Collaboration tools have become hugely popular with all kinds of businesses because they enable strategies like virtual teams and keep employees working tightly together no matter how far apart they might be physically. But whether it's a workflow-based utility such as Asana or a chat-oriented app such as Slack, these tools have also created new opportunities for cybercriminals looking to access your company's most vital information. Bad actors can infiltrate your collaboration software through application programming interfaces (APIs) or through accidental authorizations that leak private information outside of your organization. In other words, even if they're being hosted elsewhere, your collaboration tools might still be putting a huge security hole in your network.
Greg Arnette is the Director of Data Protection Platform Strategy at Campbell, Calif.-based Barracuda Networks, a security, networking, and storage products provider. We recently sat down with Arnette to discuss the sort of attacks that could happen via collaboration services and how businesses can protect themselves.
PCMag (PCM): Collaboration tools of all kinds are being adopted at a pretty rapid pace by all sorts of companies. What are some of the security-related problems that can arise from this?
Greg Arnette (GA): So, before we go into the sort of vulnerabilities involved, I think it's important to give an overview of what's happening right now. There are a number of different trends happening around collaboration and how it relates to what we're seeing today, with systems that are vulnerable to attacks that are then compromising people.
One of the trends is this massive migration of on-premises collaboration services moving to cloud alternatives. With that migration, you have an increased use of email and real-time messaging systems, such as Slack and Facebook Workplace and a dozen or so different platforms that are rising in popularity alongside of email. With this migration, companies are saving money and simplifying their internal IT infrastructure. Microsoft Office 365 and Google G Suite and Slack are becoming the system of record in many organizations. That will probably continue to play out for the next five years until I think there will be a big shift to people mostly doing things in the cloud as opposed to anything on-premises.
Now, couple that trend with the rise of APIs and artificial intelligence [AI]. That is creating a lot of good things but also an equal number of bad things. As companies migrate their collaboration systems from on-premises to cloud, they're using these new types of systems. An integration might be integrating an identity management service into Microsoft Office 365 so that you can get single sign-on. Or you could integrate a telephony service into the email system so that the calendar can add a bridge number to the next meeting invite.
PCM: These are all good things, of course. So where do the problems begin?
GA: This same tech is allowing the people that want to do harm to others to take advantage of these open APIs and these new systems of record. The bad actors of the world are also taking advantage of the innovations in cloud and using AI, machine learning (ML), and cheap cloud computing to sponsor attacks with these APIs. They're looking for vulnerabilities and mimicking user behavior so that they can get around the known defenses and infiltrate organizations using what were thought to be pretty secure defenses and to keep the bad stuff out.
So that's kind of a perfect storm of businesses wanting more convenience with the ability for bad actors to leverage these APIs and get into those systems. It's a race of a mutually assured destruction, basically.
PCM: Give us an example of a specific type of attack. Would a malicious actor create a seemingly harmless app for a program like Slack that an employee would be tricked into installing?
GA: An example of a malicious usage of the Slack API is you can develop a third-party Slack app that can bridge your Slack account with a customer relationship management (CRM) platform like Salesforce. Somebody in a company could download and install the app, and then this trojan Slack app—which appears on the surface to be a simple connector—can be easily authorized by an individual in the company. All of a sudden, now you have this little bot that's sitting on someone's workstation that can talk to both Slack and Salesforce and leak data out without the company's knowledge. And that's just one small example. You can apply this to virtually any platform that has an open API.
In the case of AI, the folks out there in the world that want to do harmful things are using AI to figure out how to exploit systems, gather data, and expose it to journalists and others. This is to cause problems and affect elections, affect economies, affect business stability, and so forth. This could happen in a lot of ways. It could be an ML model that is trained to look for specific information or a bot that appears to be a real person that could solicit the information from employees. There are all sorts of vulnerabilities that these collaboration tools open up for organizations.
Another trend that we see is departments and teams purchasing or implementing solutions that inadvertently connect public things to the private network that is outside the purview of the IT department. Since these collaboration tools have been adopted, IT departments have been having trouble trying to lock down who can actually install and run things in the company network in order to prohibit these types of connections from happening. If any employee is allowed to add an app to the company Asana team, it can be disastrous.
PCM: These attacks are scary, sure, but these are extremely useful tools. It's hard to imagine most businesses giving up these apps once they've had access to this sort of convenience. How should businesses keep themselves secure?
GA: That's absolutely true; these apps are here to stay. They've established that they can help make lives better in a work setting.
There are a couple things that...companies can do to stay secure. The first is ensuring that the IT department is aware of all the apps that are installed and all these third-party connectors that are installed into these apps. Make sure they've been reviewed or vetted by scrutinizing eyes to make sure that they're not actually Trojan-like attacks that were created to spook somebody into installing them.
The second thing that customers should be doing is vetting their supplier's security and compliance best practice standards. There's a great third-party website that helps IT departments do that vetting called Enterpriseready.io. You can go there and you can check out [your Software-as-a-Service or SaaS app] and see if it has all of the right controls in place to ensure a highly secure operating environment. So it's all about privacy, ensuring that there's a sufficient ability to lock down controls, that APIs have audit access, and that kind of stuff, so that we can be better vigilant.
On top of that, it's worth noting that a lot of these collaboration solutions have permissions controls to fight against this exact sort of thing. You can tighten permissions on what integrations can come through these apps and who controls them. If you configure these permissions, it saves IT a lot of the work of having to monitor what apps are installed.