What You Need To Know About Slack’s Security Vulnerability And What To Do Next

As your users adopt new tools like Slack, your IT security processes need to keep up. In particular, assessing and managing Slack's security vulnerabilities matters more with every team that comes to depend on the tool.

Slack Security Vulnerability In The News

Computer Weekly recently reported a significant Slack security problem identified by security researchers:

“The vulnerability centres on Slack’s incoming webhooks, which let users post messages from various applications to Slack. If the user specifies a unique URL, a message body text, and a destination channel, they can send a message to any webhook that they know the URL of in any workspace, regardless of their membership.”

In other words, the webhook URL is the only thing that authenticates a post. Anyone who obtains it can write messages into the target channel without being a member of the workspace, bypassing the access controls you would normally rely on. Even worse, there are more than 100,000 public Slack webhook URLs on GitHub as of this writing. Assessing and mitigating this problem therefore takes a few steps.

Start by assessing your organization's Slack usage. If there are few or no Slack users in the organization, there is little you need to do at this point. On the other hand, if Slack is a crucial collaboration tool for most employees, you should take further action. Specifically, review the technical findings in the Computer Weekly article. You should also search public sources such as GitHub to determine whether webhook URLs or other potentially sensitive data from your organization's Slack implementation are in public view. If they are, removing the file from public view is only the first step: a webhook URL that has been public must be treated as compromised, so remove or regenerate that webhook in Slack's app configuration, which stops the old URL from working, and then update the integration that used it.
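The GitHub search described above is easier to run systematically with a small scanner. The following is an added example written for this article; it is not code from the article, from Slack, or from the researchers cited. It assumes the documented incoming-webhook URL shape (https://hooks.slack.com/services/T<team>/B<webhook>/<token>), and the sample files, workspace IDs and tokens in it are constructed for the demonstration. It extracts each URL, separates documentation placeholders from real-looking hooks, tells you which hits belong to your own workspace (by team ID) and which belong to someone else, and masks the secret segment so findings can be pasted into a ticket.

```python
"""Scan text for leaked Slack incoming-webhook URLs.

Added example for this article; it is not code from the article, from Slack,
or from the researchers cited. It assumes the documented URL shape
https://hooks.slack.com/services/T<team>/B<webhook>/<token>. The sample
inputs below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass

# Documented shape of an incoming-webhook URL. The T... segment is the workspace
# (team) ID, the B... segment identifies the webhook, and the trailing token is
# the only secret: whoever holds the full URL can post to the channel.
WEBHOOK_RE = re.compile(
    r"https://hooks\.slack\.com/services/"
    r"(?P<team>T[A-Z0-9]{8,})/(?P<hook>B[A-Z0-9]{8,})/(?P<token>[A-Za-z0-9]{20,})"
)


@dataclass(frozen=True)
class Finding:
    source: str      # file name, repo path, search hit, ...
    line_no: int
    team_id: str
    hook_id: str
    url: str

    def redacted(self) -> str:
        """Keep enough to identify the webhook, mask the secret for tickets/chat."""
        return self.url[: self.url.rfind("/") + 1] + "*" * 8

    def is_placeholder(self) -> bool:
        """Documentation examples use all-zero IDs or a single repeated token character."""
        token = self.url.rsplit("/", 1)[1]
        return (
            set(self.team_id[1:]) == {"0"}
            or set(self.hook_id[1:]) == {"0"}
            or len(set(token)) == 1
        )


def scan_text(source: str, text: str) -> list[Finding]:
    """Return every webhook URL in `text`, one Finding per match."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in WEBHOOK_RE.finditer(line):
            findings.append(Finding(source, line_no, m["team"], m["hook"], m.group(0)))
    return findings


def triage(findings: list[Finding], own_team_ids: set[str]) -> dict[str, list[Finding]]:
    """Sort findings into documentation placeholders, our workspaces, other workspaces.

    Anything in "ours" is a credential to revoke in Slack, not just a file to
    delete; anything in "others" is a disclosure owed to the affected workspace.
    """
    buckets: dict[str, list[Finding]] = {"placeholder": [], "ours": [], "others": []}
    for f in findings:
        if f.is_placeholder():
            buckets["placeholder"].append(f)
        elif f.team_id in own_team_ids:
            buckets["ours"].append(f)
        else:
            buckets["others"].append(f)
    return buckets


# Constructed sample files: a CI config with a real-looking hook, a README with
# Slack's documentation placeholder, and a shell script belonging to a third party.
SAMPLE_FILES = {
    "deploy/ci.yml": (
        "env:\n"
        "  SLACK_HOOK: https://hooks.slack.com/services/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\n"
    ),
    "README.md": (
        "Set SLACK_WEBHOOK to your URL, e.g.\n"
        "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX\n"
    ),
    "tools/notify.sh": (
        "#!/bin/sh\n"
        'curl -s -X POST -H "Content-type: application/json" '
        '--data \'{"text":"deploy done"}\' '
        "https://hooks.slack.com/services/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\n"
    ),
}

OWN_TEAM_IDS = {"T0A1B2C3D"}  # assumed workspace ID of "our" organization


def run_demo() -> dict[str, list[Finding]]:
    findings = [f for name, text in SAMPLE_FILES.items() for f in scan_text(name, text)]
    return triage(findings, OWN_TEAM_IDS)


if __name__ == "__main__":
    for bucket, hits in run_demo().items():
        for f in hits:
            print(f"{bucket:12} {f.source}:{f.line_no}  team={f.team_id}  {f.redacted()}")
```

In practice you would feed `scan_text` the files from a repository checkout, a search result, or a git diff in a pre-commit hook, and populate the set of your own team IDs from your Slack admin console. Note that a hit in the "ours" bucket is a live credential until you remove the webhook in Slack; deleting or rewriting the file in GitHub does not revoke it.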

Finally, you may need to review and refresh your company’s IT security training. Some organizations choose to provide a high-level principles-based approach to IT security in training materials. That approach has the advantage of rarely requiring updates. However, it puts more strain on employees to use their judgment and imagine different kinds of security risks. Therefore, you may wish to provide a “security tips and tricks” focused training session to employees with administrative oversight for Slack.

The steps above will help you measure and address this recently discovered Slack security vulnerability. However, eliminating a single instance of a vulnerability is not good enough. Slack is likely to release an update that reduces this particular risk eventually, and new security issues will keep emerging in Slack, Microsoft Teams and the other software you rely on. What you need is an evergreen process that limits the impact of any given vulnerability.

Security Vulnerability Minimization: Reduce The Potential For Damage

While addressing specific Slack security vulnerability problems is helpful, it is unwise to focus entirely on one product. After all, you can experience security problems in any software or part of your infrastructure. That’s why we recommend developing a comprehensive process to minimize the impact of security vulnerabilities.

With this approach, we start with the assumption that we will never be able to detect and prevent every security issue. For example, SaaS apps purchased outside of the central IT process may not be monitored closely. As a result, you need a process that limits risk and the potential for problems like data loss.

To minimize the impact and likelihood of a security vulnerability hurting your company, use these steps.

1) Create an inventory of your top 10 most heavily used applications

This listing will initially focus on your critical applications. For instance, if your entire team uses Slack every day, Slack needs to be on the list. Likewise, you might decide to add Zoom to your list if that is a crucial tool.

2) Assess the security vulnerability and update processes available for each tool

Technology companies vary widely in the quality and quantity of the security updates they provide. On the one hand, Microsoft is known for providing a regular stream of updates. Other companies may not have that level of discipline. For companies with a regular security update schedule, make a recurring calendar note to check for updates on their website.

What about those applications and tools that have no defined process for releasing security updates? The next step is simple: Reach out to your contact at the company and ask some questions! For example, share the Slack security vulnerability highlighted in this article to start a discussion. Ask them if they will communicate and provide security updates to you.

3) Apply a second line of defense with access management

For the Slack security vulnerability described above, one way to limit the damage is to augment the controls in Slack with a second, company-wide layer of access management. For example, you could use Compliance Auditor to verify that all access permissions currently in place are reasonable. The tool makes it easy to detect security exceptions and manage them. By adding this layer of defense, you reduce the impact of any specific security vulnerability.

4) Leverage outside reviews of security vulnerabilities

Large security-conscious companies such as banks may have the resources for a full-time vulnerability management professional or team. In other cases, that level of specialization is not a realistic option. In that situation, we suggest contracting with a specialized consultant to perform a periodic review of all of your applications to detect problems.

What To Do Next To Improve Your IT Security

Once you get Slack security vulnerability management under control, celebrate for a moment! You have closed a significant gap. Next, you need to find the next major weakness in your organization. If you are like most IT security department leaders, you probably have a mile-long wish list of security project ideas. There's just one problem: you are unlikely to get a considerable boost in your budget or staffing levels. Therefore, you need to find ways to increase your staff's productivity so you have more capacity to take on improvement projects. If password resets take up a lot of your staff's time each week, cut down on that work. Use a chatbot tool like Apollo to handle these requests, and your staff will have a few more hours each week for significant new projects.

Written by Nelson Cicchitto