Shulou(Shulou.com)06/01 Report--

In terms of sensitive data exposed, Slack violations would be a nightmare. Here is how to lock the Slack workspace.

As a popular enterprise workspace collaboration tool and IRC cloning, Slack does not provide end-to-end encryption, which makes any damage to Slack servers potentially catastrophic to users around the world. If the internal Slack conversation is leaked, you or your organization will suffer serious damage, then it's time to consider encrypted Slack alternatives, or to reduce risk by locking down your Slack workspace. We interviewed technical expert Andrew Ford Lyons (Andrew Ford Lyons), who works on digital security for high-risk groups at Internews in the UK.

While none of these techniques can fully protect you from Slack vulnerabilities or other threats to the confidentiality of your Slack workspace, they can reduce some of the inevitable disasters.

1. Enable two-factor authentication (2FA)

Slack can provide 2FA, use it, if the Slack is breached, it will not protect you, but it will make it difficult for attackers to attack you or your organization.

Slack supports Google authenticator, Duo Mobile, Authy, 1Password, and (in rare cases using Windows Phone) Microsoft Authenticator, depending on which mobile device you are using. Slack also supports SMS 2FA, and if not, try not to use it. Although any 2FA is better than none, SMS 2FA is far less secure than using soft tokens.

There is currently no sign that hard tokens, such as Yubikey, support Slack. Yubico, a leading maker of hard tokens, announced support for mobile devices in January. Large organizations concerned with account security may provide a friendly explanation to Slack, asking when Yubikey support is needed.

A 2FA problem: make sure that mandatory 2FA is turned on, because Slack turns this setting off by default.

Even in organizations that do not include phishing, threat models can cause accidents. "has anyone walked around with Slack without 2FA and lost their phone?" Lyons asked.

two。 Say no to non-critical third-party integration

Slack provides a large number of third-party application integration. Although Slack checks the appropriate permissions and data access for all third-party applications, each additional integration increases the overall attack surface of the organization. Take them off unless you have to need them.

In 2016, more than 1500 Slack access tokens hard-coded into open source projects were found on GitHub. "such tokens provide access to chat, files, private information and other sensitive data shared within the Slack team, and these developers or robots are members of the Slack team," our colleagues at PC World said at the time.

"if I talk to you and you integrate crazily, it will affect my conversation with you," Lyons said.

The network effect of integrating multiple work tools means that any one of them affects the security of all tools. Hypothetical violation and division. Organizations that choose to accept a riskier Slack workspace for a slight productivity advantage should keep their eyes open and be aware of the risks.

3. Turn off Slack email notification

If you are concerned about the confidentiality of the Slack workspace, turn off Slack email notifications. In the Slack channel, each mention of a user goes to the user's email inbox, or is displayed as a push notification by default. Users can turn off this default value, and administrators can enforce this setting in a higher pay tier.

"even if email notification for Slack is turned off completely, email is a weakness in Slack security because this is where the password reset and account recovery process takes place," Lyons said, noting that 2FA should be deployed on Slack and the corresponding user's email account.

One of the biggest advantages of Slack is that it is far more available than cc dozens of people in a single email. Separate Slack from email as much as possible.

4. Human factors: choose Slack participants wisely

Mankind is always the weakest link. Choose the channel for whom you allow to join Slack. Do this on the basis of what you need to know. Withdraw an inactive member or employee after a period of time. The fewer people who have access to sensitive information, the less likely it is to leak it. The 500 employees work on the internal Slack channel, just like working in the cloud, for the world to see.

Setting automatic session logout instead of unlimited login sessions allowed by Slack can help clear inactive accounts. However, Leon warns not to set the session too short, as users will find it very annoying, especially on mobile devices.

Use guest accounts for contractors or users who need limited access in a relatively short period of time. "if you are my customer, I can give you a guest account for a channel, but you can't see anything else, it will expire in a month or two, and anything set up will expire," Lyons said.

Encryption is very useful for protecting messages, but it does not repair human nature. The relaxed message is not short-lived. Think about what you are typing, where you are typing, and the permanence of your words. After all, an attack on Slack, a phishing colleague, or an internal rascal, won't hurt you because of words you didn't type in the first place.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.