SSN Detection Alert with GAT Shield

To set up an alert rule in GAT Shield for Social Security Number detection

Within GAT Shield you will find a template rule for detecting Social Security Numbers on any website your users visit, or that they themselves type into a webpage.

  1. In the Configuration area, under Alert Rules, click on ‘Add a template rule’ and choose US SSN entered.
  2. Take the following actions:
     • Check the box to activate the rule.
     • Select the users, groups or Org Unit you want this rule to apply to. If you leave the Scope blank, all users with the GAT Shield extension will be covered.
     • (Optional) Show a warning message or take no end user action.
     • (Optional) Report matched Text – will send you the text they typed, attached to the email you receive.
     • (Optional) Check the box ‘Report Screen Capture’ to take a screenshot of the page.
     • (Optional) Check the box ‘Report Webcam Capture’ to take a webcam picture of the user behind the device.
  3. Click on Save.

The regex inside this template matches any valid SSN and, by default, has a weight of 1. If other keywords occur on the same page, they each have their own weight. If the total weight is equal to or above 3, the rule will fire.
You can also add your own keywords, or edit the regex to exclude numbers such as those starting with local area codes (for example 345, 214, 526, 732).

The regex option we have is:
\b(?!000)(?!666)([0-6]\d{2}|7([0-356]\d|7[012]))[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b

We can edit this to exclude your local area codes:
\b(?!000)(?!345)(?!214)(?!526)(?!732)(?!666)([0-6]\d{2}|7([0-356]\d|7[012]))[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b
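
The weighting and exclusion behaviour described above can be checked offline before a pattern is saved to the rule. The following JavaScript is an added example, not GAT Shield's own code: it rebuilds the edited pattern from the template and scores constructed page text. The `excludePrefixes`, `findMatches` and `scorePage` helpers, the keyword weights and the once-per-element scoring are assumptions.

```javascript
// Template pattern as given on the page for the 'US SSN entered' rule.
const SSN_TEMPLATE = String.raw`\b(?!000)(?!666)([0-6]\d{2}|7([0-356]\d|7[012]))[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b`;

// Prefixes the page uses as its example of local area codes to exclude.
const LOCAL_PREFIXES = ["345", "214", "526", "732"];

// Add one negative lookahead per excluded 3-digit prefix directly after the
// leading \b, the same kind of edit the page makes by hand.
function excludePrefixes(pattern, prefixes) {
  if (!pattern.startsWith("\\b")) throw new Error("pattern must start with \\b");
  for (const p of prefixes) {
    if (!/^\d{3}$/.test(p)) throw new Error(`not a 3-digit prefix: ${p}`);
  }
  const guards = prefixes.map((p) => `(?!${p})`).join("");
  return "\\b" + guards + pattern.slice(2);
}

// Return every substring of `text` that the pattern would flag.
function findMatches(pattern, text) {
  return text.match(new RegExp(pattern, "g")) || [];
}

// ASSUMED scoring model: the regex contributes its weight once if it matches,
// each keyword contributes its weight once if present (case-insensitive),
// and the rule fires when the total reaches the threshold of 3.
function scorePage(text, pattern, keywordWeights, regexWeight = 1, threshold = 3) {
  let total = findMatches(pattern, text).length > 0 ? regexWeight : 0;
  const lower = text.toLowerCase();
  for (const [keyword, weight] of Object.entries(keywordWeights)) {
    if (lower.includes(keyword.toLowerCase())) total += weight;
  }
  return { total, fired: total >= threshold };
}

// Constructed sample data: keyword weights and page text are illustrative.
const KEYWORDS = { "social security": 1, "ssn": 1 };
const EDITED = excludePrefixes(SSN_TEMPLATE, LOCAL_PREFIXES);
const samples = [
  "My SSN is 123-45-6789",
  "Social Security number (SSN): 123 45 6789",
  "Social Security (SSN) ref 345-12-6789",
];
for (const s of samples) {
  console.log(s, scorePage(s, SSN_TEMPLATE, KEYWORDS), scorePage(s, EDITED, KEYWORDS));
}
```

As written, the template does not match area numbers 740–749 or 773 and above, so numbers in those ranges are not flagged by either pattern.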

Once you select the scope you would like to cover, the rule will be active and alerts will be sent to an admin every time the rule is violated.

Example of an email received by a super admin.


Chrome ‘Device Usage’ Alerts in GAT Shield

Do you want to track down a missing device? Do you know the serial number, or the last person who used it? If so, you can use the GAT Shield Device Usage alert to get notified.

How to Configure this Alert.

1. Launch the GAT Shield tool.

2. Enter the Alert Rules section.

3. Select Device Usage from the ‘Add a rule’ drop-down menu.

4. Give the rule a meaningful name. Check the box to activate the rule. Now, enter the user’s email address and/or serial number. If both are entered, whichever is detected first when the rule is triggered on the device takes precedence.

5. Check the box Report Screen Capture to take a screenshot of the page they were browsing at the time the rule is fired.

6. Optionally, you can take a webcam picture of the person behind the device.

7. There is an option to display a message to the user if you turn ON End user action.

Once the alert is triggered an email is sent to the G Suite Super Admin.


When GAT Shield receives a signal that the device is active, the admin will receive an email with a screenshot of the page opened and the device’s location on a map.
The Device Usage rule will be switched to disabled once the rule is fired to prevent getting multiple alerts for the same user or device.

Block Messaging in YouTube with GAT Shield

Google has introduced a new messaging feature inside YouTube. This creates a lot of headaches for school districts that have disabled Google Meet and Hangouts chats through the G Suite Admin Console.

Now, students have an alternative way to chat among themselves through YouTube.

How does it work?

Students can generate a unique link to connect to other users, which they share through other means. Once other students click on the link and accept the invitation, they can begin chatting.

Blocking YouTube messaging for Students

In the GAT Shield Configuration area, enter the Youtube Message Access section.

To activate this feature check the box for Block Youtube Message Channel. Now, decide which students will have this rule applied to them. For the scope selection, you can choose Users, members of Google Groups, or Org Units of students.

Expected Outcome for Students

Students will no longer see the Youtube Messaging Icon to begin a chat or to read existing chats.

Before

After

Note that the messaging icon is no longer visible.

Block Whole Categories of Websites with GAT Shield

With GAT+ Shield Sites Access control, admins can block whole categories of websites that they deem unsuitable for their user base. In addition, admins can create and edit custom categories which include exception sub-pages.

For example, you can block a site’s domain but allow access to its subdomains. Below is an example of how this can be achieved. First, we create a rule to block the site.

Once the Site rule is created, activate it by selecting the arrow and moving the rule to the Active Site Access rules.

When we select the arrow, a window prompts us to select the scope for this rule.

An admin can select time restrictions, leave a warning message for the users, select a scope (the scope can be Chrome device only) and save.

The rule will then be active and moved to Active Site Access rules, and users will be blocked from the pages you select.

We can whitelist the subdomain page in the same way. All we have to do is choose the subdomain and add it as a whitelist: select +Add a Site Access Category, add a rule as a Whitelist, and activate it the same way as the blacklist.

Once the Whitelist is applied and moved to Active Site Access rules, it will take precedence over the Blacklist and allow the users to open the page, but they will still be blocked on the pages from the Blacklist.

Here’s how to automatically block and approve URL sets with GAT Shield.

Automatically Block and Approve URL Sets with GAT Shield

Automatically block certain Sites during specific times of the day.

For example, you can block Facebook between the hours of 9 AM and 6 PM Monday through Friday. This feature is very flexible. It allows you to create a list of sites that automatically become blocked at certain times. It’s totally customizable and you can add multiple sites to this blacklist. You can also choose to block all sites apart from ones within an active ‘Whitelisted’ list.

When the blacklist is defined and edited and the sites you want to cover are added, click on Save.

Now this blacklist will appear on the left-hand side below the heading Site Access Categories (this lists the blacklists and whitelists you’ve created). To activate the blacklist rule, we have to move it to the Active Site Access rules area (right-hand side).

We select the arrow next to the listed blacklist, which in our case will cover facebook.com. A new window will open.

Configure the following settings:

  • Select the scope: the users you want covered by this blacklist.
  • (Optional) Redirect users to another website (Blocking Page) when they’ve been blocked.
  • (Optional) Show a custom warning message which appears above the website being viewed. The pop-up message will completely cover the current website.
  • Set up a time restriction. If there is no time restriction, the sites will be blocked while the rule is active; otherwise the rule will not be active outside the set time range.

Editing existing blacklists

An admin can modify the rules applied and add new sites to the list by selecting the ‘Pen’ icon under the action bar in the User defined Site Access Categories area. You can add multiple sites to your blacklist while the blacklist is in operation.

Here’s how to block whole categories of websites with GAT Shield.

View How Users are Spending Their Time

Leveraging the activity tracking features of the GAT Shield extensions, super admins can analyze any user’s timeline of activities throughout a selected date.

In the GAT Shield Reporter, there are two sections that allow you to see users’ activity on devices.

The Browsing Summary area shows you an in-depth analysis of the user’s browsing activity for a selected time range.

The User Activity area reflects a chronology of the user’s browsing behaviour for a given day.

Combining the information provided in both sections allows super admins to paint a clear picture of any user’s activity on the Google Chrome browser.

Access Scope of Delegated Auditors

Education, business and enterprise domains usually have a few G Suite super admin roles within their organization. For security reasons, they may want to delegate responsibilities to other users, giving them super-admin-like privileges within GAT+ or GAT Shield without G Suite super admin roles. This is why it’s critical for them to have a feature called Delegated Auditors, which allows them to distribute responsibilities to normal users while restricting the number of users who have access to the G Suite Admin Console.

A Delegated Auditor has scopes very similar to those of a super admin within GAT+.

They have full access to all of the Auditing areas.

In the Auditing areas, they can utilize all of the features of GAT Unlock, with Security Officer approval of course.

  • They can modify permissions/download files/view file content.
  • They can download emails, view emails and remove emails from users’ Gmail accounts.
  • They can set up email delegation to give one user direct delegation into another user’s Gmail account.

In Drive Audit they can’t use the Remove Permissions functionality yet. We will let you know when this feature is available to them as well.

Currently, Delegated Auditors will not have access to the Configuration areas unless they are a Security Officer, in which case they will only see the SO section.

Future Improvements: In the coming weeks, we will be releasing features that give Super Admins more control over the scopes of delegated auditors. Super Admins will have the option to switch on certain areas of the Configuration section, at their own discretion.

You can read more about G Suite Audit delegation here. 

Audit Google Hangouts Chat with GAT Shield

With GAT Shield you can monitor who your users are chatting to on Google Hangouts Chat. You can gather information about how long the conversation lasts and see the chat participants. The chat content itself is not shown for security reasons.

Select 'chats'

You can quickly analyze whether your users are chatting with external domains. To do this, click on the funnel icon on the top right of your screen. This button is called Apply custom filter; it allows you to apply specific search criteria.

select apply in the 'chat filters' tab

Once this is applied all external chats will appear in the search result.

GAT Shield does not track the contents of conversations. However, if these conversations are on record (that is, the participants have not enabled the ‘History Off’ feature), then the contents are recorded under email audit and can be seen by following the Security Officer approval process in GAT+ for viewing email contents.

Prevent MP3 files and other file types from being downloaded

Using the real-time alert rules within GAT Shield an admin can set up a rule to prevent certain file types from being downloaded to a user’s device.

To set up a download rule, go to the Configuration section of GAT Shield and enter the Alert Rules section.

Click on the Add a rule button, and select File download.

Once the menu appears, do the following:

  • Give the rule a meaningful name. In my case, I will prevent mp3 and mp4 files from being downloaded. Admins can add many more extensions, such as ‘mov’, ‘zip’, ‘pdf’ and so on.
  • Make sure to enable ‘Active’ so that the rule will be active once the rule setup is complete.
  • I entered mp3;mp4, using a semicolon to separate the two file extensions. A semicolon is not necessary if only one file type is being covered.

Tick the boxes next to "active" and "cancel/delete download".

  • You have an option to block files based on their file size as well: anything equal to or above the value you have entered. For example, I can enter 20 MB. That means any mp3 or mp4 equal to or greater than 20 MB will be blocked from being downloaded; smaller files won’t be.
  • The Cancel/delete download option will be enabled because we want this rule to block and prevent downloads. If left unchecked, the rule would only notify you and not take any action.
  • Site exclusions are useful if you have some educational sites where downloading mp3 or mp4 files is allowed.
  • Now we need to indicate which users will be covered by this rule. I have used the OU option, selected the root OU / and also included sub Org Units. This means my entire domain is covered by this rule (or, more precisely, the users who have Shield deployed on their accounts). You can indicate a sub-OU like /Students and enable the option to cover its sub-OUs if you wish.
  • You can also take actions like shutting the webpage down or showing a custom warning message to the students.
  • The last 3 options allow you to report the file name, capture the screen the user was on and take a picture of the user using the webcam of the device (if the Shield Companion app is deployed as well).

All alerts will be sent to you via email and you can also find them in the Shield Alerts section.

How to Use GAT to Detect a Sharing Policy Violation

This example is for a user, but you can also check for sharing violations on a file, a file type, a folder, a group (all the users in the group – ‘Local User/Group’), an organization, a file id and anyone sharing in or to a particular external target such as a user or a domain.

Security Lesson Part 1

In the Drive Audit, click the Long Search button and enter the email of a local user you wish to put under a policy watch. (For a group of users, add the group name to the ‘Local User/Group’ field.)

Note: The Owned checkbox will return only the documents that the user owns. If left unchecked, it will return files that the user can edit, read or owns.

Click on refresh to see if the search is complete. If the search is done, click on the green checkbox to apply the filter.

Now, let’s modify this search slightly once the results have been displayed. Click on the ‘Apply custom filter’ button.

When the Drive Files filter appears, add these additional search parameters on your existing Long Search.

  • Updated after or equal today’s date dd/mm/yyyy hh:mm
  • Sharing Flags contains Shared out

Note: You should also give it a meaningful name, for example, files shared out of UserX on a daily basis.

Once you have added these additional search parameters, click on Scheduled. Once Scheduled is selected, you will see additional options. You should make the scheduled report run on a daily basis: ‘Every day – after midnight’.

You can also choose who should receive this report, which contains data on files shared out by user X each day.

Click on Apply & Schedule.

Now navigate to Scheduled reports on the configuration side menu.

You can modify your existing scheduled jobs from here.

If you want to create an action with this policy, you can click on Jobs Action Edit, the icon next to the pen icon.

With this scheduled report set up, you will receive an email with a spreadsheet of all of the files shared out of User X each day.

Security Lesson Part 2

Although you have created a policy in Security Lesson Part 1 to show you files a user has shared out on a daily basis, there may be another vulnerability: files shared in may be used to leak sensitive data. A user on your domain can copy and paste data into a shared-in document without your awareness. That is why we recommend creating a scheduled report which can show you the files shared in to an individual user, entire group, specific OU structure or folder.

In this example we will take a look at files shared into a specific user.

In Drive audit, click on the ‘Apply custom filter’ button.

In the Drive Files filter popup apply the following search parameters.

  • Sharing Flags contains Shared in
  • Flags doesn’t contain Team Drive
  • Editors contains (exact match) UserX’s email address

We will apply the filter instead of scheduling this information. If you wish to schedule this report, add another search parameter:

  • Updated After or equal dd/mm/yyyy hh:mm

Then click on the Scheduled checkbox and select how often you want the report to run.

Once the results appear in the Drive result table, you can use the functionalities of GAT Unlock to examine the file contents. For more information about viewing file contents silently, read the post “View File Contents: How to silently copy or view files”.

Of course, we have made this easy for Admins: for this type of report for the entire domain, just go to ‘One Click Reports’ and select ‘Docs shared in or out changed in the last 24 hour’.