Security guide covering WordPress, Google Workspace and Dropbox



A short guide to Dropbox, WordPress and Google Workspace security.

Every professional has a preferred set of online productivity and collaboration tools that is essential to their day-to-day work. Some of the most popular include the likes of Dropbox, iCloud, Skype, Slack, Evernote, Google Workspace, Zoom, WordPress, Wix, Drupal and many others!

Productivity applications are a prime target for hackers!

In this article we focus on two of the most commonly used productivity and collaboration tools and on a content management system that powers an increasingly large share of the websites out there.

Under the spotlight we have: Google Workspace, Dropbox and WordPress.

Google Workspace

Launched by Google in 2006 (as Google Apps), renamed G Suite in 2016 and Google Workspace in 2020, it is a collection of cloud-hosted productivity and collaboration SaaS tools. In a nutshell it includes Gmail, Contacts, Calendar, Meet for video calls, Chat for instant messaging, Drive for storing your files and the Docs suite (Docs, Sheets, Slides) for creating content such as documents and spreadsheets.

The number of freelancers, small companies and larger organisations that rely on Google services for communication and collaboration keeps growing, and the more popular a web-based service is, the more attacks it attracts, simply because of the number of potential victims. Our security recommendations: turn on 2-Step Verification for every account, using Google Authenticator or, better still, a hardware security key rather than SMS codes (which can be intercepted through SIM swapping), and use a password manager so that the password is long, random and unique to the account. Workspace administrators can enforce 2-Step Verification for the whole organisation from the Admin console, which is preferable to relying on each user to switch it on.

Dropbox

Dropbox is a file hosting service offering cloud storage and synchronisation of your files and data. It is regarded as one of the most successful tech startups in the world, with a valuation exceeding $10 bn. Since its launch in 2007 it has had both security breaches and privacy concerns: in 2011 an authentication bug allowed any account to be accessed without a password for around four hours, and in 2016 the email addresses and hashed passwords of around 68 million accounts, stolen in a 2012 breach, surfaced on the Internet.

Being a popular tool, Dropbox remains a target for hackers, since it holds high-value data for a vast range of individuals and businesses. Dropbox encrypts stored files but manages the encryption keys itself, so a compromise of those keys on Dropbox's side is outside your control; from an end-user point of view, however, there are a few actions that can be taken to safeguard one's data, namely:

  • use a password for Dropbox that is not used for any other online service (a reused password leaked from another site is all an attacker needs),
  • make it long and random, ideally generated by a password manager (length matters more than special characters),
  • enable two-step verification, preferably with an authenticator app or a security key rather than SMS,
  • manage the roles and permissions of shared folders (owner, editor or viewer) and review them periodically to prevent unauthorised access, and
  • turn on email notifications so you are alerted to unusual activity, such as sign-ins from a new device or browser.

In addition, always unlink devices that are no longer in use or that belonged to employees who have left the organisation. Finally, review your linked third-party apps regularly and remove any that are no longer needed.

WordPress

First released in 2003, WordPress is by far the most popular free and open-source content management system (CMS) worldwide. It is written in PHP and runs on a MySQL or MariaDB database.

WordPress relies heavily on plugins and themes, and that is where most published WordPress vulnerabilities are found, not in the core. It began as a blog publishing system but has evolved into a web framework that powers content-rich websites, news portals and e-shops. WordPress is used by over 60 million websites worldwide, including approximately 39% of the top 10 million, and is hosted either on your own web server or with a hosting provider.

The most common cyber threats targeting WordPress are brute-force login attacks, vulnerabilities in the core, themes and plugins, SQL injection, cross-site scripting (XSS), malware uploads and DDoS attacks. To protect against them:

  • keep the core, themes and plugins up to date with the latest patches, and remove any you do not use (an inactive plugin is still attackable code on the server),
  • use long, unique passwords for every account, especially administrator accounts, and avoid the default 'admin' username,
  • serve the site over HTTPS with a TLS certificate (Let's Encrypt issues them free of charge) so that logins and session cookies are never sent in clear text,
  • activate a web application firewall (WAF),
  • use a login-protection plugin (free or premium) that rate-limits login attempts and auto-blocks IP addresses showing suspicious activity,
  • validate and sanitise all submitted data; in your own themes and plugins use WordPress's prepared queries ($wpdb->prepare()) against SQL injection and its escaping helpers (esc_html() and friends) against XSS,
  • restrict uploads to the file types you actually need and disable the dashboard file editor (DISALLOW_FILE_EDIT in wp-config.php) so that a stolen administrator login cannot be used to edit theme or plugin PHP from the dashboard, and
  • use a non-default database table prefix and unique names for paths, bearing in mind that this only slows down automated tools and is no substitute for the points above.
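The login-protection plugins mentioned above (and host-level tools such as fail2ban) work from a signal the web server log already contains: repeated POSTs to wp-login.php from one address. The following Python example, added here and not taken from the article or from any plugin, implements that detection over a few constructed Apache combined-format log lines. A failed WordPress login re-renders the form with HTTP 200, while a successful one redirects (302) to wp-admin, so only non-302 POSTs are counted as failures. The threshold, the five-minute sliding window, the sample addresses (RFC 5737 documentation ranges) and the function names are assumptions chosen for the demonstration.

```python
"""Worked example: flag wp-login.php brute forcing from web-server access logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" format: ip ident user [timestamp] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}   # xmlrpc.php is the other common brute-force entry point


def parse_line(line: str):
    """Return the fields we need, or None for lines that are not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],      # ignore query strings such as ?redirect_to=...
        "status": int(m["status"]),
    }


def is_failed_login(rec) -> bool:
    """A failed wp-login.php POST re-renders the form (200); a success redirects to wp-admin (302)."""
    return rec["method"] == "POST" and rec["path"] in LOGIN_PATHS and rec["status"] != 302


def find_brute_forcers(lines, threshold: int = 5, window: timedelta = timedelta(minutes=5)):
    """Map each offending IP to the moment it reached `threshold` failures inside a sliding `window`."""
    recent = defaultdict(list)   # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec):
            continue
        hist = recent[rec["ip"]]
        hist.append(rec["ts"])
        while hist and rec["ts"] - hist[0] > window:   # drop attempts that have aged out of the window
            hist.pop(0)
        if len(hist) >= threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


# Constructed sample log (not from any real server). 203.0.113.7 hammers the login form with a script;
# 198.51.100.4 is a legitimate user who loads the form and logs in successfully.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2021:13:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.25"',
    '203.0.113.7 - - [10/Mar/2021:14:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.25"',
    '198.51.100.4 - - [10/Mar/2021:14:02:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3901 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2021:14:02:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.25"',
    '203.0.113.7 - - [10/Mar/2021:14:02:17 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.25"',
    '198.51.100.4 - - [10/Mar/2021:14:02:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2021:14:02:25 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4312 "-" "python-requests/2.25"',
    'not a log line at all',
    '203.0.113.7 - - [10/Mar/2021:14:02:33 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.25"',
    '203.0.113.7 - - [10/Mar/2021:14:02:41 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.25"',
]

if __name__ == "__main__":
    for ip, when in find_brute_forcers(SAMPLE_LOG).items():
        print(f"block {ip}: fifth failed login within five minutes at {when.isoformat()}")
```

The 13:30 attempt from the same address is deliberately included: it falls outside the window by the time the burst starts, so it is not counted, which is the property that keeps a slow, legitimate user from being locked out. Whatever acts on the result (a firewall rule, a plugin ban list) should expire the block after a while, because the source is frequently a compromised machine or a shared NAT address.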

Always take regular backups of both the files and the database, store them in a secure and separate location (not on the web server itself), and test that they can actually be restored.

An organisation with a security-first mindset creates a secure, reliable and compliant environment, which in turn boosts the productivity of every team member. Consult us for a penetration test of your cloud systems to assess any vulnerabilities that could be exploited by attackers.

    We are here to help




    Francesco Mifsud
    [email protected]

    I live and breathe cyber security and everything else in the discipline. With around a decade of experience in the industry I have had the opportunity to develop skills in penetration testing, cloud security, reverse engineering & exploit development, application security engineering, management and organisation-wide cyber security strategy. I hold a well-rounded set of security certifications such as OSCP, eWPTX and CISSP and have delivered training & workshops at some of the most prestigious hacking conferences such as DEF CON, BruCON, BSides London and BSides Manchester.