Matthew Prince, the CEO and Co-Founder of CloudFlare, reported that hackers accessed a customer‘s account last week as a result of a compromised CloudFlare Google Apps email account. This is notable, because Prince is technically savvy.
Prince configured Google Apps to require two-factor authentication. He would enter his username and password, and then be prompted to enter a six-digit number. He would receive this six-digit number on his phone (from an app, or via an SMS or voice call), then enter it to gain access to the account.
Prince also set his personal Gmail account - as a secondary account - to receive CloudFire Google Apps password reset instructions. Unfortunately, Prince had not configured his personal Gmail account to require two-factor authentication. This may have been a contributing factor in the attack.
Take measures to protect yourself
Securing systems is a never-ending task. But that doesn’t mean it is hopeless.
Here are several security settings to review for your Google Apps account. You’ll need to have administrative access to your Google Apps control panel to review and modify these settings.
1. Enable SSL
See: Domain Settings | General | Enable SSL
This is especially useful for users accessing Google Apps over unsecured networks, such as those often found in hotels and coffee shops. Enabling SSL encrypts the session traffic between the browser and Google Apps.
2. Increase minimum required password length
See: Advanced Tools | Authentication section
The United States Computer Emergency Readiness Team (US-CERT) suggests “a minimum password length of 15 characters for administrator accounts” and a “minimum password length of 8 characters for standard users.”
As far back as 2006, “The 60 Minute Network Security Guide” published by the U.S. National Security Agency (PDF) recommended a minimum password length of 12 characters for Windows domain users, and 14 characters for administrator accounts.
The usual “don’t use a dictionary word, variants of your name, address, pet’s name or the word password” guidance applies. I also recommend you not use “00000000″ as your password. The U.S. Strategic Air Command used that as the passcode lock on Minuteman missiles (PDF) until 1977. The military, though, had plenty of physical security to prevent unwanted physical access.
3. Enable and configure 2-step authentication for user accounts
See: Advanced Tools | Authentication section
Forwarding the above link and instructing people to set up 2-step authentication is not sufficient. Many people simply will not go through the setup process. Your organization’s tech support staff should walk people through the process, and then verify that 2-step authentication is setup for every user.
Tech support staff should also help users setup any application-specific passwords. Application-specific passwords will be needed for smartphone users attempting to use ActiveSync after 2-step authentication has been activated.
Note: The phone used for 2-factor authentication should be one which is company-owned, or one for which the employee receives reimbursement for work related use.
4. Designate two accounts as administrators OR set the secondary email address to that of an account also secured by two-factor authentication
See: Domain Settings | General
If there are two or more administrator accounts, the secondary email address may not be needed. Instead, another administrator could reset passwords and restore access. This can be effective even for small organizations. (I typically recommend that nonprofit organizations provide administrative access to both a trusted staff person, and a board member.)
If there is only one administrator account, then I recommend you create a separate Gmail account (e.g., firstname.lastname@example.org) with a strong password and 2-factor authentication enabled. This account would be used solely for password reset purposes. Be sure not to use this account as a standard “catchall” account for other tasks.
5. Keep your Google Apps customer and support PIN and phone numbers secured offline
Direct phone support is available for Google Apps administrators, should it be needed. If you encounter a situation that can’t be resolved with any of Google’s reset or restore methods above, contact Google Support via phone. I recommend you print the “Support” page from within your Google Apps Control Panel. Store this page securely, as it contains both your Customer and Support PIN numbers which will be needed when contacting support.
As Google demonstrated in the CloudFire incident, their team is eager to investigate and address security breaches when they occur. And they will occur - no matter what system is used.
The only truly secure computer is one that is never connected to a network and never powered on. However, such a computer is also useless. Instead of completely disconnecting, take prudent steps to secure your systems. But also recognize that when we increase security, we decrease ease of access.
What Google Apps security settings or practices do you recommend?