Slack is quickly becoming the most popular tool for organizations to communicate – but does it pose security risks?
Expert Insights / Jun 01, 2020By Joel Witts
Slack is a collaboration hub for businesses that has
exploded in popularity over the last five years. It now has 10 million daily
active users, making it by far the leading platform for live chat within
businesses. Slack boasts that it’s being
used by ‘65 of the top Fortune 100’ companies. Their internal statistics tell
us that 85,000 businesses, from SMBs to large enterprises, are now using the
paid tier of Slack within their organization.
This huge number of users represents an opportunity for
hackers to utilize the platform to infiltrate networks and gain access to
sensitive data. So, how secure is the Slack platform and should your
organization be thinking of security solutions to protect this attack vector?
When Slack first launched in 2013, it was branded as a
friendly alternative to Microsoft’s team tools. You could communicate instantly
using this platform, with group messages and full conversation logs. This made
it instantly attractive to businesses looking for an easy to way to instantly
share messages, with integrations with other business apps.
However, in 2015 Slack
was hacked, revealing the holes in its security. The company announced that
over four days it’s systems had been hacked, compromising some of its users’
data. This included email addresses, usernames, encrypted passwords. Slack also
noticed some suspicious actives on user accounts, suggesting at least some
accounts became compromised. A
compromised Slack account from a CEO or executive level position could cause as
many security issues as a compromised email account. This hack led Slack to
implement two-factor authentication.
Just this week, another security vulnerability was uncovered
in Slack that allowed hackers to remotely exploit a vulnerability in slack to alter
where files sent though Slack are downloaded, allowing them to inject malware
or alter information, as reported by Threatpost.
This bug has now been patched, but the attack surface for Slack remains large.
Open Communities and Phishing attacks
Slack features ‘open communities,’
which allow large groups of people to communicate easily. Channels can be
opened with any individuals, and a username is all a user has to verify the
identity of the person they are speaking to.
This means that like email, Slack
has become a platform where users must be vigilant about looking out for
phishing attacks and spam messages. Because Slack is invite-only, users assume
that their workspace is secure, but this is not always the case.
In 2017, a group of hackers used an account pretending to be a ‘Slackbot’, which sent out a phishing attack directing people to a fake site where their financial details were collected.
These types of phishing attacks
through Slack could be potentially much more damaging than a similar campaign would
be through email.
In an interview with Expert Insights, President and CTO of SafeGuard Cyber Otavio Freire argued that “people have learned to distrust what they see in an email. But with new technologies, they haven’t experienced that reason to distrust yet.”
Slack themselves, while removing the infected accounts, have put the onus on security teams to protect themselves from phishing attacks telling Ethnews “we encourage team admins and members to be vigilant, and to review and enforce basic security measures.”
So how can business protect themselves while
Security solutions for Slack
Like email, Slack is an
incredibly useful and productive communications tool for businesses. Also, like
email, businesses will not stop using Slack because of the security concerns.
Slack has provided security vendors a way to create security solutions for Slack using their open source APIs. This has allowed vendors to create multiple security apps for Slack that can be easily be installed straight from the app browser menu within Slack itself. These solutions are an ideal way for businesses to protect themselves from security threats while using Slack.
Avanan, a vendor known for
their CASB solution, has created a security platform for Slack that provides URL
filtering, protects businesses from malware, identifies and blocks accounts
that have been hacked, and provides a full administration dashboard. This can effectively
protect businesses from phishing links and compromised accounts on Slack.
Other companies, like SafeGuard
Cyber, have established a platform for compliance, archiving and security on Slack.
This provides businesses with cyber defence by evaluating all Slack messages,
images, attachments and links for malicious content. It also provides them with
real time compliance but archiving messages.
All businesses should be considering the security of Slack
and the steps they can take to make sure their employees and sensitive data and
financial information sent through Slack is safe.
Simple steps to enhance the security of Slack are to make sure that no employees share any sensitive business information or private account deatails through Slack. Everyone should also be using two-factor authentication, to minimize the risk of account compromise.
Businesses’ should also consider using one of the security solutions outlined earlier in this article. If Slack is replacing email for your internal business communications, having an established security solution in place will become vitally important in protecting your business data.
About Expert Insights:
Expert insights is an independent review platform for Cyber
Security services. They offer to readers detailed and meticulously researched
product information written by industry experts, and independent end user
reviews. This helps customers looking for cyber security services make an
informed buying decision.