Confidentiality, Integrity, Availability

WhatsApp: skepticism of remote communication tools is healthy

Every day, as a remote, distributed workforce, employees are busy firing off communications between themselves, customers, other businesses, and the board… Communications are the nodes that move plans into actions, ideas into growth, leads into customers. Digital communications, simple and reliable as they are, turn our communications into pockets of permanence. This essential nature of communications makes them a direct target for attack—every time information is communicated, it becomes a potential vulnerability; a record to be accessed. Consider Slack channels, for example. While Slack channels may feel like behind-closed-doors conversations, they’re actually a record of that conversation. It’s like having every room in the office mic'd up and set to tape—there’s a record of it somewhere, even if Slack’s cloud is (hopefully) harder to access than a pile of tape behind a locked door. Permanence. In Slack, companies can, however, set file-retention policies that expire after a set amount of time to solve for this. Do all corporate communications tools have such policies? More pertinently, what’s the actual privacy policy of each of those tools?

And so we come to WhatsApp’s terrible new year. A poorly communicated update (ostensibly designed to enable better communications channels for B2C interactions) has caused mass introspection amongst users about how their metadata is handled by WhatsApp (or more accurately, how their metadata might be shared with Facebook, which owns WhatsApp). Many users have decided they no longer trust WhatsApp to maintain their privacy, and have sought what they perceive as more trustworthy alternatives. Signal and Telegram have reported a massive uptick in active users in the past couple weeks—so much in Signal’s case that it temporarily went down under the weight of all the new users. WhatsApp has since paused the update and scrambled to fix the damage, but convincing the public to reinterpret the subtleties of their privacy policy might be a lost cause.

Given that it’s the CSO/CISO’s job to inspect third-party privacy policies, is the business world undergoing a similar introspection about their communications tools? According to research conducted by Pulse, most IT executives aren’t using encrypted messaging to communicate confidential information. When asked, “What tool(s) do you use to communicate confidential information?” the highest response by far was email (42%), with relatively few mentions of encrypted email services (such as ProtonMail) (11%) or encrypted messaging apps (6%). That sound you can hear right now? That’s the collective shudder of CISOs around the world. CISOs have a fight on their hands: to convince the business of the necessity of secure communications. It’s a fight on multiple fronts, as CISOs must also scrutinize vendors’ security protocols. The pressure can yield results—Zoom has made great strides to address security concerns raised by businesses and consumers (here’s a regularly updated history of Zoom security flaws and fixes).

Remote work was forced upon many of us. We’ve all had to adapt and learn new tools. And the onus is on each of us to understand the tools we use—whether that be for the sake of our business or our own privacy. Ultimately, when it comes to cybersecurity, communication isn’t just about what you say, it’s also about the medium in which you say it. The medium we choose is up to us.

Are you concerned about the security of your business communications?

Top Answer : Not much, we avoid using unsanctioned channels and keep a rather conservative approach (email).

How has GDPR and CCPA changed your use or procurement of cybersecurity tools?

Top Answer : Not much directly, but in some situations avoiding an agent, a plugin, or something that requires a cookie will mitigate privacy risks. Many security technologies, in how they are architected, deployed, and how the vendor gathers and shares information, are actually generating a substantial amount of privacy risk.

If these companies were affected then the foundation of computing could be at risk. If you could manipulate at the hardware layer via the firmware, BIOS, etc., then a threat actor could weaponize well below the operating system, which brings into question the integrity of the entire computing stack and everything above it. The firmware and BIOS are like the rebar and concrete for a building. If that foundation is weak then the entire structure and anything dependent on it is at risk. We cannot underestimate the potential or the severity of these companies being potentially affected by the SolarWinds hack and what that means for the foundational computing hardware they provide to the world. What do others think? How could this impact your organization? Big tech companies including Intel, Nvidia, and Cisco were all infected during the SolarWinds hack - The Verge

Pulse Flash Read: Password(less)

Passwords are rubbish, aren’t they? We’ve all asked for someone else’s Netflix login, only to break out in a cold sweat when you see that their password is something like: basketball (yeah, they finally signed up to watch The Last Dance). And, let’s be honest, you didn’t feel great about them sending it over iMessage either. I’ve literally turned down free access to Netflix because of this. And cybersecurity experts like NordPass agree: they’re sick of telling us how rubbish passwords are.

Letting humans stay in control of those crucial windows of access that passwords reveal will always be problematic. The bad actors waiting in that password-generated web traffic are experts at exploiting human faults. Take the recent Twitter hack: Two-Factor Authentication (2FA) seemed like a great extra layer of security until a fatal flaw in the thinking was revealed: all it took was some social engineering and the implicit trust users feel with 2FA was turned into a classic bit of phish bait.

What if the answer is in the problem? Password-related attacks happen when human meets internet. Can we remove either or both of those issues? Turns out we can. Hardware Security Modules (HSMs) are secure pieces of hardware for containing digital information, lock and key in a discreet piece of machinery that fits neatly on your desk. (Actually, they’re pretty small nowadays; the main issue might be losing it, SD-card style.) They generate truly random keys, unlike computers, that exist outside of the internet’s nefarious reach, providing what’s known as Root of Trust (RoT): trusted nodes within a cryptographic system, a critically important element for any IoT network (and much more reliable than human secret-keepers). If you’d prefer not to ship out HSMs to all your remote staff, there are simpler options that, while not as cloaked as HSMs, at least bypass the password problem.

Both AWS and Microsoft Azure offer OTP (One Time Password) access via SMS (yes, it might seem annoying at first, but it takes less time than resetting that password we forgot 30 seconds after creating it), plus others such as Okta, OneLogin, Acceptto and Hitachi ID offer robust solutions. We produced a white paper with Microsoft you can read here about IT execs’ experiences with FirstLine Employee remote login.

Magic links are another option. San Fran-based Magic (formerly Fortmatic) promises ‘customizable, future-proof, passwordless login with a few lines of code’. All you have to do is embed Magic on your site and apps, clients receive an email link they click to sign in, and that’s that. The link, like that 5 of hearts you were watching, vanishes and the hijacking opportunity along with it. (Incidentally, Magic uses HSMs to handle your data.) Here’s a guide on how to add Magic to your apps, including a more in-depth discussion of both HSMs and Magic.

The demise of the password comes with an acceptance of our own limitations. We forget. We enjoy simplicity. We share. So, accept that your team are human and find a password alternative that fits your needs. Because if you don’t, those clients, and your investors, might end up being another thing you’re scrambling to retrieve.

What startups/tech are you excited about in the passwordless space?

Top Answer : This is our first editorial piece by our community editor Aaron Towlson. Would love your thoughts on it and if you'd like to see more of these to spark discussions. Thanks!
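The property the editorial above attributes to magic links, that the link "vanishes" after use so a captured link cannot be replayed, comes from two server-side rules: the token is single-use and time-limited. The following is an added illustration of those rules, not Magic's or any vendor's code; the in-memory store, the ten-minute lifetime and the `example.test` base URL are assumptions made for the example.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed in-memory store: SHA-256(token) -> (user_id, expires_at).
# Only the hash is kept, so a leaked store does not yield usable links.
_pending: Dict[str, Tuple[str, float]] = {}

TOKEN_TTL_SECONDS = 600  # assumed lifetime: the link dies after 10 minutes


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_magic_link(user_id: str, base_url: str,
                     now: Optional[float] = None) -> str:
    """Mint a single-use, time-limited login link for user_id."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unguessable
    _pending[_hash(token)] = (user_id, now + TOKEN_TTL_SECONDS)
    return f"{base_url}/login?token={token}"


def token_from_url(url: str) -> str:
    """Pull the token back out of the link the user clicked."""
    return parse_qs(urlparse(url).query).get("token", [""])[0]


def redeem_magic_link(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user_id for a valid, unexpired, unused token, else None.

    The entry is removed on the first redemption attempt, expired or not,
    so a second click (or a replay of a captured link) always fails.
    """
    now = time.time() if now is None else now
    entry = _pending.pop(_hash(token), None)  # consumed on first use
    if entry is None:
        return None
    user_id, expires_at = entry
    if now > expires_at:
        return None  # link outlived its window; user must request a new one
    return user_id
```

Because the token is compared via its SHA-256 digest rather than looked up raw, the store never holds anything an attacker could paste into a browser.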