keys, change the key length from 2048 to 1024.
  6. Optionally, update the text used as the DKIM selector prefix.
  7. The selector prefix is used to distinguish the domain key that Google Apps uses from any other domain keys you may have. In most cases, you'll select the default prefix "google". The only reason to change the prefix is if your domain already uses a DKIM domain key with the selector prefix "google".
  8. Click Generate.
  9. The text box displays the information you need in order to create the DNS record that recipients query in order to retrieve the public domain key.
The generated output shows the host name and the TXT record value that you add to your DNS zone.
  10. Once the DNS has been updated, allow time for it to propagate, then click Start Authentication in the Authenticate email dialog referred to above.


Domain keys are available for most email providers, including systems like Mailchimp and Constant Contact and other services that send mail on behalf of your business.  You can find out more by searching for the name of the service you use together with SPF or DKIM.


Following the steps above benefits your business's security by ensuring that only those authorized to send from your domain are allowed to send.  We will be adding more information that we hope will be beneficial as well.



Step 4 - Setup Domain-based Message Authentication, Reporting & Conformance (DMARC)



DMARC relies on the SPF and DKIM records and tells receiving mail servers what to do with messages from your domain that fail those authentication checks.  There is a caveat: DMARC must be implemented carefully so that it does not disrupt normal mail flow.  Reviewing the reports during the first week of implementation will show whether valid mail from your domain is being sent by servers that SPF and DKIM do not yet cover.


To setup DMARC for your domain:

  1. Set up a Group in Google Apps that you can use to capture the reports sent by receiving servers.  (Don’t bother assigning group members; the group contents can be reviewed after it has captured some information.)
  2. Log in to your DNS management console.
  3. Go to the DNS zone where you'll be publishing the DMARC TXT record.
  4. Most DNS management consoles will ask for:
    • Hostname: this should be "_dmarc".  NOTE: the leading "underscore" character is required!
    • Resource type: this is "TXT", as DMARC records are published in the DNS as TXT resources.
    • Value: this is the DMARC record itself, of the form "v=DMARC1; p=none; rua=mailto:yourgroup@yourdomain.com"
  5. Save and you're done.
  6. After a week, look at the information collected in the Google Group, determine whether any valid mail was reported as failing DKIM and SPF, and remediate any missing information.
  7. Adjust p= from none to quarantine or reject.  We suggest that you use quarantine until you are sure that reject can be safely implemented.
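The SPF, DKIM and DMARC records from Steps 2 to 4 can be sanity-checked before the DNS change goes live. The script below is an added example, not Suitebriar's or Google's code; the zone entries, the domain example.com and the report address are constructed, and the DKIM public key is a placeholder.

```python
"""Offline sanity checks for the SPF, DKIM and DMARC TXT records from Steps 2-4.
Added example, not Suitebriar's or Google's code; the zone entries, example.com
and the report address are constructed, and the DKIM public key is a placeholder."""
# Constructed sample zone: DNS name -> TXT value, one entry per step.
SAMPLE_ZONE = {
    "example.com": "v=spf1 include:_spf.google.com ~all",
    "google._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
}
def parse_tags(record):
    """Split a 'tag=value; tag=value' DKIM or DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # base64 keys may contain '='
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(record):
    """Return findings for an SPF record; an empty list means it looks right."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record must start with v=spf1"]
    findings = []
    if "include:_spf.google.com" not in terms:
        findings.append("missing include:_spf.google.com, so Google servers are not authorised")
    if terms[-1].lower() not in ("~all", "-all"):
        findings.append("record should end with ~all (or -all) so unlisted senders fail")
    return findings

def check_dkim(record):
    """The DKIM TXT record must carry the public key in its p= tag."""
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":
        return ["v= tag must be DKIM1"]
    return [] if tags.get("p") else ["public key (p=) is empty or missing"]

def check_dmarc(record):
    """Check policy and reporting address; p=none is the monitoring stage only."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC record must start with v=DMARC1"]
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p= must be none, quarantine or reject")
    elif policy == "none":
        findings.append("p=none only monitors; move to quarantine, then reject, once reports are clean")
    if not tags.get("rua", "").startswith("mailto:"):
        findings.append("rua= should be a mailto: address so aggregate reports reach your group")
    return findings

def audit(zone, domain, selector="google"):
    """Run all three checks for a domain against a zone dict of TXT values."""
    return {
        "spf": check_spf(zone.get(domain, "")),
        "dkim": check_dkim(zone.get(selector + "._domainkey." + domain, "")),
        "dmarc": check_dmarc(zone.get("_dmarc." + domain, "")),
    }
```

Running audit(SAMPLE_ZONE, "example.com") reports only the p=none finding, which is the expected state during the first week of monitoring; a real check would fetch the TXT values with a DNS library and pass the strings to the same functions.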
We understand that your business communications are of the highest importance. If you would like Suitebriar to make sure that your Google Apps Domain is up-to-date with these settings, please set up a time to discuss by sending an email to secinfo@suitebriar.com.

See:  DMARC.org
Dmarcian: DMARC Inspector

Thursday, April 28, 2016

Stay on task with today’s updates in Google Keep

How many times have you found yourself with a great idea, but no easy way to jot it down for later? Or maybe you’ve got lots of notes scattered around, with no central spot to find them. Having a single place to capture what’s on your mind and save your ideas and to-do lists is what Google Keep is all about, and today's updates give you a few new ways to collect and manage the information that's important to you.

Keep is ready when you are

The next time you’re on a website that you want to remember or reference later on, use the new Keep Chrome extension to add it—or any part of it—to a note in Keep. Just click the Keep badge to add a site’s link to a note, or select some text or an image and create a new note from the right-click menu.

Same goes for Android—you can now create a note while you’re browsing or tapping away in other apps—without having to open Keep. Just open the “Share via” window and choose Keep to create a new note.


Organize your thoughts with #Labels
One of your top asks has been for a way to organize and categorize notes, and now it’s as easy as using a #hashtag. This should help you keep track of to-do lists for a #trip or collect your favorite #recipes, for example.


You’ll also notice that some of the menus have been moved around to group similar options together, as pictured below.
So whether you’re researching a project at work, putting together details for your Science Fair submission, or collecting inspiration for your upcoming home renovation, give these updates a try on the web, or with the Keep app on Android and for iPhone & iPad.