To better understand how Google is working to protect its users online, we sat down with the Google Security’s Director of Product Management Mark Risher. He shared some of the team’s success stories and offered further insight on the challenges the team is facing today.
With the growing number of threats around today, how do you view the current security landscape?
One important trend we’re tracking that affects user security is that attacks are becoming far more targeted and bespoke. Whereas attacks used to involve generic enticements sent at scale — think “Dear Sir or Madam, I write to you from the oil ministry of a far off land” — we increasingly see perpetrators customizing their attacks based on personal details of their intended victims.
For example, it’s not uncommon for phishing messages to be tailored based on information gleaned from someone’s social media profile, public records dumps, or even information from a friend or colleague who’s been compromised. This trend has led us to invest considerable attention into personalizing our security settings and advice — for example, through the Google Security Checkup, which now gives individualized advice based on the specific user threat model.
What are some of the main challenges your team is facing today?
An important challenge is how to provide the best security and privacy in the world without creating a usability burden for our users. There are a lot of myths out there, such as that two-factor authentication is a huge inconvenience, and we’re working to dispel them and get people into the best-protected state. A harsh truth that we have to accept in the security world is that people often prioritise convenience over security.
For instance, in most scenarios, people will take the risk of using the same password across all accounts rather than taking the time to some up with a strong and unique password for each account and storing that in a password manager. We continually think about how we can best keep people safe in a way that doesn’t compromise the convenience of using their technology. And we believe that we’ve done a pretty good job of it. A really good example is our ongoing investment in password management and the autofill features in Android and Chrome.
What are some recent triumphs or success stories from Google’s security team that we should know about?
We’re very proud of our Advanced Protection Programme, which we launched last year to provide our strongest security to our most at-risk users such as journalists, activists, business leaders, political campaign teams, and others who feel especially vulnerable. Advanced Protection places automatic limits on which apps can gain access to your Google data. It goes further than traditional 2-Step Verification, requiring you to use a physical Security Key to sign into your account on a new device, and it dials up the protections in our other products to ensure users are receiving Google’s strongest security offerings.
We are also very proud of our Security Check-up, where we encourage people to take the right steps to protect their account. By taking this check-up, people receive advice on specific steps they can take to better secure their accounts, as well as review information on the apps and devices they’ve chosen to share data with. This pivot to personalized advice has been tremendously effective in driving adherence; we’ve seen a lot of engagement with this tool, with more than two-thirds of users accepting the advice we give.
Android recently turned 10 years old – how has working on a mobile platform affected Google’s security outlook?
From the time that Android launched, mobile has quickly become the number one form factor used to consume data. And with over 2 billion users on Android, continually improving security without putting too much burden on the end user is critical. As I’ve mentioned, people don’t always take proactive actions to keep themselves safe, so we have to think about how to make our products “secure by default.”
An example of how we’ve achieved this is with Google Play Protect, which is built into Android devices and automatically takes action in the background; we’re constantly updating these protections so you don’t have to think about security – it just happens. These protections have been made even smarter by adding machine learning elements to Google Play Protect.
Another issue that we are continuously working on to protect people on mobile devices is from attacks that at first sight don’t appear to be. Potentially harmful apps (PHAs) are a huge problem on mobile devices and one of the ways in which they are so effective is disguising their malicious nature until they are on the device. So in Google Play, we ensure that all apps are rigorously analysed by our security systems and Android security experts – and after you install an app, Google Play Protect continues to regularly scan your device to make sure all apps are safe. If it finds an app that is malicious, Google Play Protect either notifies you, or simply removes the harmful app to keep your device safe. Through this method, it scans over 50 billion apps every day.
Collaboration with security experts in the industry is also very important in ensuring that we are up to date with the latest threats and how to defeat them. Google works with some of the best security professionals in the industry around identity, artificial intelligence / machine learning, vulnerability management, and incident response.
How can you ensure you continue to provide a safe and secure internet in the future / priorities for the future?
Security and privacy have been a priority for Google since the very beginning, and it’s wired into everything that we do. Looking to the future, we are increasingly investing in machine learning, both as a tool we can leverage for detection as well as a possible threat from adversaries. We train systems like our Gmail anti-spam detection on huge corpora of various types of malicious content, and have found this approach tremendously powerful at detecting subtle, emerging threats at large scale; at the same time, we are wary of attackers employing machine learning themselves to optimize their own techniques. That’s led to us approaching defense-in-depth via deterministic prevention techniques —such as the warning messages we display in our Gmail apps if a message is coming from a “near duplicate” to a known contact — as well as working across the industry to share trends and best practices.
Another area that we are increasingly focused on is the security of our cloud infrastructure, where our experience building platforms that are “secure by default” can help enterprise customers as well. Cloud continues to be one of the fastest growing areas in enterprise technology, and security is a key point of differentiation.
Our cloud platform is built using the most secure hardware infrastructure and identity services, and the proprietary technology that we use in Google Cloud Platforms is the same technology that we use in our own data centres. We also continue to invest in identity and access management, and in preventative and investigatory tools for enterprise administrators. In July this year, we announced a new investigation tool in the G Suite security centre that can allow admins to identify potentially infected users, see what files have been shared externally, and delete malicious emails.
We also continue investing in protecting people from state sponsored attacks.Since 2012, we’ve warned our users if we believe their Google accounts are being targeted by government-backed attackers. We send these out of an abundance of caution — the notice does not necessarily mean that the account has been compromised or that there is a widespread attack. Rather, the notice reflects our assessment that a government-backed attacker has likely attempted to access the user’s account or computer through phishing or malware, for example. Earlier this year we began sending these alerts to our G Suite customers if someone in their corporate network may have been the target of government-backed phishing, and just last week we enabled these by default. This is what an account warning looks like:
Mark Risher is Director of Product Management at Google Security