
Operations | Commentary
3/3/2020 02:00 PM
Lena Smart

Avoiding the Perils of Electronic Communications

Twitter, Slack, etc., have become undeniably important for business today, but they can cause a lot of damage. That's why an agile communications strategy is so important.

One of the more difficult and time-consuming exercises for security leaders is to analyze their company's electronic communications channels and work to codify and implement processes that take into account proper security hygiene. In my experience, there is no one-size-fits-all approach because every company communicates in different ways and uses different tooling.

Due to the proliferation of collaboration tools and social media applications, it's possible you don't even realize how many tools your employees are using to communicate. For example, your CEO's calendar probably shouldn't be available to the entire company, as free access to this information carries significant risk. Because a calendar is a trusted application, you likely wouldn't think twice about clicking on a link in an invitation that appears to come from a known source.

Evolution of Social Media
To be candid, social media applications have turned electronic communications into a difficult beast for CISOs to tackle. Take Twitter. This single application lets you reach global audiences instantly. While Twitter can be used as a mouthpiece to quickly disseminate news and spread awareness, there have been major downsides, and our society has yet to fully understand the ramifications of these.

One of the most notable incidents occurred in 2013, when a single tweet from the Associated Press's verified account claimed that there had been explosions at the White House and that President Obama had been injured. A hacking group claimed responsibility for the tweet, and the resulting stock market nosedive erased over $136 billion in equity market value in the three minutes following the tweet. The fact that one tweet could do this much damage was a wake-up call that we need to think long and hard about how systems are designed to curb potential abuse.

Additionally, any organization with sensitive intellectual property should take into account the lengths that sophisticated actors will go to breach its electronic communications — especially social media — including the use of insiders. For example, in late 2019, it was reported that two former Twitter employees were working for Saudi Arabia to spy on targeted users. It's vital to account for these channels in employee training. While they might not associate Twitter, Instagram, or Facebook with a work-related threat, given the trust we place in our favorite social media apps, vulnerabilities in them can be leveraged by skilled adversaries as a foothold into an organization's network.

While some might think of traditional electronic communications threats as simply phishing attempts via email, there are dozens of channels that a CISO must consider when setting company policies. Given the impact a single tweet or post can have, these applications should be locked down for your C-suite and senior leaders, with access contained to as few people as possible. Additionally, best practices such as implementing two-factor authentication will help to protect your organization.

Communication Policies Must Be Agile
At MongoDB, our most-used communications tool is Slack. The Slack platform is vital to asynchronous work with a global employee base and, in total, over 50 people were involved in the process of writing our new policy before the final guidelines were shared companywide. We consulted representatives from different teams across the company to get feedback on policies and wording to make sure it would resonate with everyone.

This might not be a surprise, but feedback from members of our engineering teams was that there should be no ambiguity in the policy. It was important to write and set a policy that ended up being very prescriptive without sounding condescending. We also incorporated different data retention standards for things such as attachments, direct messages, and all communication in public versus private channels.

It's important to educate our employees on data classification. Below is how we classify data into four groups as part of our company data security policy.

| Classification Level | Summary | Damage to Company if Data Leaked |
|---|---|---|
| Public Data | Intended for public consumption | None |
| Internal Use Only | Intended for widespread company consumption, but not sensitive | Very minor to none |
| Confidential | Sensitive and intended for only limited persons | Considerable |
| Highly Confidential | Very sensitive, need-to-know, and limited distribution | Grave, severe |


Having a prescriptive and thorough data security policy available to all employees as a living document provides a valuable resource for asynchronous work. Engaging in ongoing education throughout the year helps build a secure culture and keeps this information top of mind for employees. This can be as simple as a quarterly email or addressing security-related questions at our monthly all-hands meeting.

Why Security Enables Innovation in Our API World
Given our roots as a developer company, modern tooling for software development is driven almost entirely through APIs. These integrate into Slack, which creates alerts and additional communication channels. While these integrations are hugely helpful, the best way to account for security is to have each candidate application vetted for security hygiene and assessed by our procurement and security teams before it is integrated into the network.

Identity and access management for your APIs in the cloud is vital whether you develop software or work on a different team. For instance, someone who isn't on an engineering team at MongoDB likely doesn't need access to our GitHub API in Slack. If there is an ad hoc reason, that request can go through the proper protocols to authorize only that user.

We believe identity and access management not only keeps us secure but also fosters greater innovation. Implementing secure processes into workflows and maintaining agile policies for your organization's tooling is one of the key parts of a security leader's job, but don't be surprised at how difficult and time-intensive it is.


Lena joined MongoDB with more than 20 years of cybersecurity experience. Before joining MongoDB, she was the global chief information security officer for the international fintech company Tradeweb, where she was responsible for all aspects of cybersecurity. She also served ...