As messaging in forms as diverse as SMS, WhatsApp, and Facebook Messenger has become more popular, its use seems to have outrun IT security's ability to protect the data sent over these systems. As more employees turn to messaging for their business communication, what should companies do to make sure that rapid communication doesn't equal insecure communication?
"The biggest challenge today is dealing with interactive and ephemeral content sources that are very difficult to process, review, and remediate with technologies designed for email," says Robert Cruz, senior director of information governance at Smarsh.
As IT security groups look to secure their organizations' data, two broad avenues can be taken for protecting messaging. They'll sound familiar. The first is to focus on the technology, how the systems work, and the protections they offer (or don't). The second is to focus on processes and procedures that include factors like the way employees use the services and think about the data they're sharing.
Acceptto CEO Shahrokh Shahidzadeh points out some basic considerations that cybersecurity professionals should keep in mind when evaluating messaging services and formulating security policies around them.
"First, it is best to pick apps that offer end-to-end encryption, including the encryption of metadata," he says.
End-to-end encryption is one of the factors many users cite when asked why they choose a messaging service like WhatsApp. And while that encryption is critical, it's not the only consideration, especially when an employee seeks to use one of these public messaging services to communicate with customers or partners.
"Knowing what data exactly is captured from your device is a key factor. Apps that harvest the contact list or store any metadata associated with communication are problematic," Shahidzadeh explains.
In addition, knowing how the messaging service itself protects the data (encrypted or not) it collects and that flows through its servers is important because of what NIST SP 800-53 calls "inherited risk." That is, security and privacy controls that cover a very broad scope (the organization and its suppliers) may introduce risk that must be accepted by much smaller units (such as a department). In this case, the service relationship and its security have an impact on every department that has an employee using the service.
Of course, even encryption can be of limited use when malware uses a messaging app to infect the device itself. A recent campaign of commercial malware using WhatsApp to attack smartphones is merely the latest example of attackers using the "security" of WhatsApp to increase the effectiveness of an attack.
Best Practices Emerge
Because organizations can use some of the process- and data-related security principles that have informed security of other technologies, best practices are beginning to emerge for securing messaging apps. Cruz says the first of these is simple: The IT security group must become actively engaged in evaluating messaging services and products before employees use them — not after they're already in wide use.
Next, "Policies must be updated to encompass new messaging, mobile and collaborative technologies — including explicit examples of acceptable and prohibited uses," he says. Those explicit examples will go a long way toward eliminating confusion about how policies are to be applied, though security has to be sure to point out they are examples — not statements of the policy's limits.
Cruz says training programs should be constantly updated to include permissible use of messaging for high-value organizational data. That training should include explicit language on scenarios when IT security should be engaged and brought into the conversation on new messaging services, he says.
That training also must include warnings against social engineering attacks that exploit the special properties and trust relationships of services like WhatsApp for phishing campaigns. These are the latest variation of "smishing" attacks, which make increasing use of mobile devices as an attack surface in the enterprise. Because they target the user rather than the platform, such social engineering attacks can render even the comfortable confines of a restrictive "walled garden" like the Apple App Store ineffective as a defense.
Finally, Cruz points out, it is important that IT security continually evaluate technology that can "preserve the context and metadata to track, inspect, and remediate security issues that can surface from interactive and non-text content sources." It is, as always, difficult to protect what you cannot see and define.
Cybersecurity professionals must remember that, as NIST states in SP 800-53, "There is no single set of controls that addresses all security and privacy concerns in every situation." As their employees look for new ways to stay in touch with colleagues, partners, and customers, security groups will have to continually evolve to stay, if not ahead of their employees, then at least not too far behind.