
A Top G Suite Expert Shares His 31 Best Modern Security Tips

Kevin A. McGrail

August 16, 2018




This was originally presented at the Google Washington DC HQ Tech Talk on August 7th, 2018. Kevin is recognized as a Google Developers Expert and G Suite Top Contributor.

Many of these tips are oldies but goodies to cybersecurity experts, but I’ve tried to include a few unique tips with my personal explanation for each. Some of the tips are even a bit controversial, but I’ve tried to give the important reason for “why.” And while there is a focus on G Suite security, I’m happy to answer questions about how to secure any system using these tips.

Tip #1: Passwords written down are inherently insecure, so I recommend using passphrases that are easy to remember but infinitely too complex to brute force.

For example, a password of “MyWeddingAnniversaryIsJan12018” is not only very easy to remember, but it can also help you remember your wedding anniversary.

Tip #2: Unless you are a hacker fluent in elite-speak, you probably find it difficult to remember passwords with those crazy complexity rules and letter substitutions (e.g., uppercase, special characters, numbers, etc.).

It gets more complex in places like the United Kingdom where they can’t use common symbols like £ in passwords.

The answer? Use long passwords, which builds on my first tip, and ignore complexity.

This xkcd comic does a wonderful job of explaining the scientific reasoning, and it shows how password complexity is completely dwarfed by password length for security. Plus, the website https://xkpasswd.net/ has a great tool for passphrase generation.

Just in case you don’t trust a technogeek comic strip, the National Institute of Standards and Technology (NIST) Digital Identity Guidelines, SP 800-63B Section 5.1.1.2 paragraph 9, “recommends against the use of composition rules (e.g., requiring lower-case, upper-case, digits, and/or special characters) for memorized secrets. These rules provide less benefit than might be expected…”

Tip #3: June of 2017 brought a big change to password management. NIST no longer recommends routine password changes. In fact, they explicitly acknowledge that routine password changes make your systems LESS secure.

I can’t say it any better than NIST did in their Frequently Asked Questions:

“Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets has been compromised since attackers can apply these same common transformations.”

So hopefully you’re now convinced that long passphrases without the need to routinely reset them provide better security.

Tip #4: Unique passwords are important.

I recommend using a simple cipher for a website plus a base passphrase. For the cipher, use something simple like a Caesar cipher, or just write the first and last letter of a website name in pig Latin. It doesn’t take much to avoid the damage from one compromised site.
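Here is an added Python example (not code from the original post or from xkpasswd.net) that puts numbers on tips #1 through #4. It reproduces the entropy estimates from the xkcd comic the post links to (a substitution-style password at about 28 bits versus a four-word passphrase at 44 bits), shows how long each takes to exhaust at the comic's assumed 1000 guesses per second, generates a passphrase with a CSPRNG, and derives the per-site variant tip #4 describes with either a Caesar shift or pig Latin. The word list, the site name and the guess rate are assumptions for illustration.

```python
import math
import secrets

# Constructed mini word list; a real passphrase dictionary (xkpasswd.net, a
# diceware list) has thousands of entries, which is what gives each word ~11 bits.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "wedding", "anniversary",
                "january", "kettle", "orbit", "saddle", "velvet", "canyon"]


def keyspace_bits(choices):
    """Entropy in bits of one choice among `choices` equally likely options."""
    return math.log2(choices)


def substitution_password_bits(common_words=2 ** 16):
    """Entropy of a 'complex' password built the way people really build them:
    one common word, maybe capitalised, a few l33t substitutions, a digit and a
    symbol tacked on in some order. The component estimates are the ones from
    xkcd #936; they sum to about 28 bits."""
    components = {
        "base word from a common-word list": common_words,  # 16 bits
        "capitalised or not": 2,                            # 1 bit
        "common letter substitutions": 2 ** 3,              # 3 bits
        "appended digit": 2 ** 3,                           # 3 bits
        "appended symbol": 2 ** 4,                          # 4 bits
        "digit/symbol order": 2,                            # 1 bit
    }
    return sum(keyspace_bits(n) for n in components.values())


def passphrase_bits(word_count, wordlist_size):
    """Entropy of `word_count` words drawn uniformly from a `wordlist_size` list.
    Four words from a 2048-word list is the comic's 44-bit example."""
    return word_count * keyspace_bits(wordlist_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst case for an attacker who must try every candidate at the given rate
    (the comic assumes 1000 guesses/second against an online service)."""
    return 2 ** bits / guesses_per_second


def generate_passphrase(word_count=4, words=SAMPLE_WORDS, separator="-"):
    """Draw words with the CSPRNG in `secrets`, never with `random.choice`."""
    return separator.join(secrets.choice(words) for _ in range(word_count))


def caesar(text, shift):
    """Shift letters by `shift` positions, preserving case and non-letters."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def pig_latin(word):
    """Schoolyard pig Latin: a leading consonant moves to the end plus 'ay'."""
    if word[0].lower() in "aeiou":
        return word + "way"
    return word[1:] + word[0] + "ay"


def site_tag(site_name, method="caesar", shift=3):
    """Tip #4: take the first and last letter of the site's name and disguise
    them with a simple cipher so that each site's password differs."""
    letters = site_name[0] + site_name[-1]
    if method == "caesar":
        return caesar(letters, shift)
    if method == "piglatin":
        return pig_latin(letters)
    raise ValueError("method must be 'caesar' or 'piglatin'")


def derive_site_password(base_passphrase, site_name, **cipher_options):
    """Base passphrase (tips #1-#3) plus the per-site tag (tip #4)."""
    return base_passphrase + site_tag(site_name, **cipher_options)


if __name__ == "__main__":
    days = seconds_to_exhaust(substitution_password_bits(), 1000) / 86400
    years = seconds_to_exhaust(passphrase_bits(4, 2048), 1000) / 31_557_600
    print(f"Tr0ub4dor-style password: ~{substitution_password_bits():.0f} bits, "
          f"exhausted in ~{days:.0f} days at 1000 guesses/s")
    print(f"4-word passphrase: {passphrase_bits(4, 2048):.0f} bits, "
          f"exhausted in ~{years:.0f} years at 1000 guesses/s")
    print("Generated:", generate_passphrase())
    print("For google:", derive_site_password("MyWeddingAnniversaryIsJan12018", "google"))
```

The per-site tag only limits the automated reuse of a password leaked from one site, which is the damage the tip is about; it does not resist someone who studies that one leaked password and guesses the scheme, so the base passphrase still has to carry the entropy.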

Want to explain to your users why unique passwords are important? Sign up for https://haveibeenpwned.com/. They use information from data breaches to let you know if you have accounts that are affected on your domain, and they can give you ongoing alerts.

Here’s an example:

An email on a domain you’re monitoring has been pwned
You signed up for notifications when emails on [redacted] were pwned in a data breach and unfortunately, it’s happened. Here’s what’s known about the breach:
Breach: Exactis
Date of breach: 1 Jun 2018
Accounts found: 131,577,763
Your accounts: 10
Compromised data: Credit status information, Dates of birth, Education levels, Email addresses, Ethnicities, Family structure, Financial investments, Genders, Home ownership statuses, Income levels, IP addresses, Marital statuses, Names, Net worths, Occupations, Personal interests, Phone numbers, Physical addresses, Religions, Spoken languages
Description: In June 2018, the marketing firm Exactis inadvertently publicly leaked 340 million records of personal data. Security researcher Vinny Troia of Night Lion Security discovered the leak contained multiple terabytes of personal information spread across hundreds of separate fields including addresses, phone numbers, family structures, and extensive profiling data. The data was collected as part of Exactis’ service as a “compiler and aggregator of premium business and consumer data,” which they then sell for profiling and marketing purposes. A small subset of the exposed fields were provided to Have I Been Pwned and contained 132 million unique email addresses.

You can see which of the accounts you’re monitoring were compromised by running another domain search.

Tip #5: Don’t use biometric protections. If they are compromised, you can’t change them, and they are pretty trivial to compromise.

First, as reported by The Guardian, hacker Jan Krissler used high resolution photos, including one from a government press office, to successfully recreate the fingerprints of Germany’s defense minister. Yes, I know that’s a picture of Chancellor Merkel, but it was hard to find a picture of Ursula von der Leyen with rights to use.

Second, fingerprints left on smartphones themselves have been used to trick fingerprint scanners using methods as simple as a black and white laser print and some Elmer’s glue.

Finally, my son’s face will unlock my Apple Face ID which, according to Wired, must not be all that rare.

Tip #6: Use multi-factor authentication (MFA). It is inexpensive, it works, and the cost savings are very clear.

In early 2017, Google required security keys for all 85,000 of their employees. Since then, the number of exploited accounts is zero.

Yubico has keys that are FIPS 140-2 validated and made in the USA. Google also has their own Titan Keys coming out. Just search FIDO U2F on Amazon for tons of options. Roll them out starting with your executives and administrators today.

Tip #7: Add Google’s employee ID login challenge.

Google just rolled out employee IDs as a login challenge. Looking for a simple MFA with a light lift? Find out more here.

Tip #8: If you can’t use security keys, use the Google Authenticator app. It’s free and available for Android, iOS, and BlackBerry.

However, please do not use SMS or text messaging for your MFA. Signaling System No. 7 (SS7) or Common Channel SS7 is the technology that connects one mobile phone carrier to another. It allows interoperability of texts between carriers, and it is highly insecure.

Reddit’s recent password breach is a textbook example of why (as Ars Technica put it) “phone-based 2FA is that bad.”

Tip #9: Try the Password Alert Chrome extension.

The Password Alert Chrome extension alerts users when they use their Google account password on a non-Google site and helps users avoid being phished if the site they’re on is impersonating a Google login page. It’s a very simple task to install!

Tip #10: Encourage help desk use.

Users are routinely called the weakest link in security. However, I believe users can be a very strong security link in the chain. As an administrator, I take the stance that users can do no wrong. It is my job to select, develop, and implement technology that protects users 100%.

This means I don’t look to “train” users to identify scams. That’s a false sense of security because as a security expert, I routinely see scams that take considerable time for me to identify. If it takes me even minutes as an expert, how can I expect users to do so effectively?

To me, the most important part is to 100% encourage help desk use. A user should do NOTHING if they feel something is amiss. Get the professionals involved early, and look for those users who are often early indicators of larger issues when they report a problem.

Finally, most scams try and impart a sense of urgency on their target victims. “Do this now or else!” They do this to separate your logical mind from your emotional mind. All it takes is a 10-second pause for a mark to think about things and realize they are being conned. The number one phrase I hear doing incident response is “I knew immediately I shouldn’t have done that.” Encouraging help desk tickets is one simple way that allows for this reflection.

Tips #11, #12 and #13: Set up DKIM, SPF, DMARC, and check out dmarcian and Virtru.

First, a conflict of interest disclosure. I am an advisor at Virtru. However, in 25 years, they are one of two board invitations I have accepted. Virtru’s email encryption uses nation-state grade security that was originally designed for interagency communications post 9/11. It gives users one-click simplicity to encrypt emails with unparalleled control. Even after you’ve sent the email, you can revoke access quickly and easily.

With that out of the way, your first step is to set up DKIM and SPF. These technologies help prevent your domain names from being impersonated by bad actors. G Suite makes this incredibly simple. You can learn more about DKIM here and SPF here.

MXToolBox also has great tools to help create SPF records.

Next, after you implement DKIM and SPF, set up a DMARC record. The DMARC Inspector tool can help make sure it’s valid. Dmarcian also offers a reporting platform for ongoing DMARC monitoring.
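As an added example (not code from the post, dmarcian, or MXToolBox), here is a small Python checker for the two DNS records tips #11 through #13 tell you to publish. It runs against constructed TXT records embedded inline (example.com is a placeholder; `include:_spf.google.com` is Google's published SPF include for G Suite, everything else is assumed) and flags the mistakes the linked tools catch: a missing or `+all` terminator, more than ten lookup-triggering mechanisms (the RFC 7208 limit), a deprecated `ptr`, and a DMARC record with no enforcing policy or no reporting address.

```python
import re

# Constructed DNS answers standing in for real TXT lookups. The SPF include is
# Google's documented one; the domain and the DMARC mailbox are placeholders.
SAMPLE_RECORDS = {
    "example.com": {"TXT": ["v=spf1 include:_spf.google.com ~all"]},
    "_dmarc.example.com": {"TXT": [
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100; adkim=s; aspf=s"
    ]},
}

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 section 4.6.4 allows at most 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_MAX_LOOKUPS = 10


def check_spf(record):
    """Return a list of problems with an SPF TXT record (empty list = looks sane)."""
    problems = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    lookups, has_all = 0, False
    for term in terms[1:]:
        m = re.match(r"^[+\-~?]?([a-z0-9]+)", term.lower())
        if not m:
            problems.append(f"unparseable term {term!r}")
            continue
        name = m.group(1)
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            problems.append("ptr mechanism is deprecated (RFC 7208 section 5.5)")
        if name == "all":
            has_all = True
            if term == "all" or term.startswith("+"):
                problems.append("'+all' lets any host send as this domain")
    if not has_all:
        problems.append("no 'all' mechanism: mail from unlisted hosts gets a neutral result")
    if lookups > SPF_MAX_LOOKUPS:
        problems.append(f"{lookups} lookup mechanisms exceed the limit of {SPF_MAX_LOOKUPS}")
    return problems


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return a list of problems with a DMARC TXT record (empty list = looks sane)."""
    problems = []
    tags = parse_dmarc(record)
    first = re.sub(r"\s+", "", record.split(";", 1)[0])
    if first != "v=DMARC1":  # RFC 7489: exact value, and it must be the first tag
        problems.append("record must begin with v=DMARC1")
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        problems.append("p tag missing or invalid (none|quarantine|reject)")
    elif policy == "none":
        problems.append("p=none only monitors; move to quarantine/reject once reports look clean")
    if "rua" not in tags:
        problems.append("no rua address: you will receive no aggregate reports")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append("pct must be an integer from 0 to 100")
    return problems


def audit_domain(domain, records=SAMPLE_RECORDS):
    """Check the SPF record at the domain apex and the DMARC record at _dmarc.<domain>."""
    txt = records.get(domain, {}).get("TXT", [])
    spf = [r for r in txt if r.lower().startswith("v=spf1")]
    dmarc = records.get(f"_dmarc.{domain}", {}).get("TXT", [])
    return {
        "spf": check_spf(spf[0]) if len(spf) == 1
               else [f"expected exactly one SPF record, found {len(spf)}"],
        "dmarc": check_dmarc(dmarc[0]) if len(dmarc) == 1
                 else [f"expected exactly one DMARC record, found {len(dmarc)}"],
    }


if __name__ == "__main__":
    for domain in ("example.com", "missing.example"):
        print(domain, audit_domain(domain))
```

To run this against live DNS, replace `SAMPLE_RECORDS` with the TXT answers from a resolver library of your choice; the checks themselves do not depend on how the records were fetched.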

Finally, Virtru provides simple and secure end-to-end encryption for email. You can get it in the G Suite Marketplace here and add the Chrome extension for automatic decryption and one-click encryption with Gmail here.

Tip #14: Know your #1 vector — email.

Nine out of 10 compromises occur through email. Give email security the tender lovin’ care that it deserves and Elvis intended. Here’s a report on enterprise phishing susceptibility and resiliency.

Tip #15: Out of office messages can be very dangerous. Not only do people tend to overshare information, but combined with signatures, they can give away tons of contact information!

HINT: Here’s what a bad actor sees in your out of office message: “Hi, I am out of the country. Please come rob my house and feed Mittens while you are there! Oh, and now is a great time to try and brute force my accounts since I won’t get any notices. Plus if you want to impersonate me, now is a good time, and here’s my contact information in my signature.”

If you use out of office messages, make sure you check off options like “Only send a response to people in my contacts” or just keep details sparse!

Tip #16: Bad actors impersonating people and attempting social engineering is a real risk. Money handlers are the number one target.

Above is a real example where the chairman of an organization was spoofed using free emails from zoho.com to try and get a payment made to the account of a money mule.

And while this example is not very elaborate, bad actors can use information from out of office messages and social media (more on that in the next two tips) for much more convincing attempts.

Tip #17: Be sensitive about what information, if any, you post publicly.

Nothing on the internet goes away anymore, and it’s very easy to find people’s pictures, birthdates, pet names, parents, home addresses, and more. One particularly worrying trend that helps bad actors is the ease of discovering maiden names due to the use of hyphenated last names on Facebook and similar social media platforms.

One urban legend* I am reminded of is likely from Operation Gold during the Cold War. The story goes that the Russians compromised the operation due to a mole; however, they did not want to compromise their source. So instead of using phone lines that were tapped for government and military correspondence, they instructed staff to use them for personal calls to keep the enemy busy. The end result is that the intelligence officers monitoring the phones were overwhelmed! Overwhelmed, that is, with personal information that they wouldn’t have otherwise had — which allowed them to map out personal details like gambling habits, spouses/mistresses, home numbers, relations, etc.

*Anyone have a source for the legend? I’ve searched to no avail. (You can find more photos and information on Operation Gold aka Operation Stopwatch here, here, and here.) 

Tip #18: Business social media like LinkedIn is a big target as well.

Above are examples of several bad actors all impersonating SAIC employees and trying to connect with me.

I’ve even had a “founder at SAIC” try and reach out to me on LinkedIn. Which is pretty amazing since he died in 2014 at the age of 90 and was named J. Robert Beyster…

Tip #19: Bad guys are typically after money (or ways to get money). One way to watch for this is to monitor your personal credit.

There are lots of services for this, but my recommendation is to sign up for a Discover Card and use their security center. There is no annual fee, and there are no extra fees to monitor your FICO score and get SSN/new account alerts provided by Experian.

If you sign up at https://refer.discover.com/s/pwdup, I get a $50 credit which goes to the McGrail Foundation, a 501(c)(3) where we facilitate and advocate for the study, development, creation, and distribution of open source, private, and secure data communications.

Plus, PwdUp sounds like a security superhero catch phrase. “Password Up, Netizens!”

Tip #20: Embrace new ideas before you lose complete control.

This is a tip I’ve learned the hard way. Except in the most controlled environments, users will just use the tools they want with their own personal accounts. And when they do that, you’ve lost complete control.

So while you may agree with Dennis Hughes or Bruce Schneier that “the only secure computer is one that’s unplugged, locked in a safe, and buried 20 feet under the ground in a secret location… and I’m not even too sure about that one,” there is always a need to have good balance between security and usability.

Tip #21: I’m not saying you need to have a full computer security incident response team (CSIRT) on call, but have a basic plan for real-world issues: a successful phishing attack, unauthorized equipment found on network, cryptoware, fire/weather incident, lost equipment, compromised account, etc.

Even a basic framework of who to call can help bring some calm to an otherwise bad situation. Focus on how to limit damage, keep costs under control, and recover in the shortest time.

In most of these incidents, speed matters. Your CEO leaves his phone in a public place. Can you remote lock it? Do you need to remote wipe it? What’s your policy? How can you issue him a new phone and transfer his number?

It’s also important to keep a list of key phone numbers, account numbers, credentials, and privileged accounts. Do you have an inventory of assets and their location?

And once you have these items, make sure you have paper and electronic copies! Don’t get caught in a catch-22 where you need passwords and instructions that are only stored on a system to restore the system.

Good incident response planning is the difference between being a hero or a zero when a problem arises! And while I’d like to place a lot of emphasis on testing your plans, I’ll settle for at least having something in writing with a commitment to revise the plans after each incident.

Tip #22: I want to know about a problem before my users even know there is a problem.

If you are on the Enterprise edition of G Suite, the Google security center dashboard is an excellent resource. One useful tip is to use it for information on which of your users are being targeted by bad actors. Know your vectors!

Also, two must-have links are the G Suite Status Dashboard and the Cloud Connect Community. NOTE: The Cloud Connect Community routinely identifies outages before they are posted on the App Status page.

And I love commercial tools like AppNeta and Pingdom.

Tip #23: Show users some of the “why” without scaring them.

Every user is a target (if only from automated, brute force attacks). Show them reports from things like Have I Been Pwned.

And users love things like 2-step verification (2SV) after they’ve been compromised. Talk to them about Google’s zero compromised accounts statistics.

Using mobile device management? Show them that you can remote wipe a phone, and it’s just a piece of hardware that can be replaced.

Otherwise, tell them the wrong reason and hope that Cunningham’s Law works!

“The best way to get the right answer on the internet is not to ask a question; it’s to post the wrong answer.” — Cunningham’s Law

Tip #24: Who will guard the guards themselves?

As a member of the Large Install System Administration (LISA) group (formerly [sage]), I’m proud to follow the LISA Code of Ethics. This document, co-signed by LOPSA, USENIX, and LISA, is something I refer to as the “IT Ten Commandments” and strive to make sure every administrator follows it in everything that we do.

I strongly recommend every computer IT professional adopt this code. Here’s the full text of the System Administrators’ Code of Ethics.

Tip #25: “If you aren’t paying for it, you are the product.” —Ben Franklin

OK, Ben Franklin probably didn’t say this, but I like to think he would agree with the sentiment.

Many scams can be quickly interrupted by asking yourself whether it’s too good to be true. If the answer is yes, sit on it for a few days and ask some security people for advice. Nigerian princes are not donating their gold to needy people, Western Union is not holding a transfer for you, Microsoft is not calling you to help you with your computer, and the IRS does not take payment with Walmart gift cards.

So how is Gmail (not G Suite) free? It’s free because you are the product. Advertising and data mining-supported business models are a legitimate reality, and one that can be a win-win relationship if you understand what you (and they) are doing.

Over-the-air television is free in the US because it is an advertising-supported revenue model. Some people prefer to pay for streaming services like Netflix instead, which has no advertising. Both are legitimate business models.

In this day and age, barely a week goes by without a privacy concern with your data, so think carefully about the services you use and the companies you trust!

 

Tip #26: There are a number of invoice scams that revolve around sending advertisements that look a lot like bills.

This tip is fairly basic. Warn your accounts payable departments to watch out for these! In the fine print, they typically have something that indicates they are not an invoice!

Tip #27: Make sure you have a clear process for offboarding employees.

Don’t leave accounts active after an employee exits. And just changing the password won’t revoke access for programs with API access or a less secure application password!
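An added Python example (not code from the post, Google, or BetterCloud) of an offboarding step that does what a password change alone cannot: it suspends the account and then revokes every application-specific password and every OAuth token the user granted, using the Admin SDK Directory API. It assumes an authenticated google-api-python-client service for `admin` / `directory_v1` built by the caller with the `admin.directory.user` and `admin.directory.user.security` scopes; the user address is a placeholder, and the helper names are mine. The API resources used (`users.update`, `asps.list`/`asps.delete`, `tokens.list`/`tokens.delete`) are Google's.

```python
"""Offboard a G Suite / Google Workspace user with the Admin SDK Directory API.

Assumption: `service` is an authenticated googleapiclient discovery object for
admin/directory_v1 with scopes
  https://www.googleapis.com/auth/admin.directory.user
  https://www.googleapis.com/auth/admin.directory.user.security
"""


def _items(response):
    """List endpoints omit 'items' entirely when there is nothing to return."""
    return (response or {}).get("items") or []


def suspend_user(service, user):
    """Suspend first so nothing new can be minted while we revoke the rest."""
    return service.users().update(userKey=user, body={"suspended": True}).execute()


def revoke_app_passwords(service, user):
    """Delete each application-specific password (ASP); a password change leaves these valid."""
    revoked = []
    for asp in _items(service.asps().list(userKey=user).execute()):
        service.asps().delete(userKey=user, codeId=asp["codeId"]).execute()
        revoked.append(asp.get("name", str(asp["codeId"])))
    return revoked


def revoke_oauth_tokens(service, user):
    """Delete each OAuth grant (third-party apps, API scripts); these also survive a password change."""
    revoked = []
    for token in _items(service.tokens().list(userKey=user).execute()):
        service.tokens().delete(userKey=user, clientId=token["clientId"]).execute()
        revoked.append(token.get("displayText", token["clientId"]))
    return revoked


def offboard(service, user):
    """Run the three steps in order and return a report for the ticket."""
    report = {"user": user}
    report["suspended"] = bool(suspend_user(service, user).get("suspended"))
    report["app_passwords_revoked"] = revoke_app_passwords(service, user)
    report["oauth_tokens_revoked"] = revoke_oauth_tokens(service, user)
    return report


def build_directory_service(credentials):
    """Build the real service; imported lazily so the revoke helpers stay testable offline."""
    from googleapiclient.discovery import build
    return build("admin", "directory_v1", credentials=credentials)
```

Usage is `offboard(build_directory_service(creds), "leaver@example.com")` (placeholder address) from an account holding the Users and Security admin privileges; keep the returned report with the offboarding ticket so the audit trail shows exactly which grants were removed.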

Tools like BetterCloud can make you more secure by automating the process and also reduce costs by making sure your cloud licenses are recouped.

Tip #28: Data loss protection and encryption are essential for preventing damaging data loss.

If you are a G Suite Enterprise customer, Gmail DLP is included with tools like predefined content detectors for regular expression testing and geolocale-specific rules.

And the combination of DLP and encryption in Virtru for email can educate users on what they should encrypt by identifying issues such as tax IDs in email and prompting for encryption.

BetterCloud also provides DLP for Drive with both one-time audits and real-time policies.
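To show what a predefined content detector like the ones in Gmail DLP or Virtru actually does, here is an added Python example (not code from Google, Virtru or BetterCloud): two regular-expression detectors for US tax IDs (SSN and EIN) run over constructed sample messages, with a context-word check that raises a hit from "possible" to "very likely" the way DLP likelihood levels do, an encrypt-prompt policy on the confident hits, and redaction for logging. The SSN pattern rejects never-issued area, group and serial values, which removes the dates and order numbers that a bare `\d{3}-\d{2}-\d{4}` would flag. All identifiers in the samples are synthetic.

```python
import re

# Constructed sample messages; the identifiers are synthetic test values.
SAMPLE_MESSAGES = {
    "hr":         "New hire SSN: 123-45-6789 starts Monday, please set up payroll.",
    "vendor":     "Attached is our W-9. Our EIN is 12-3456789, thanks!",
    "benign":     "Order 12345 ships 2018-08-16; call 555-0100 with questions.",
    "impossible": "SSN 666-12-3456 is in the sample file, ignore it.",
}

# US SSN: area 000, 666 and 900-999, group 00 and serial 0000 are never issued,
# so rejecting them removes a whole class of false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# US EIN: two-digit prefix, hyphen, seven digits.
EIN_RE = re.compile(r"\b\d{2}-\d{7}\b")
# Words that, shortly before a match, raise confidence the way a DLP "likelihood" does.
CONTEXT_RE = re.compile(r"\b(ssn|social security|ein|tax id|tin|taxpayer)\b", re.IGNORECASE)
CONTEXT_WINDOW = 40  # characters before the match to search for a context word

DETECTORS = [("US_SSN", SSN_RE), ("US_EIN", EIN_RE)]


def find_tax_ids(text):
    """Return detector hits as dicts with type, matched value, span and likelihood."""
    findings = []
    for kind, pattern in DETECTORS:
        for m in pattern.finditer(text):
            before = text[max(0, m.start() - CONTEXT_WINDOW):m.start()]
            likelihood = "VERY_LIKELY" if CONTEXT_RE.search(before) else "POSSIBLE"
            findings.append({"type": kind, "value": m.group(0),
                             "span": m.span(), "likelihood": likelihood})
    return sorted(findings, key=lambda f: f["span"])


def should_prompt_encryption(text):
    """Policy: a confident tax-ID hit should trigger an 'encrypt this message?' prompt."""
    return any(f["likelihood"] == "VERY_LIKELY" for f in find_tax_ids(text))


def redact(text):
    """Replace each detected identifier with its type; work right to left so the
    spans found earlier stay valid after each substitution."""
    for f in sorted(find_tax_ids(text), key=lambda f: f["span"], reverse=True):
        start, end = f["span"]
        text = text[:start] + f"[{f['type']}]" + text[end:]
    return text


if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        print(f"{name:10s} prompt={should_prompt_encryption(body)!s:5s} {redact(body)}")
```

The "impossible" sample matters: a detector that is too eager trains users to dismiss the prompt, so validating the structure of the identifier is as much a part of the rule as the pattern itself.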

Finally, as announced at Google Cloud Next ’18, Virtru is now Google’s only data protection partner, and end-to-end encryption for Drive is coming this year.

Tip #29: G Suite provides a number of alerts. Make sure you review your settings and turn them on!

Navigate to the Admin console at admin.google.com and go to Reports > Manage > Alerts. New alerts like the government-backed attack alert are disabled by default.

Tip #30: Chromebooks come in all flavors, sizes, and costs (from $100 to $1,800), but one thing remains the same. They are unbelievably secure. When combined with device management and a security key, they are without a doubt the most secure system available today.

And as my final trick for today, the Pixelbook has a U2F security key built in. See this article for more information: The Pixelbook’s power button can double as a U2F security key.

Tip #31: This is a bonus tip with two parts. First, join the Google Cloud Connect Community (CCC). Second, learn from others on the CCC.

I recently learned something new from a post by Steve Larsen on the CCC. His trick lets you have complete separation of privileges for your day-to-day account for all your admins without spending money on an extra license.

This lets you increase the security of your super admins. You can do so without incurring a license cost by using Google’s Cloud Identity Free licenses. This follows the security principle of least privilege.

To do so, first navigate to the Admin console via admin.google.com and go to Billing. Once there, activate the Cloud Identity Free product. After you do this, you’ll want to turn off automatic license assignment for your G Suite product billing.

Now you can create users and assign the super admin role without using a G Suite license. And as Jack Woodward comments, you can use G Suite address mapping to map the email address to another email account.

NOTE: You’ll need to remember to assign a G Suite product license to new users that you want to have a license.