Cyber Threats
How To Secure Slack for Remote Teams and Work from Home Employees
Cloud-based Slack has become an integral part of many teams’ daily functions and interactions. But with all the corporate data and potentially confidential information being shared via Slack, have you stopped to think about its security?
The events of 2020 have impacted all aspects of our lives, including the way we work. However, employees in this new remote workforce have different needs to get their jobs done effectively. The inability to hop in a conference room to collaborate or communicate across the cubicle wall can make it tough to get work done as quickly or easily as in the past.
Enter Slack.
The newly acquired cloud-based communication platform has become an integral part of many teams’ daily functions and interactions. In fact, the company claims more than 12 million daily active users, including those from 65 of the Fortune 100.
A lot might change after the acquisition closes and Salesforce fully absorbs Slack, however, this will likely take quite a while.
Either way – before the integration and after – there is a lot of corporate data and potentially confidential information being shared via Slack. But have you stopped to think about its security?
In case you haven’t, no worries. We did a deep dive on Slack security to see how it holds up to scrutiny. This post shares some of the key security changes that help keep your business information safe, and the three big questions to keep in mind when securing your Slack workspaces.
Slack security in 2020
If you’ve ever googled some iteration of, “How secure is Slack?” the search returns a lot of results. The large number of results touting all the ways Slack is not secure may have caused a mild panic.
But don’t fret. Slack has taken significant steps to improve the overall security posture of their platform.
Updates to Slack security have addressed some of the root causes of past breaches and leaks. Two big changes that improve the platform’s overall security:
- Identity and device management
- Encryption at rest and in transit
Admins can use access logs to make sure rogue or malicious users aren’t hopping in their workspace. This is also useful for verifying normal user behavior for your workspace.
Single sign-on integration helps ensure that only people in your organization using approved devices can access the workspace. It also prevents former employees from accessing data after they leave the company.
Encryption has also been a hot-button topic surrounding all communications platforms recently. Slack has responded with force, encrypting all data at rest and in transit. There is also an option to take your company’s encryption up a notch with Slack Enterprise Key Management (EKM). It uses AWS Key Management System (KMS) to give admins total control over data access within a workspace. Access to encrypted messages, files, and even search history can be granted or revoked at a granular level using your own keys with no usability impact or downtime.
These security-focused updates and additions have been released over time. The current version of Slack for Windows and Mac is 4.11.1 at the time of writing, but they released the last major update in March with version 4.4.0. Everyone should be running at least this version; most major security updates were introduced before March 2020.
Here is a timeline of some of the most significant security updates and when the dates Slack introduced them.
- April 2020: This update allowed app developers to add Security & Compliance info in a dedicated tab on the app’s page in the Slack App Directory (https://slack.com/apps). It also featured an easier app review process to decide if it makes sense for your workspace.
- February 2020: This update discontinued support for TLS versions 1.0 and 1.1 so that any request sent to Slack from a service that has not upgraded to TLS 1.2 fails.
- January 2020: This update added a feature that remotely signs members out of Slack in case an employee’s device is lost or stolen.
- October 2019: This update featured a consolidated view of app permissions, making it easier to see what permissions an app requires.
- July 2019: This update added MFA options for mobile users of enterprise accounts. Also, it restricted single sign-on permissions only to Workspace and Org owners in Enterprise Grid organizations.
- March 2019: This update introduced the Slack Enterprise Key Management tool.
Nearly every monthly update in 2020 has included a security-related feature. For example, the September 2020 update added EKM encryption options for Slack Connect (https://slack.com/connect), a feature that allows companies to connect channels with other organizations.
Given the continued work-from-home trends and the current state of uncertainty, we anticipate this focus on security continuing into 2021.
What security questions should you be asking to protect your Slack workspace?
While the security focus of Slack is hugely beneficial, no software is ever totally secure. Here are the main things to consider if your company uses Slack and ways you can minimize the related risk.
- What are you connecting to the workspace?
A primary concern with Slack is related to apps. The double-edged sword of connectedness means Slack can integrate with anything through an app, and anyone can write an app for the App Directory or their own workspace. Fortunately, Slack puts the apps through a security review process before they are made publicly available. But as with any software, there will always be bugs, and unsecure apps will inevitably slip through the process.
Another positive change is that Slack apps and bots now operate similarly, including admin controls. This gives admins greater control over what can be added to a workspace, or allow admins to restrict user additions. This also gives them control over what apps can access, which has been a security concern.
How to minimize the risk:
Just like with mobile apps, check who published the app in the App Directory. If you want to add O365 integration to Slack but you find an app that wasn’t created by Microsoft, it may not be the right app for you.
Regardless of the developer, always check what permissions the app requires. In our analysis, Slack app permissions are very extensive — even going so far as granting universal read-write access that acts as the user. Whatever the permissions are, you have to decide whether it presents an acceptable level of risk for your business.
- How do users access and interact with the workspace?
Phishing can take many forms when it comes to Slack. An attacker can phish credentials to gain direct access to a Slack workspace. With some open-source intelligence gathering (OSINT) upfront, a threat actor might be able to determine who the admin is for a workspace or Enterprise Grid account, providing the attacker with the highest level of access from a phishing attempt.
Now that Slack is more secure than in the past, gaining access to user credentials is the easiest way for an attacker to abuse the platform. Credentials can be also be bought or reused from other breaches, but phishing is more likely to be successful.
Successful phishing attacks may also impact Slack users indirectly. For example, if a malware-infected file is uploaded to Slack by accident, thus infecting anyone who downloads and opens the file. The same idea applies to a bad URL or a user sharing a contest or form to fill out, not realizing it’s a scam.
How to minimize the risk:
Phishing is tough to stop because social engineering is such an effective entry point for all kinds of attacks. Criminals preying on people’s base instincts are harder to stop with technology. Therefore, educating employees helps improve awareness of phishing attempts. Effective employee education campaigns are a whole different topic, but there are ways to do this to avoid this common threat.
Multi-factor authentication (MFA) and single sign-on integrations can also limit the effectiveness of a successful phish.
- What information is being shared?
Is critical or secret business information being shared via Slack? This could be customer data, developers sharing code, employee data, etc. If an attacker gains access to a workspace, this data is at risk. With admin credentials, an attacker could view all messages and files in a workspace — even in private channels, depending on the admin settings.
Second, is Slack information being shared externally? This primarily happens in the form of webhooks and API keys, which we found in abundance on GitHub. AT&T Alien Labs published a great proof of concept that demonstrates how an attacker could abuse webhooks.
How to minimize the risk:
Developers need to be aware of the risks of publishing passwords, keys, and webhooks in their code. Companies should also scan for these secrets in case they have been leaked by accident in a public code repository.
This is a good example of how Slack EKM can be useful. Deeper, more granular control over access to sensitive information enables admins to keep sensitive content shared in Slack private and protected.
One word of caution: As with any AWS service, KMS is designed with security in mind, but settings and configurations can be changed that compromise its security. We also found thousands of KMS keys published in GitHub and even Shodan.
Trend Micro’s Cloud One – Conformity ensures that AWS services are securely set up and managed. It has 11 checks for AWS KMS to alert you if anything is off with how it’s set up or for possible key misuse.
Overall, Slack has been responsive to security issues and continues to make security-minded updates. While Slack works to secure the platform’s technology and infrastructure, it is up to admins to understand the controls and know what security options are available.
Underestimating the risk of credential abuse, accidental exposure, or leaked information can lead to real problems. For those who dig into the capabilities and security controls Slack offers, their organizations can use the platform with confidence.
It will be interesting to follow the security side of the acquisition of Slack by Salesforce. I look forward to seeing how they handle security in the combined world of Salesforce with Slack built-in.