Why corporate communication tools are the new threat vector [Q&A]
In the new normal world where more work is being carried out remotely, corporate communications have increased in importance but they have also come under greater threat.
As the recent Twitter attack shows, communication tools offer hackers an attractive extra method of getting hold of sensitive information like login details.
We spoke to Chris Howell, co-Founder and CTO of secure collaboration platform Wickr, to find out more about why communication tools are coming under threat and how businesses can protect themselves.
BN: Why are communication tools particularly vulnerable to attacks?
CH: It might be surprising to a lot of people that in typical communications over the internet their messages aren't secure. Even when you see the little lock icon in the browser and things like that, the content isn't secured all the way from person to person.
If you're looking at a Zoom type of teleconference you're looking at encryption that is just in place between your computer and the Zoom servers. But once the communications hit Zoom servers it's wide open, the audio can be listened to and the video can be viewed. And then when it gets pushed back out to other users it's encrypted again just for that leg of the journey, but the fact that it's exposed at the provider for the time period that it's there is really a huge opening and a huge vulnerability in communication tools that has led to quite a few breaches.
BN: Thanks to COVID-19 many businesses are going into things like messaging and video conferencing for the first time. Do you think people have been caught out by the threat that these tools pose?
CH: Companies that were already used to doing teleconferencing had time to think about the security implications and do a little bit better product selection and vetting. But certainly the way that this pandemic has caught the world by surprise means there are a lot of folks who rushed to some type of a solution. We certainly saw it with Zoom in the US, and certainly there was some buyer's remorse there, it had some pretty impressive user numbers and adoption -- at the beginning of the pandemic especially -- but at the same time there's a lot of criticism. That led companies to realize that we did what we had to do in a pinch, but as far as long term operations go we need to do proper product evaluation to make sure that our security needs are matched by the types of products that we're using.
BN: Why has messaging become an attractive target for the bad guys?
CH: I think it's because of how messaging is being used. Before messaging apps the world used email, and we saw here in the United States back in 2016 there was a pretty significant hack of an email account belonging to a gentleman by the name of John Podesta, who was chief of staff to the Clinton administration and also working on Hillary Clinton's campaign. Just by virtue of hackers getting into old email messages it became a weapon and, if nothing else, a public relations nightmare.
Part of the problem is that email, and now messaging, is being used as an archival tool and a repository of knowledge. A lot of products like Slack and other messaging products have kind of developed themselves as a product in that vein but businesses aren't realizing the risks that are associated with that.
The latest example of this I think is what happened with Twitter a few weeks ago. The hackers didn't get control through some vulnerability on the server or some other traditional means, they discovered the credentials for that system. How they discovered them was internal Twitter employees were sharing those credentials with each other over their messaging tool. And it just so happened that they did that over a tool that is designed -- and part of its reason for existence -- is the fact that it archives every message forever.
BN: How do you deal with the problem and ensure messaging is properly secure?
CH: Part of the answer is to be end-to-end encrypted. Then even the data as it sits on the provider systems is completely secure, so even the provider itself has no way of viewing the messages at all. If you're looking from an attacker's point of view then the worth, or the value, of hacking the back end system isn't all that high because there's really not a lot of data to breach once you get there.
At Wickr we also want to push forward with an idea of ephemerality which is by default, so nothing is stored unless you really want it to be stored. This might mean drawing the line a little lower and defaulting a little bit more on the side of security, but it's a lot better to announce there are cupcakes in the break room over a secure system than it is to share passwords and credentials on an insecure system.
BN: Does having people working from home open up another layer of risk?
CH: Absolutely. The line is getting blurred as well; many companies are now reliant on cloud systems overall and cloud services. So there's not a well-defined border between the company's internal network, for instance, and the rest of the internet. More services are going cloud and certainly messaging services are among them.
I wouldn't say that you can't have a secure system in the cloud, I'm just saying it requires you to reach for a higher level of security than you might have otherwise reached for using a traditional solution that you host within your own business. Zero trust is something that's very important to us, it's starting with the assumption that the system is going to be hacked regardless of where you host it.
BN: Are we reaching a point where security will increasingly become a selling point for businesses?
CH: There's evidence that it's a number one primary driving factor of many companies. Certainly around messaging, but I think just overall information security. You have not only the kind of incidents we're seeing, like people learning from other people's mistakes, but you also have regulations changing. You have things like GDPR and other similar types of legislation gaining popularity. So I think there's an increasing awareness and a more stringent bar for companies to measure up to when it comes to securing their data as well as the privacy of their employees and customers.