Enterprise Social Network (ESN) providers should be on alert in light of Slack's reported security breach last week.
ESNs are particularly vulnerable to database system hacks because their information is gold to corporate hackers, industry analysts told CMSWire.
“Social networking footprints are valuable to identity thieves because they come with all that biographical data like birth dates, localities and relatives, and all the additional descriptive stuff like your friendships that help to identify you,” said Steve Wilson, vice president, principal analyst and lead on digital privacy and safety for Silicon Valley-based Constellation Research.
“Skilled thieves,” Wilson added, “use this data to impersonate you at call centers and in online registration channels, to perpetrate fraud in your name. With workplace social networking, the game is much the same but the stakes are much higher.”
Hackers exposed the Slack database that stores profile information for platform users. That's bad news.
But Slack's not alone here, according to industry insiders.
Rickard Hansson, CEO and founder of Venice, Calif.-based enterprise social provider Incentive, told CMSWire the Slack breach “is not just a Slack challenge, but a SaaS challenge overall.”
“Slack, and other companies using the same deployment model,” he added, “will definitely experience another breach in the future and will have to add even more security measures.
“The reason is that in a multi-tenant environment, there is a ‘master key’ so a breach on that level can expose all of a company's clients and their data. With a single-tenant model, each installation is on its own.”
Simply, companies that store information that can be sold are at risk, said Edward S. Ferrara, vice president and principal analyst at Cambridge, Mass.-based Forrester Research.
And hackers are good at this. Really good.
“Hacking today is a ‘corporate’ effort,” Ferrara said. “By this I mean that the hacking groups are well-organized with well-defined business plans. They spend significant time and money developing target lists and move forward systematically and methodically to own those targets. Companies similar to Slack should be concerned.”
One insider, however, told us the vast majority of companies that store sensitive information are rarely hacked.
“Network and database security features tend to evolve with malicious intrusion methods,” said analyst Kevin Young of IBISWorld Procurement, based in Melbourne, Australia.
“But hackers have consistently demonstrated the ability,” he added, “to exploit previously unnoticed weaknesses in network architecture, as seen with Target and Home Depot, which were both highly protected.”
Other companies like Sony Pictures Entertainment had a vulnerable network structure and other weak features, Young said.
“They stored their passwords in a folder called ‘Passwords,’ and the password to access the folder was also ‘Password,’” he said. “With that said, it isn’t necessarily inevitable, but companies will have to take action by finding their vulnerabilities and investing in the proper protection early on.”
Forrester’s Ferrara called the Slack breach “common.”
But, he added, “what was uncommon was the information stolen was encrypted. Firms are just beginning to implement effective encryption on sensitive information assets, and the industry needs to do more of that.”
Did Slack Respond Well?
Slack officials said they made recent changes to their infrastructure and just released two new features:
- Two Factor Authentication (“2FA”; also known as “two step verification”)
- A “Password Kill Switch” for team owners, which allows for both team-wide resetting of passwords and forced termination of all user sessions for all team members
Young said Slack responded quickly, illustrating its “dedication to the security of user information.”
The provider “immediately rolled out Two Factor Authentication, which sends an access code to an authenticator program on a user device,” Young added. “Once the code is received, the user inputs both the access code and their original chosen password to access their account. The end result is that a hacker cannot obtain information with the password alone, thereby increasing barriers to entry.”
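To make the mechanism Young describes concrete, here is an added example of a login check that requires both the stored password and a current code from an authenticator app (RFC 6238 time-based one-time passwords). It is illustration written for this article, not Slack's code and not described by anyone quoted here; the in-memory user store, the PBKDF2 work factor, the clock-skew window and the sample secret (the RFC 6238 test-vector key) are all assumptions made for the example.

```python
# Added example: password + TOTP ("2FA") login check, standard library only.
# Not Slack's code. The user store, PBKDF2 parameters and sample secret are
# assumptions made for this illustration.
import hashlib
import hmac
import secrets
import struct

STEP = 30                 # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6                # code length shown by the authenticator app
PBKDF2_ROUNDS = 100_000   # assumed work factor for the password hash


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: what a database should hold instead of plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time."""
    return hotp(secret, int(now) // step)


def register(users: dict, username: str, password: str, totp_secret=None) -> bytes:
    """Create a user record with a fresh salt and (unless supplied) a random TOTP secret."""
    salt = secrets.token_bytes(16)
    users[username] = {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "totp_secret": totp_secret or secrets.token_bytes(20),
        "last_counter": -1,   # highest time-step counter already accepted
    }
    return users[username]["totp_secret"]


def login(users: dict, username: str, password: str, code: str, now: int, window: int = 1) -> bool:
    """Accept only the correct password AND a current, not-yet-used one-time code."""
    user = users.get(username)
    if user is None:
        hash_password(password, bytes(16))   # spend the same time for unknown users
        return False
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return False
    counter = int(now) // STEP
    # Tolerate +/- `window` steps of clock skew, but never a step already consumed:
    # a code captured from one login cannot be replayed for another.
    for c in range(counter - window, counter + window + 1):
        if c < 0 or c <= user["last_counter"]:
            continue
        if hmac.compare_digest(hotp(user["totp_secret"], c), code):
            user["last_counter"] = c
            return True
    return False


if __name__ == "__main__":
    db = {}
    pw = "correct horse battery staple"
    secret = register(db, "alice", pw, totp_secret=b"12345678901234567890")  # RFC 6238 test key
    now = 59
    code = totp(secret, now)
    print("password + valid code  :", login(db, "alice", pw, code, now))
    print("password, replayed code:", login(db, "alice", pw, code, now))
    print("password, no valid code:", login(db, "alice", pw, "000000", now))
```

Note what this check does and does not buy. A password copied out of a leaked database is useless without a code that is valid for the current 30-second step and has not already been consumed, which is the "barrier to entry" Young refers to. But the `totp_secret` sits in the same user record as the password hash, so a breach of the backend store hands an attacker both; that is the limitation Wilson raises below.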
2FA the Right Call?
As for Slack’s response, Wilson said the provider’s transparency is “very welcome.”
“It looks like,” he said, “they've also communicated with affected users directly and privately.”
Wilson did question the 2FA decision, saying he was “not convinced however by the technical advice to use Two Factor Authentication. It's a good idea, but it's a distraction from what's really gone wrong here. 2FA protects people to some degree from direct replay of their passwords, if their plaintext passwords have been stolen from a database. But 2FA does nothing to protect the backend databases at Slack or anywhere else from further breaches. So the corporate metadata, the project teams, the intelligence etc. is still at risk.”
A Slack spokeswoman today responded directly to that charge in an email to CMSWire:
“2FA is just one of the many security measures we have in place. Others include internal compliance processes, audits and physical access control, and continual review of our systems design and approach to technical operations. We launched 2FA and a password kill switch for team owners to help users and teams better manage the security of their own accounts. You can count on our commitment to the ongoing investment in and prioritization of Slack’s security.”
What should customers and potential customers know about the security of these kinds of providers?
Ferrara suggested asking how the company will store and use the information.
“They should ask if the information will be encrypted both ‘at rest’ and ‘in motion,’” he said. “They should also ask how the company plans to use the information and if they plan to share the information with any other company.”
Companies must take a step back and rethink security policies, Wilson said, adding, the security industry's methods for gauging and managing risk are “outmoded.”
“They're linear, formulaic, policy based exercises, born out of the ISO 9000 standard,” Wilson said, “and they cannot cope with the complexity of today's systems and the software stack. We're in an environment where speed to market is thought to be paramount. We even have this madcap ‘MVP’ movement which legitimizes corner cutting.”
Wilson is “pessimistic about security” in general, adding, "I fear that start up companies cannot have the same security establishments as traditional enterprises."
Title image by Dev.Arka