Did you know that you can use Gmail security settings to secure your domain from ransomware? 

When it comes to ransomware, prevention is the time-tested method: it is far cheaper than seeking a cure after the damage is done.


Ransomware Is Alive and Well

On 29 May 2019, the City Council of Riviera Beach, Florida, discovered that it had walked straight into a trap set by a ransomware attacker. The ransomware infected the city council network, encrypted city records, disabled email systems, locked employee payment gateways and prevented 911 dispatchers from recording call details. According to The Palm Beach Post, an unsuspecting employee had clicked a link in a phishing email; getting the data back cost the council a whopping $600,000, plus a lot of unwanted publicity to go with it.

If you think this cannot happen to you, think again!

A 2019 study by IBM and Ponemon Institute reveals some startling insights.

[Infographic: cyber attack statistics from the 2019 IBM and Ponemon Institute study]

That’s not all.

The Symantec 2019 Internet Security Threat Report shows that the share of users hit with malicious phishing emails shot up in 2018, with employees in smaller companies and organizations facing a higher risk of being targeted.

Evolution of Ransomware

What really keeps security professionals on their toes is the shape-shifting ability of ransomware attacks that’s growing in sophistication and scale. The availability of anonymous payment channels and the proliferation of dirt-cheap cloud computing resources worldwide have given malicious hackers the infrastructure and the tools to launch a synchronized global campaign.

[Timeline: evolution of ransomware]

Gmail Is No Slouch When It Comes to Email Security Settings

Google takes its security very seriously.

To today's intrusive cybercriminals, Gmail is a tough nut to crack, even for the savviest among them. But this reputation was not earned in a day.

Gmail was created to be more than just an email service. Soon after its release in 2004, Gmail made its ambitions clear. The ultimate prize was winning over business users even though it was conceived as a consumer email product.

[Timeline: evolution of Gmail]

The growing number of business customers called for more stringent security measures. That was the only way Gmail could compete with Microsoft's Office suite, which continues to be the market leader for business email and productivity apps.

In 2016, Google successfully fended off a sophisticated Locky ransomware campaign against Gmail that escalated from 20,000 to 3 million Locky messages per hour. (Source: eWEEK)

Here is how Gmail security settings and features have evolved through the years.

[Timeline: evolution of Gmail security features]

11 Essential Gmail Security Settings to Lock out Ransomware

Gmail Security Setting 1: Keep a Second Copy of Emails When Using Non-Gmail Clients

While businesses are embracing G Suite, email clients like Microsoft Outlook continue to dominate the market. It’s not uncommon to find businesses using G Suite apps along with Outlook Mail. Your G Suite domain may still have hold-out users who prefer non-Gmail clients like Outlook, iPhone or Apple Mail, or you may be routing outbound emails via SMTP for ticket tracking or notification systems.

This hybrid usage of Gmail with non-Gmail email services could be a potential minefield when things go wrong.

Just imagine what can happen if one of your non-Gmail users deletes an important folder from their client and you have no backup policy in place for those accounts. Fear not: the Comprehensive mail storage option (Admin console > Apps > G Suite > Gmail > Advanced settings) ensures that a copy of every message a user in your domain sends or receives through SMTP, IMAP or POP is also stored in that user's Gmail mailbox, where retention rules and your backup can see it. Note that it only keeps copies; it is not a substitute for a backup, because a compromised account can still delete them.


Why should you do this?

If your business relies on G Suite, there is a good chance you are also dealing with Office 365 and Outlook fans. While G Suite has 4 million paying business customers, Office 365 has 120 million business users (source: The Verge).


Gmail Security Setting 2: Stop Clever Attackers with Access to Compromised Accounts

Unethical hackers use social engineering strategies to trick users into giving out their account credentials. A careless employee is all it takes for a cybercriminal to gain access to your business data. The attacker can use the compromised account as a launching pad to corrupt other user accounts!

A simple way to stay one step ahead of attacks launched from compromised accounts is to make sure Gmail's spam and phishing scanning also covers mail from internal senders. In the Admin console's Gmail spam settings, check that spam filtering is not bypassed for messages from internal senders or from domains you have approved, since an attacker who controls one mailbox inherits exactly that trust.


Why should you do this?

The FBI's Internet Crime Complaint Center stated in its 2018 Internet Crime Report that it received 20,373 complaints of business email compromise and email account compromise, amounting to over $1.2 billion in losses.


Gmail Security Setting 3: Use Cryptographic Authentication to Verify Email Authenticity

Imagine your customers receiving a malicious email claiming to be from your organization. Taking it for an important message, they may click the malicious links, which could compromise confidential data and ruin your organization's reputation.

Here is where DKIM (DomainKeys Identified Mail) comes to your rescue. DKIM lets your mail server take responsibility for a message by signing it. The sending server hashes the message body and a chosen set of headers (From, Subject, Date and so on) and signs those hashes with a private key that only it holds; the result goes into a DKIM-Signature header. The matching public key is published as a DNS TXT record at selector._domainkey.yourdomain, where the selector is named in the signature's s= tag. A receiving server fetches that record, recomputes the hashes and verifies the signature, so any change to the signed headers or body after signing makes verification fail. Note what DKIM does not do: it does not encrypt the message, and it only proves that the signing domain vouched for it, which is why it is paired with SPF and DMARC in the next two settings. In the Admin console, DKIM is set up under Apps > G Suite > Gmail > Authenticate email: generate the record (choose a 2048-bit key where your DNS host supports it), publish it as a TXT record, then start authentication.
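Here is what a receiving server does with that header before it even touches the RSA signature, as an added example that is not code from the original page or from Google: it parses the DKIM-Signature tag list, canonicalizes the body the way the signer declared in c=, hashes it and compares the result with bh=. The domain example.com, the selector google, the sample message and the placeholder b= value are constructed for the example.

```python
"""Added example (not from the original page or from Google): the body-hash check a
receiving server performs on a DKIM-signed message before it verifies the RSA
signature. Domain, selector and message are constructed; b= is a placeholder."""
import base64
import hashlib
import re


def parse_tags(header_value: str) -> dict:
    """Parse a DKIM tag list ('k=v; k=v') into a dict; folding whitespace is dropped."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def canonicalize_body_relaxed(body: str) -> bytes:
    """RFC 6376 'relaxed' body canonicalization: trailing whitespace on each line is
    removed, runs of spaces/tabs collapse to one space, trailing empty lines are
    dropped and every remaining line ends in CRLF (an empty body becomes b'')."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return b"" if not lines else ("\r\n".join(lines) + "\r\n").encode()


def body_hash(body: str) -> str:
    """bh= value for a relaxed-canonicalized body: base64(SHA-256(body))."""
    digest = hashlib.sha256(canonicalize_body_relaxed(body)).digest()
    return base64.b64encode(digest).decode()


def dkim_signature_header(raw_message: str) -> str:
    """Return the (unfolded) value of the DKIM-Signature header."""
    head, _, _ = raw_message.partition("\r\n\r\n")
    unfolded = re.sub(r"\r\n[ \t]+", " ", head)
    for line in unfolded.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "dkim-signature":
            return value.strip()
    raise ValueError("message carries no DKIM-Signature header")


def check_body_hash(raw_message: str) -> dict:
    """Recompute bh= and report whether it matches, plus the DNS name the verifier
    would query for the public key (<selector>._domainkey.<domain>)."""
    tags = parse_tags(dkim_signature_header(raw_message))
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    if tags.get("a") != "rsa-sha256" or body_canon != "relaxed" or "l" in tags:
        raise NotImplementedError("this example handles a=rsa-sha256, c=*/relaxed, no l= tag")
    _, _, body = raw_message.partition("\r\n\r\n")
    computed = body_hash(body)
    return {
        "selector_record": f"{tags['s']}._domainkey.{tags['d']}",
        "bh_signed": tags["bh"],
        "bh_computed": computed,
        "match": computed == tags["bh"],
    }


# Constructed sample body.
BODY = "Hi team,\r\n\r\nPlease review the attached invoice before Friday.\r\n\r\nThanks\r\n"


def build_sample_message(body: str) -> str:
    """Constructed sample: headers plus a DKIM-Signature whose bh= is computed here.
    The b= tag is a placeholder, not a real RSA signature."""
    signature = (
        "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=google;\r\n"
        " h=from:to:subject:date; bh=" + body_hash(body) + ";\r\n"
        " b=PLACEHOLDER"
    )
    return (
        "From: accounts@example.com\r\nTo: staff@example.com\r\n"
        "Subject: Invoice\r\nDate: Mon, 3 Jun 2019 09:00:00 +0000\r\n"
        "DKIM-Signature: " + signature + "\r\n\r\n" + body
    )


if __name__ == "__main__":
    original = build_sample_message(BODY)
    print(check_body_hash(original))  # match: True
    # A relay that re-wraps whitespace does not break relaxed canonicalization ...
    print(check_body_hash(original.replace("Thanks\r\n", "Thanks \t \r\n"))["match"])  # True
    # ... but changing the content after signing does.
    print(check_body_hash(original.replace("before Friday", "today"))["match"])  # False
```

The relaxed canonicalization is why mail that picks up trailing whitespace on the way still verifies, while any change to the words does not. The real signature check over the h= headers, using the public key fetched from the selector record, is the step this example stops short of.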


Why should you do this?

DKIM is probably the first step in your war against brand spoofing. According to a study done by Barracuda Networks, brands are spoofed in 83% of spear phishing emails and Gmail happens to be the most preferred email service for phishing attackers as well!


Gmail Security Setting 4: Call out Legitimate Email Servers Allowed to Send Emails from Your Domain

Cybercriminals use every trick in the book to scam businesses. One of the most common online scams that popular brands are especially vulnerable to is the brand impersonation phishing attack. The aim of such attacks is to either gain confidential data of the targeted victim or to ruin the reputation of the targeted brand.

To make it harder to spoof your organization, create a Sender Policy Framework (SPF) record for your domain. An SPF record is a TXT record on your domain that lists the servers allowed to send mail for it; for a domain that sends only through G Suite it is v=spf1 include:_spf.google.com ~all (switch ~all to -all once you are sure nothing else sends for the domain). A receiving server checks the connecting IP address against the record of the domain in the SMTP envelope sender (MAIL FROM, shown to users as Return-Path), not the From header the user sees; that gap is closed by DMARC alignment in setting 5. Two practical caveats: SPF breaks when mail is forwarded, because the forwarder's IP is not in your record, and a record that needs more than ten DNS lookups (counting every include) is a permanent error that protects nothing.
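The check a receiving server runs against that record, as an added example (not code from the original page or from Google): a minimal RFC 7208 check_host() over a constructed DNS table, so it runs offline. The include chain mirrors the shape of Google's (the record contents and IP ranges are documentation values, not Google's real netblocks), and the two pathological records show the ways an SPF record silently stops protecting a domain.

```python
"""Added example (not from the original page or from Google): a minimal SPF
evaluator in the spirit of RFC 7208 check_host(), run against a constructed DNS
table so it works offline. Only ip4, ip6, include and all are implemented;
a, mx, ptr, exists and modifiers such as redirect= raise NotImplementedError."""
import ipaddress

# Constructed stand-in for DNS TXT lookups. The ranges are documentation prefixes
# (RFC 5737 / RFC 3849), not Google's real netblocks.
DNS_TXT = {
    "example.com": ["v=spf1 ip4:203.0.113.0/24 include:_spf.google.com -all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:feed::/48 ~all"],
    "loop.example": ["v=spf1 include:loop.example -all"],   # pathological: includes itself
    "double.example": ["v=spf1 -all", "v=spf1 +all"],       # two SPF records = permerror
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4


def check_host(ip: str, domain: str, dns: dict, lookups=None) -> str:
    """Evaluate the SPF record of `domain` for a connection from `ip`.
    `domain` is the SMTP envelope sender's (MAIL FROM) domain. Returns one of
    pass, fail, softfail, neutral, none or permerror. `lookups` is a one-element
    list shared across include: recursion so the 10-lookup limit is global."""
    lookups = [0] if lookups is None else lookups
    addr = ipaddress.ip_address(ip)
    records = [r for r in dns.get(domain, []) if r.lower().split(" ")[0] == "v=spf1"]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    for term in records[0].split()[1:]:
        if "=" in term:  # modifiers such as redirect= / exp=
            raise NotImplementedError(f"modifier {term!r} not handled in this example")
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # An IPv4 address is never inside an IPv6 network and vice versa.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            sub = check_host(ip, arg, dns, lookups)
            if sub in ("none", "permerror"):
                return "permerror"  # an include: that cannot be evaluated is fatal
            matched = sub == "pass"
        else:
            raise NotImplementedError(f"mechanism {mech!r} not handled in this example")
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term


if __name__ == "__main__":
    for ip, dom in [("203.0.113.5", "example.com"), ("192.0.2.9", "example.com"),
                    ("198.51.100.7", "example.com"), ("198.51.100.7", "loop.example")]:
        print(dom, ip, "->", check_host(ip, dom, DNS_TXT))
```

The self-including record is the realistic failure: a domain that accumulates includes from several SaaS vendors crosses the ten-lookup limit, every receiver returns permerror, and the -all at the end never applies.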


Why should you do this?

Phishing attacks that use brand impersonation are at an all-time high. While Office 365 apps and financial services brands are a popular choice for impersonation, even lesser-known brands can be spoofed to gain control of user accounts that can be spear phished. (Reference: TechRepublic)


Gmail Security Setting 5: Leverage the Third Protocol to Give DKIM and SPF a Boost

While DKIM and SPF are useful tools in the battle against domain impersonation, relying on them alone has three fundamental drawbacks:

  1. There is no way for you to know whether your legitimate mail is failing authentication somewhere, because receivers have no channel to report back to you.
  2. You cannot tell the recipient what to do with a message that fails authentication (reject it, send it to the spam folder).
  3. Neither protocol checks the From address the user actually sees: SPF checks the envelope sender and DKIM checks the signing domain, so a message can pass both while displaying your domain in From.

Domain-based Message Authentication, Reporting and Conformance (DMARC) addresses all three and works with Gmail. It is a TXT record at _dmarc.yourdomain, for example v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain, which tells receivers that a message passes only if SPF or DKIM passes with a domain aligned with the From domain, which policy to apply otherwise (p=none, quarantine or reject), and where to send aggregate reports (rua). Roll it out in that order: start with p=none and read the reports until every legitimate sender (Google, ticketing systems, marketing tools) authenticates, then move to quarantine and finally to reject.
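The decision a DMARC-aware receiver makes with those inputs, as an added example (not code from the original page or from Google). It takes the SPF result for the envelope domain and the DKIM result for the d= domain, applies relaxed or strict alignment against the From header domain, and returns the disposition the record asks for. The record, the domains and the four scenarios are constructed; the organizational-domain function is a two-label approximation of what the Public Suffix List provides.

```python
"""Added example (not from the original page or from Google): the alignment and
policy decision a DMARC-aware receiver makes once it has an SPF result and a
DKIM result for a message. Domains and records are constructed. Organizational
domain is approximated by the last two labels; real implementations use the
Public Suffix List so that names like example.co.uk are handled correctly."""


def parse_dmarc(record: str) -> dict:
    """'v=DMARC1; p=reject; rua=mailto:...' -> {'v': 'DMARC1', 'p': 'reject', ...}"""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Two-label approximation of the organizational domain (see module docstring)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict (s) alignment needs an exact match; relaxed (r) accepts subdomains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(from_domain: str, dmarc_record: str, spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str) -> dict:
    """from_domain: domain of the RFC 5322 From header the user sees.
    spf_domain: the envelope MAIL FROM domain SPF was evaluated on.
    dkim_domain: the d= tag of a DKIM signature that verified.
    The pct= sampling tag is ignored (treated as 100)."""
    policy = parse_dmarc(dmarc_record)
    if policy.get("v") != "DMARC1":
        return {"dmarc": "none", "disposition": "none"}
    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain, policy.get("aspf", "r"))
    dkim_aligned = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy.get("adkim", "r"))
    passed = spf_aligned or dkim_aligned
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else policy.get("p", "none"),
        "report_to": policy.get("rua"),
    }


# Constructed record for example.com.
EXAMPLE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r"


def scenarios() -> dict:
    """Four constructed messages with From: someone@example.com."""
    return {
        # Sent through G Suite: SPF and DKIM both pass and align.
        "legitimate": evaluate_dmarc("example.com", EXAMPLE_RECORD,
                                     "pass", "example.com", "pass", "example.com"),
        # Forwarded by a mailing list: SPF fails (forwarder's IP) but the DKIM signature survived.
        "forwarded": evaluate_dmarc("example.com", EXAMPLE_RECORD,
                                    "fail", "example.com", "pass", "example.com"),
        # Spoof: the attacker's own domain passes SPF and DKIM, but From: shows example.com.
        "spoofed": evaluate_dmarc("example.com", EXAMPLE_RECORD,
                                  "pass", "attacker.example", "pass", "attacker.example"),
        # Strict DKIM alignment rejects a subdomain signer that relaxed mode would accept.
        "strict_subdomain": evaluate_dmarc("example.com", EXAMPLE_RECORD.replace("adkim=r", "adkim=s"),
                                           "fail", "example.com", "pass", "mail.example.com"),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:17s} dmarc={outcome['dmarc']:4s} disposition={outcome['disposition']}")
```

The forwarded case is the one that bites in practice: mailing lists and auto-forwarders break SPF, so a domain that signs with DKIM keeps passing DMARC while one that relies on SPF alone gets its legitimate mail rejected.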


Why should you do this?

The US Government's Binding Operational Directive 18-01 required all federal agencies to implement DMARC with a reject policy by October 2018. Implementation is still incomplete even after the deadline has passed, but the directive makes it a critical configuration that businesses cannot overlook. (Reference: TechTarget)


Gmail Security Setting 6: Enable Email Attachment Scans to Block Sophisticated Phishing Attacks

The phrase "Beware of Greeks bearing gifts" is probably out of fashion. What IT administrators should worry about is emails bearing attachments. One recent phishing technique sends emails carrying an HTML attachment. The attachment is itself the phishing page: it opens locally in the browser, so there is no link for URL filters to inspect, and the credentials it collects are posted to the attacker from the victim's own device. Opening such attachments is particularly dangerous in collaboration suites like G Suite, where one set of credentials opens Mail, Drive and Calendar at once.

With Gmail, you have the option to double down on attachment scanning by choosing the following automated scanning features:

  1. Protect against encrypted attachments from untrusted senders
  2. Protect against attachment with scripts from untrusted senders
  3. Protect against unusual attachment types in emails

For each of these Gmail security settings, the admin can decide to either quarantine the message, move it to spam, or send it to the user’s inbox with a warning sign.


Why should you do this?

A threat group known as TA505 targeted retailers and financial institutions with spear phishing emails carrying attachments that looked like legitimate files. Opening the attachment let the attackers take control of the victim's device through a legitimate remote-administration tool, Remote Manipulator System (RMS) from a Russian vendor, which helped them stay undetected. (Source: CyberInt)


Gmail Security Setting 7: Stay One Step Ahead of Domain and Username Spoofing Attacks

Domain impersonation happens when an impostor registers a look-alike domain, or sets up a fake company website, and uses it to target the brand's customers and employees. Recently, an employee of Disney fell prey to a phishing scam and sent over $700,000 to someone she believed to be a Disney vendor. Google scans all emails by default for malicious content. However, you can go beyond the automated scans with these additional Gmail safety settings:

  1. Protect against domain spoofing based on similar domain names
  2. Protect against spoofing of employee names
  3. Protect against inbound emails spoofing your domain
  4. Protect against any unauthenticated emails
  5. Protect groups from inbound emails spoofing your domain

For each of these settings, the admin can decide to either quarantine the message, move it to spam, or to send it to the user’s inbox with a warning sign.


Why should you do this?

According to a report by Threatpost, "The Internal Revenue Service (IRS) is warning taxpayers about an email attack that uses messages pretending to be legitimate IRS communications. The endgame for the effort is malware being installed on unsuspecting users' machines; imposters may gain control of the taxpayer's computer or secretly download software that tracks every keystroke, eventually giving them passwords to sensitive accounts, such as financial accounts."


Gmail Security Setting 8: Sanitize Harmful Attachments

Bomb disposal squads neutralize explosives by detonating them in a safe zone. G Suite's Security Sandbox (available in the Enterprise editions, under the Gmail safety settings in the Admin console) takes a similar approach to suspicious attachments: it opens them in an isolated virtual environment and watches for malicious behaviour before delivery. You can configure the sandbox to scan attachments on every email irrespective of origin (internal or external); once the email and the attachment pass scrutiny, the message is forwarded to the recipients.

Note: Scanning attachments in Security Sandbox might delay the delivery of some messages for up to 3 minutes.


Why should you do this?

Barracuda Networks stated in its latest report that document-based malware attacks are on the rise. Their recent email analysis shows that 48% of all malicious files detected in the year 2018 were some kind of document.


Gmail Security Setting 9: Enforce Encryption in Transit with MTA-STS

Plain SMTP was designed without encryption. Server-to-server TLS was added later through STARTTLS, and that design leaves two loopholes that can be exploited to eavesdrop on your domain's email or to redirect it to a server controlled by an attacker.

Wondering how this is possible?

The STARTTLS upgrade is negotiated in the clear: the receiving server advertises STARTTLS in an unencrypted reply, so an attacker on the path can strip that advertisement, and the sending server, which by default tolerates a missing upgrade, falls back to plaintext. And because the sending server finds your mail server by looking up your MX record over unauthenticated DNS, an attacker who can spoof that answer can point the sender at their own server, which will happily negotiate TLS and then read the mail in the clear.

SMTP MTA Strict Transport Security (MTA-STS, RFC 8461) plugs both holes, and Gmail added support for it in April 2019. Your domain publishes a DNS TXT record at _mta-sts.yourdomain (v=STSv1; id=...) and a policy file at https://mta-sts.yourdomain/.well-known/mta-sts.txt listing its MX hostnames, a mode (testing or enforce) and a max_age. The policy is fetched over HTTPS, so it cannot be spoofed through DNS, and in enforce mode a sending server must refuse to deliver unless it gets TLS with a valid certificate that matches one of the listed MX hosts.

According to URIports Blog, "MTA-STS is a mechanism that instructs an SMTP server that the communication with the other SMTP server MUST be encrypted and that the domain name on the certificate should match the domain in the policy. It uses a combination of DNS and HTTPS to publish a policy that tells the sending party what to do when an encrypted channel cannot be negotiated."

Configuring MTA-STS addresses a fundamental weakness of SMTP and definitely gives your email security an upgrade. Two caveats, though. MTA-STS protects only the hop between mail servers; it is transport encryption, not end-to-end encryption, and your provider still sees message content. It also only takes effect with senders that implement it, so pair it with SMTP TLS Reporting (TLS-RPT), which Gmail supports alongside it, to hear about delivery failures.
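How a sending server applies such a policy, as an added example (not code from the original page or from Google). The TXT record and policy file for example.com, the MX names and the policy id are all constructed; whether TLS negotiated and whether the certificate matched are passed in as booleans because the example does not open network connections.

```python
"""Added example (not from the original page or from Google): how a sending MTA
applies an MTA-STS policy (RFC 8461) to a candidate MX. The DNS record and policy
file below are constructed for example.com; policy id and hostnames are assumed."""

# Constructed TXT record at _mta-sts.example.com; the id changes whenever the policy does.
STS_TXT = "v=STSv1; id=20190601T120000Z"

# Constructed body of https://mta-sts.example.com/.well-known/mta-sts.txt
POLICY_TEXT = """version: STSv1
mode: enforce
mx: mx1.example.com
mx: *.backup-mx.example.com
max_age: 604800
"""


def parse_sts_txt(txt: str) -> dict:
    """'v=STSv1; id=...' -> {'v': 'STSv1', 'id': '...'}"""
    out = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            out[name.strip()] = value.strip()
    return out


def parse_policy(text: str) -> dict:
    """Key/value lines; 'mx' may repeat, so it is collected into a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    policy["max_age"] = int(policy.get("max_age", "0"))
    return policy


def mx_matches(pattern: str, host: str) -> bool:
    """'*.example.com' matches exactly one leading label (mx1.example.com, not a.b.example.com)."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # '.example.com'
        if not host.endswith(suffix):
            return False
        leading = host[: -len(suffix)]
        return bool(leading) and "." not in leading
    return pattern == host


def decide_delivery(policy: dict, mx_host: str, tls_negotiated: bool, cert_valid_for_host: bool) -> tuple:
    """Return (action, reason). tls_negotiated: STARTTLS succeeded with a certificate
    chaining to a trusted CA; cert_valid_for_host: that certificate's name covers mx_host."""
    if policy.get("version") != "STSv1":
        return ("deliver", "no usable policy; ordinary opportunistic TLS rules apply")
    mx_listed = any(mx_matches(p, mx_host) for p in policy["mx"])
    if mx_listed and tls_negotiated and cert_valid_for_host:
        return ("deliver", "MTA-STS requirements met")
    reason = ("MX host not in policy" if not mx_listed
              else "no TLS" if not tls_negotiated else "certificate does not match MX host")
    if policy.get("mode") == "enforce":
        return ("refuse", reason + " (enforce mode: try another listed MX or queue, never plaintext)")
    return ("deliver", reason + f" ({policy.get('mode')} mode: delivered anyway; report via TLS-RPT)")


def policy_is_fresh(fetched_at: int, now: int, policy: dict, cached_id: str, current_txt: str) -> bool:
    """A cached policy stays valid for max_age seconds unless the DNS id has changed,
    which is the signal to fetch the policy file again over HTTPS."""
    return now - fetched_at <= policy["max_age"] and parse_sts_txt(current_txt).get("id") == cached_id


if __name__ == "__main__":
    policy = parse_policy(POLICY_TEXT)
    print(decide_delivery(policy, "mx1.example.com", True, True))        # deliver
    print(decide_delivery(policy, "mx.attacker.example", True, True))    # refuse: spoofed MX
    print(decide_delivery(policy, "mx1.example.com", False, False))      # refuse: STARTTLS stripped
```

The two refusals map onto the two loopholes above: a spoofed MX answer points at a host the policy does not list, and a stripped STARTTLS advertisement leaves tls_negotiated false. In testing mode the same conditions still deliver, which is why the policy should be published in testing mode first and moved to enforce only after TLS-RPT reports come back clean.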


Gmail Security Setting 10: Add Spam Headers Setting to All Default Routing Rules

According to a recent report by F-Secure, spam was the most common method cybercriminals used to spread malware in 2018. Spam that appears to come from a known person, has an error-free subject line and does not push for an action seems to work best. The risk Gmail lets you reduce here is the routing case: when a routing rule forwards mail to another mail server (a ticketing system, an on-premises mail server, a departmental mailbox on another provider), Gmail's spam verdict would otherwise be lost in transit.

Gmail looks for spam characteristics in two places:

  1. The message headers
  2. The message content

Headers matter because they record the delivery path of the message and can carry the spam filter's verdict; attackers forge header fields to slip past anti-spam filters. The Spam headers option in each routing setting adds Gmail's verdict to routed messages as the X-Gm-Spam and X-Gm-Phishy headers, so that mail servers downstream can filter on Gmail's decision instead of repeating it. Enable it on every default routing rule you have. One caveat: a downstream server should trust these headers only on mail that actually arrived from Gmail, and should strip them from any other source; otherwise an attacker can simply add X-Gm-Spam: 0 to their own messages.


Why should you do this?

According to Adam Sheehan, Behavioral Science Lead at MWR InfoSecurity, “Spam is becoming an increasingly successful attack vector, with click rates rising from 13.4% in the second half of 2017 to 14.2% in 2018.” That’s a lot more effective than most marketing messages!


Gmail Security Setting 11: Think beyond the Basic Two-Factor Authentication

Turning on two-factor authentication (2FA, which Google calls 2-Step Verification) is a useful countermeasure among the many layers of security settings in Gmail. However, 2FA is not bulletproof. Codes delivered by SMS or an authenticator app are still vulnerable to real-time phishing: the user is sent to a fake login page, run as a reverse proxy in front of the real one, that collects the username, password and one-time code and forwards them to Google before the code expires.

Using a hardware security key (FIDO U2F or FIDO2, such as a YubiKey or Google's Titan key) defeats this class of attack, because the key signs the login challenge together with the origin the browser is actually talking to, so a credential captured on a look-alike domain is useless on the real one. A context-aware identity provider such as Okta can add a further layer by evaluating device and location before granting access. Google's Advanced Protection Program (APP) builds on security keys: it requires a physical key to sign in, blocks most third-party app access to Gmail and Drive data, and hardens the account recovery process to deter phishing.
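The difference between a one-time code and an origin-bound security key, as an added example (not code from the original page or from Google). The TOTP part follows RFC 4226 and RFC 6238 exactly and is checked against the RFCs' test vectors; the security-key part keeps the shape of a WebAuthn assertion but substitutes HMAC for the real public-key signature, and the two origins are assumed names, so it only illustrates the origin check that stops a relay.

```python
"""Added example (not from the original page or from Google): why a one-time code
can be relayed through a phishing page in real time while an origin-bound
security-key assertion cannot. TOTP below follows RFC 6238 exactly; the
security-key part uses HMAC as a stand-in for the real public-key signature and
assumed origins, so it only illustrates the origin check."""
import hashlib
import hmac
import os
import struct

RP_ORIGIN = "https://accounts.example.com"      # assumed legitimate login origin
PHISH_ORIGIN = "https://accounts-example.com"   # assumed look-alike phishing origin


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3]) % (10 ** digits)
    return str(code).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(time / step)."""
    return hotp(key, unix_time // step, digits)


def rp_check_totp(key: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check tolerating one step of clock skew either way, as most services do."""
    return any(hmac.compare_digest(code, totp(key, unix_time + d * 30))
               for d in range(-window, window + 1))


def relay_attack_totp(key: bytes, unix_time: int) -> bool:
    """The victim types the current code into the phishing page; the proxy forwards it
    to the real site a few seconds later, well inside the validity window."""
    code_typed_on_phishing_page = totp(key, unix_time)
    return rp_check_totp(key, code_typed_on_phishing_page, unix_time + 5)


def authenticator_assert(cred_key: bytes, challenge: bytes, origin: str) -> dict:
    """Stand-in for a FIDO2/WebAuthn assertion. The browser, not the user, supplies
    `origin`, and it is bound into the signed data, so the phishing page cannot lie
    about it. (A real key signs with a per-site private key; HMAC substitutes here.)"""
    signed = hmac.new(cred_key, challenge + origin.encode(), hashlib.sha256).digest()
    return {"challenge": challenge, "origin": origin, "signature": signed}


def rp_verify_assertion(cred_key: bytes, expected_challenge: bytes, assertion: dict) -> bool:
    """The relying party rejects any assertion made for a different origin."""
    if assertion["origin"] != RP_ORIGIN or assertion["challenge"] != expected_challenge:
        return False
    expected = hmac.new(cred_key, expected_challenge + RP_ORIGIN.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def relay_attack_security_key(cred_key: bytes) -> bool:
    """The proxy fetches a real challenge from the RP and hands it to the victim's
    browser, which is looking at PHISH_ORIGIN; the resulting assertion is useless."""
    challenge = os.urandom(32)
    assertion = authenticator_assert(cred_key, challenge, PHISH_ORIGIN)
    return rp_verify_assertion(cred_key, challenge, assertion)


if __name__ == "__main__":
    seed = b"12345678901234567890"           # RFC 4226 / RFC 6238 test secret
    print(hotp(seed, 0), hotp(seed, 1))      # 755224 287082
    print("TOTP relay succeeds:", relay_attack_totp(seed, 1_000_000))        # True
    print("Security-key relay succeeds:", relay_attack_security_key(b"k"))  # False
```

Nothing about the code itself is weak; the relay works because a TOTP value carries no information about where it was typed. The assertion fails for the opposite reason: the origin is part of what is signed, and it is filled in by the browser from the page's real URL, not by anything the attacker controls.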


Why should you do this?

In December 2018, Amnesty International reported that attackers were phishing for Gmail and Yahoo! accounts using automated systems that capture the login credentials as well as the 2FA codes sent to the victim's phone via SMS, and use them to log in to the accounts in real time.


Human Error – Gmail’s Kryptonite

While Gmail gives you the option to dramatically improve your security stance against phishing and ransomware attacks, all security strategies have one major weakness: human error.

Yes, you read that right.

According to the 2019 study by IBM and Ponemon Institute, human error is the no. 1 cause of data breaches. Gmail's security measures, though sophisticated, are not foolproof.

Occasionally, a phishing email may get past Gmail’s spam filters and a careless employee – oblivious to all the telltale signs – may go ahead and click on the malicious link. There is only so much that Gmail can do to protect your domain from user errors.

Here are some real-world examples of how human errors unfold:

[Infographic: real-world examples of how human errors unfold]

So, human error is the top-most reason to lose G Suite data. Did you know that there are also 11 other reasons why you might need a Gmail backup?

Data Backup and the Art of Dodging Bullets!

What fuels any ransomware attack is the desperate need of the victim to regain access to their data. Data backup simply eliminates this vulnerability by keeping a copy of user’s data that can be easily restored.

While we talk about successful ransomware attacks and the impact these attacks have on businesses, no one really talks about the G Suite Administrators who put in place tools and methods to successfully block phishing and ransomware attacks.

They are our unsung heroes.

So what is the silver bullet that can give IT Administrators a solid defense against ever evolving phishing and ransomware attacks?

The answer: There is NO silver bullet.

You will need a combination of solutions to build a security moat for G Suite. These strategies involve four components:

  1. Implement G Suite security best practices

    Here is a list of our recommended reading for securing G Suite

    Security checklist for small businesses (up to 100 employees)

    G Suite security best practices for medium and large businesses (100+ employees)

    10 Tips to better secure your organization using G Suite

    Leverage the Security Center for G Suite (available for enterprise plan)

    How to identify and secure compromised accounts

    Scan your email traffic using DLP rules – G Suite Admin Help

    Make your account more secure – Google Account Help

    Gmail security tips – Computer – Gmail Help

  2. Leverage backup to avoid downtime even when you are under attack

    The most overlooked aspect of a successful ransomware attack is the enormous loss in productivity because your data is now encrypted and no longer accessible.

    Having an up-to-date Gmail backup – along with a backup of all other G Suite Apps – gives you the option to restore data from the backup archives directly to your user accounts.

    Users in your domain will be back on their feet with limited or no major disruption.

  3. Encrypt Gmail and Drive data

    Encrypting Gmail and Drive data protects its confidentiality: if files are stolen as well as encrypted by ransomware, the attacker gets only ciphertext. Encryption does not stop ransomware from encrypting your files a second time, or a user from deleting them; that is what backup is for. Used together, backup restores availability and encryption takes away the leverage of a data leak.

  4. Implement a DLP solution

    G Suite Enterprise edition comes bundled with a DLP solution for Gmail and Drive out of the box. For Basic and Business plans, third-party apps like SysCloud offer customizable DLP solutions that stop data loss based on rules and workflows.

    Implementing DLP is possibly the easiest way to plug data leaks caused by human error and malicious user actions.

    Data backup, together with encryption and a DLP solution, can dramatically improve your G Suite security posture against phishing and ransomware.


Gmail Security Settings – Frequently Asked Questions

1. Is Gmail secure?

Gmail encrypts email at rest with 128-bit encryption and in transit with TLS. However, nothing is 100% secure. To protect against ransomware, you can harden your domain's email with the eleven settings described above.

2. Are my emails safe?

Although the security measures of Gmail have evolved a lot, it is still not completely shielded from ransomware and other phishing attacks. You can configure these settings to improve the strength of your security.

3. Is Gmail an encrypted email?

Gmail encrypts your email in transit with Transport Layer Security (TLS), but that only works when both the sender's and the recipient's mail providers support TLS; otherwise the message falls back to plaintext, and Gmail shows a red open padlock on such messages. Configuring MTA-STS (setting 9 above) lets you require TLS for mail sent to your domain.

4. How do I send a secure email in Gmail?

To send a secure email, you can use the “confidential mode” option on Gmail. By using confidential mode, you can:

  1. Set expiry date for the email and attachments
  2. Revoke access for attachments
  3. Restrict email receivers from copying, pasting, downloading, printing, and forwarding the email text and attachments
  4. Set password for opening the email

Confidential mode restricts what the Gmail interface lets a recipient do; it is not end-to-end encryption, and it cannot stop a recipient from photographing the screen or copying the text by hand.

5. How do I make sure my Gmail is secure?/How can I secure my Gmail account?/How can I secure my email?

You can use the standard email security measures:

  1. Set a strong password
  2. Enable 2-Step Verification, preferably with a security key
  3. Check and remove access of high-risk apps to your account
  4. Do regular security checkups

You can also configure these eleven settings to improve the strength of your security.

6. How do I check my email security settings?/How do I change my security settings on Gmail?

You can access security settings on Gmail by clicking on your account icon at the top right-corner of the Gmail window and selecting “Manage your Google Account”→”Security.”

You can view the suggested measures by Gmail to improve your account security.

You can also check out these eleven Gmail security settings to improve the strength of your security.

7. Is Gmail secure for banking?

Gmail uses Transport Layer Security (TLS) to encrypt your emails in transit and 128-bit encryption to encrypt them at rest. However, that does not guarantee protection against phishing attacks, which is how banking credentials are usually stolen. Check out the security settings above to strengthen your Gmail account.

According to the Center for Internet Security, a regular data backup is recommended as the best method to mitigate the effects of a ransomware attack.
