Some of you may work in highly technical roles, with a slew of devices, complex systems to manage, and specialized software. Others of us may keep it simple–maybe just a laptop and O365. Either way, we all intersect at one point. Nearly all of us have a Google account and/or a Microsoft account. Gmail, Google’s email platform, is that magical place you can send all of your unwanted advertisements and solicitations when signing up for newsletters. It’s the account you use to sign up for your kids’ team updates or daily school notifications. Further, you may take advantage of other Google platforms (like the calendar), all of which are managed under the same Google login. Google is free, convenient, and allows you to keep your personal messages separate from work accounts. In fact, you probably set that account up right about the time you quit using Yahoo and have probably given its management an equal amount of thought. When you’re at work, though, you’re logging into Microsoft products, almost inevitably. In fact, your phone may sync with your Microsoft account, allowing you to edit a document while on the train, commuting to work, or check out a spreadsheet on the fly while eating lunch with friends. The widespread user base of these two account types, as well as the device and account interconnectivity most of use employ for our daily lives, point to why they are the two most frequently hacked account types. If you are a threat actor, you know how to leverage access to these accounts to do a lot–a LOT–of damage.
In our last blog for this series, TRUE Security Consultant, Steven Anderson, detailed the importance of personal security as paramount in working into professional security. Simply put, if threat actors can get into your personal account, it’s very simple for them to pivot into your work accounts, either through spyware, information they glean while reading your emails, or even something as simple as a reused password. In this installment, Anderson walks us through, step-by-step, how to lock down your Google and Microsoft accounts. Be safe out there, kids, so you can avoid that sinking feeling of discovering a breach.
Locking down your Google account
- Create a new, secondary google email account
- Never use this email account for anything other than recovering your main account
- Use your password manager (1Password, LastPass, KeePass) to generate a random password
- Recommended to use numbers, lowercase letters, uppercase letters, and special characters
- Recommended to create password with minimum of 12 characters
- Ensure credentials are properly saved in your password manager
- Navigate to https://myaccount.google.com
- Click on the “Security” tab in the navigational panel on the left-most portion of the screen
- Scroll down to “Ways we can verify it’s you”
- Click on 2-Step Verification
- Follow the appropriate steps to activate an authenticator app (use 1Password or LastPass – If you don’t have either of those apps, Google Authenticator will work as well) or voice or text message with your cell phone
- Set up recovery email in your primary Google account
- Navigate to https://myaccount.google.com
- Click on the “Security” tab in the navigational panel on the left-most portion of the screen
- Scroll down to “Ways we can verify it’s you”
- Click on “Recovery email”
- Change the recovery email address to the new secondary email address you just created
- Ensure your recovery phone number is set and correct
- Navigate to https://myaccount.google.com
- Click on the “Security” tab in the navigational panel on the left-most portion of the screen
- Scroll down to “Ways we can verify it’s you”
- Click on “Recovery phone”
- Change the recovery phone to your current cell phone number if necessary
- Update password
- Navigate to https://myaccount.google.com
- Click on the “Security” tab in the navigational panel on the left-most portion of the screen
- Scroll down to “Signing in to Google”
- Click on Password
- Use your password manager (1Password, LastPass, KeePass) to generate a random password
- Recommended to use numbers, lowercase letters, uppercase letters, and special characters
- Recommended to create password with minimum of 12 characters
- Turn on 2-Factor Authentication
- Navigate to https://myaccount.google.com
- Click on the “Security” tab in the navigational panel on the left-most portion of the screen
- Click on “2-Step Verification”
- Click “TURN ON”
- Follow the appropriate steps to activate an authenticator app (use 1Password or LastPass – If you don’t have either of those apps, Google Authenticator will work as well) or voice or text message with your cell phone
- Update Google PIN
- Navigate to https://myaccount.google.com
- Click on the “Security” tab in the navigational panel on the left-most portion of the screen
- Click on Google Account PIN
- Update pin to a unique pin that is not shared with other accounts or debit card
- Remove outdated and questionable third-party apps
- Navigate to https://myaccount.google.com
- Click on the “Security” tab in the navigational panel on the left-most portion of the screen
- Scroll down to section “Third-party apps with account access”
- Click on “Manage third-party access”
- Remove any apps that:
- You do not use anymore
- You do not recognize
- Seems to have access to parts of your google account that they shouldn’t
- Seems to have access to parts of your google account that they shouldn’t
- Remove questionable subscriptions
- Navigate to https://myaccount.google.com
- Click on the “Payments & subscriptions” tab in the navigational panel on the left-most portion of the screen
- Scroll down to section “Subscriptions”
- Click on “Manage subscriptions”
- Cancel any subscriptions that:
- You do not use anymore
- You do not recognize
- Check privacy settings and ensure Google is only managing data you would like them to
- Navigate to https://myaccount.google.com
- Click on the “Data & personalization” tab in the navigational panel on the left-most portion of the screen
- Scroll down to “Activity controls”
- Click on “Manage your activity controls”
- Turn off Google storage of personal info you don’t care for them to have access to
- Navigate to https://myaccount.google.com
- Click on the “People & sharing” tab in the navigational panel on the left-most portion of the screen
- Scroll down to “Choose what others see”
- Click on “About me”
- Modify each section appropriately
Locking down your Microsoft account
- Change your password
- Visit https://account.microsoft.com and login
- Scroll down to “Security”
- Under “Update your security info”, click on “Update”
- Click on “CHANGE PASSWORD >”
- Use your password manager (1Password, LastPass, KeePass) to generate a random password
- Recommended to use numbers, lowercase letters, uppercase letters, and special characters
- Recommended to create password with minimum of 12 characters
- Change your recovery email
- Visit https://account.microsoft.com and login
- Scroll down to “Security”
- Under “Update your security info”, click on “Update”
- Click on “UPDATE INFO >”
- Remove email addresses that you would not like to use for recovery purposes
- To add a new email address, click on “Add security info” and follow the prompts
- Turn on 2-factor authentication
- Visit https://account.microsoft.com and login
- Scroll down to “Security”
- Under “Update your security info”, click on “Update”
- Scroll to the bottom and click on “more security options”
- Under “Two-step verification”, click “Turn on two-step authentication”
- Follow the appropriate steps to activate an authenticator app (use 1Password or LastPass – If you don’t have either of those apps, Google Authenticator will work as well)