Slack has announced a range of new security features, certifications and integrations, including a verification system that creates an additional obstacle for would-be phishing scammers attempting to infiltrate the workplace communication platform.
In June the company announced Slack Connect, which lets separate organisations create shared channels to communicate. Slack’s goal has always been to move people away from email, which is fraught with the risk of phishing attacks where scammers impersonate reputable companies.
Now Slack wants to create a verification system that will show a company is legitimate, in a similar way to Twitter’s blue tick system or Google Chrome’s padlock symbol.
It’s not clear at this stage how Slack will go about verifying organisations, though.
“This is not a feature we’ve released yet, so we don’t have all the i’s dotted and t’s crossed about exactly how we’re going to do that,” said Slack Chief Security Officer Larkin Ryder, adding that she takes the responsibility of getting it right “very seriously as the CSO at Slack”.
“If we’re going to say this organisation is XYZ company, we better know that it’s XYZ company.”
Slack’s verification feature is by no means a silver bullet – cyberattackers are renowned for adapting to new situations. In April, researchers found a vulnerability by which an attacker who obtained an incoming webhook URL – incoming webhooks let other applications post messages into a Slack channel – could hijack the webhook to carry out a phishing attack. Because anyone holding the URL can post through it, the URL has to be treated as a secret; an administrator can counteract an exposure by invalidating any webhook URL that has been made public.
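Revoking an exposed webhook URL first requires finding it. The scanner below is an added example, not Slack’s code or anything from the article: it searches text (source files, CI configuration, documentation) for strings matching the shape of a Slack incoming-webhook URL, reports where each one leaked, and produces the list of webhook IDs an admin would revoke. The URL shape follows Slack’s documented `https://hooks.slack.com/services/T…/B…/…` pattern; the exact token alphabet and length accepted by the regex, the file names and the file contents are all constructed for the example.

```python
"""Find Slack incoming-webhook URLs that have leaked into text so they can be revoked.

Added example (not Slack's code). Sample files below are constructed.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# Documented shape of a Slack incoming-webhook URL:
#   https://hooks.slack.com/services/T<workspace id>/B<webhook id>/<token>
# Assumption: the token is 20-30 URL-safe alphanumeric characters. A slightly
# loose match is deliberate so that near-variants are still reported.
WEBHOOK_RE = re.compile(
    r"https?://hooks\.slack\.com/services/"
    r"(T[A-Z0-9]{8,12})/(B[A-Z0-9]{8,12})/([A-Za-z0-9]{20,30})"
)


class Leak(NamedTuple):
    source: str        # file the URL was found in
    line_no: int       # 1-based line number
    workspace: str     # T... id, tells you which workspace is affected
    hook_id: str       # B... id, what the admin revokes
    redacted_url: str  # safe to put in a ticket or report


def find_webhook_leaks(name: str, text: str) -> List[Leak]:
    """Return one Leak per webhook URL found in `text`, never echoing the full token."""
    leaks: List[Leak] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in WEBHOOK_RE.finditer(line):
            workspace, hook_id, token = match.groups()
            # Keep a 4-character prefix so two leaks of the same hook can be correlated.
            redacted = (
                f"https://hooks.slack.com/services/{workspace}/{hook_id}/"
                f"{token[:4]}{'*' * (len(token) - 4)}"
            )
            leaks.append(Leak(name, line_no, workspace, hook_id, redacted))
    return leaks


def scan_all(files: Dict[str, str]) -> List[Leak]:
    """Scan a mapping of file name -> contents, preserving file order."""
    results: List[Leak] = []
    for name, text in files.items():
        results.extend(find_webhook_leaks(name, text))
    return results


def revocation_list(leaks: List[Leak]) -> List[Tuple[str, str]]:
    """Unique (workspace, webhook id) pairs: the admin's to-do list for invalidation."""
    return sorted({(leak.workspace, leak.hook_id) for leak in leaks})


def redact(text: str) -> str:
    """Replace the secret token in any webhook URL so the text can be committed or shared."""
    return WEBHOOK_RE.sub(
        lambda m: f"https://hooks.slack.com/services/{m.group(1)}/{m.group(2)}/REDACTED",
        text,
    )


# Constructed sample input: a CI config and a README that each pasted a webhook URL.
# The third URL is an ordinary Slack API endpoint and must not be flagged.
SAMPLE_FILES: Dict[str, str] = {
    "deploy.yml": (
        "notify:\n"
        "  slack_url: https://hooks.slack.com/services/T0123ABCD/B0456EFGH/abcdefghijklmnopqrstuvwx\n"
    ),
    "README.md": (
        "Post to the channel with curl:\n"
        "curl -X POST -d '{\"text\":\"hi\"}' "
        "https://hooks.slack.com/services/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\n"
        "Unrelated: https://slack.com/api/chat.postMessage\n"
    ),
}

if __name__ == "__main__":
    found = scan_all(SAMPLE_FILES)
    for leak in found:
        print(f"{leak.source}:{leak.line_no} workspace={leak.workspace} "
              f"hook={leak.hook_id} url={leak.redacted_url}")
    print("revoke:", revocation_list(found))
```

Run it over a checkout or a chat export and hand `revocation_list` to the workspace admin; the redacted report is what goes into the ticket, since reposting the full URL would just leak it again.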
In theory, a malicious hacker could also infiltrate a channel by duping an administrator into inviting them, although this is still a far smaller attack surface than that presented by email. Admins can also restrict how employees set their display names, which makes impersonation by display name much harder for organisations with the strictest settings in place. Slack’s verification feature would add a further safety net against phishing for its users.
“Scammers right now are in email because everyone is using email,” said Ryder. “And if everyone were using Slack, then the scammers would be in Slack. We have the advantage when building Slack of having 30 years of how not to do it via email.”
Another feature coming soon to Slack is Information Barriers, which will allow companies to restrict communications between specific users within the same company. This is designed to avoid conflicts of interests, such as in financial services.
Ryder gives the example of traders and analysts, who should not be communicating in case they game the market.
“What you don’t want is one of them seeing a data graph or spreadsheet that they can then share from their work environment within their [Slack] work environment,” said Ryder.
Of course, if individuals are intent on communicating when they shouldn’t, nothing stops them contacting each other outside Slack. Information Barriers is instead aimed at preventing accidental information sharing and at putting an additional hurdle in front of deliberate sharing.
“We just don’t want Slack to be a conduit within the work environment for people within an organisation who shouldn’t be sharing data,” said Ryder.
Slack’s other security announcements
Slack has also achieved FedRAMP Moderate authorisation, a US government standard for cloud service providers. It previously held Low authorisation; the new Moderate level will apply to both free and paying users.
“Moderate is a whole other level of comfort and access that government agencies and even defence contractors will now have using Slack,” said Ryder. “It certainly unlocks a lot of use cases for customers that weren’t available before.”
Slack has also made enterprise key management (EKM) available for Workflow Builder, the company’s set of tools for automating tasks within the platform. This extends encryption under customer-managed keys to all data added through a workflow, including form data and search queries.
The company also plans to provide EKM support for Slack Connect, which will allow its users to encrypt messages and files shared with external organisations using their own encryption keys.
In addition, it has added an integration with Splunk, which allows admins to “ingest activity” from Slack into the data monitoring firm’s dashboards.
In future, Slack plans to provide support for Microsoft’s Intune Mobile Application Management, which gives admins control over employee mobile apps to prevent corporate data leaks.
The workplace communication firm, which has enjoyed a surge in demand during the pandemic, has also given admins the ability to require employees to download a specific version of Slack, ensuring that the most up-to-date security patches are running.