What You Need to Know Today About the Cyber Posture of Remote Collaboration Tools
Written by: Black Kite
Takeaways and Steps to Remediate
The new work-from-anywhere model has increased attention to third-party SAAS, in which businesses leverage more than ever before.
In this blog, Black Kite reveals vulnerabilities associated with commonly-used remote collaboration platforms based on their commercially facing domains and digital footprints.
A Primer into Remote Collaboration Platforms
A remote collaboration platform is a suite of business applications that enable team members to work together on different activities and projects. Collaboration platforms generally consist of tools for effective communication, document exchange, conferencing, and real-time assistance which overcomes collaboration hindrances in remote and decentralized teams. By using these tools, companies can keep all of their employees on the same page, save time and money, and identify problems at an early stage.
These platforms work in the Software-as-a-Service (SaaS) model—also known as cloud-based software—delivering on-premise options. As such, companies do not need to deploy servers, manage storage, or do any maintenance due to the software use. Companies get immediate access to the latest features with automatic upgrades, benefiting optimal performance.
Why does the “Security Posture” matter?
With increased use of remote collaboration tools, hackers have been pushing various attack vectors hoping to find cracks in a company’s ecosystem. The quantity of phishing attacks has skyrocketed over the last several months, as hackers are leveraging inherent vulnerabilities on third-party SAAS platforms that companies adapt such as VPNs, video conferencing apps, and event social media accounts as seen in the case of the Twitter hack.
It begins with the Digital Footprint
The cyber rating Black Kite assigns to these remote collaboration platforms provides security executives insight into the external security of third-party platforms.
This assessment uses 20 categories, ranging from Credential Management to Application Security, from Fraudulent Domains and Apps to Network Security, providing a holistic view on a company’s outside-in security posture.
Cyber Scores
The remote-work model motivated Black Kite researchers to take a closer look into the cyber security of remote collaboration and project management solutions.
We made a list of ten remote collaboration and project management solutions based on FinancesOnline and Origanimi’s Remote Collaboration Tools list, deriving a cyber score based on a passive non-intrusive scan.
Based on a passive, non-intrusive scan of the platform’s domain name, researchers were able to derive a comprehensive digital footprint including every related healthcare domain, subdomain, IP address, service, email, etc. Building upon the assets discovered in the digital footprint, common security issues were identified and a cyber security score was calculated for each platform.
Of ten remote collaboration platforms on our list, five of them have received ‘C’ grades, while the remaining five received a score of ‘B’.
Lowest Scored Categories
Of 19 categories analyzed, Website security (71), CDN Security (74) and Application Security (74) were the lowest scored categories on average.
Website Security is a special analysis of the company’s main website, with regards to different security categories. The score is determined from the website’s SSL/TLS Strength, Patch Management, the security of applications, its Web Ranking and Brand Monitoring.
How it applies to Collaboration platforms: This category is especially important when the collaboration platform is delivered through web browsers. SSL/TLS strength is crucial when employee-specific and company-confidential data is transmitted to and from the platform’s website.
Content Delivery Network (CDN) Security: A content delivery network is a large distributed system of servers deployed in multiple data centers across the Internet. Companies use CDNs for online libraries like JQuery.
Black Kite analyzes the CDN content to detect possible vulnerabilities. Some common findings in this category include vulnerabilities associated with bootstrap and jquery libraries.
How it applies to remote Collaboration platforms: Using JavaScripts for hacking through code injections or XSS become quite popular in hacker society. As seen in the famous hacker group “Magecart” attacks, hackers may leverage third-party javascript codes present on a collaboration platform’s website to ignite their attacks.
Application Security: Application level weaknesses on a platform’s website are analyzed in this category such as Cross Site Request Forgery, Cross Content Mixing, Plain Text Transmission of Sensitive Information etc of the domain sites.
How it applies to remote Collaboration platforms: Depending on the specific vulnerability, weaknesses in this category can allow an unauthorized third party to perform actions more frequently than expected. This could eventually lead to a denial of service on the platform web page, or could allow an attacker to create a malicious website that forges a cross-domain request to the vulnerable application.
Fraudulent or pirate mobile or desktop applications are used to hack or phish employee or customer data. This category searches for possible fraudulent or pirate mobile or desktop apps on Google Play, App Store and pirate app stores.
How it applies to remote Collaboration platforms: Fraudulent apps could be executed in email phishing campaigns that pretend to be from a platform’s IT desk, seemingly providing an update to the user. The links in an email could direct the user to a fraudulent app in an attempt to steal user credentials and other sensitive data .
Black Kite’s Findings: The Most Critical and Frequent Ones
DNS Amplification
As the most common finding on our list, this vulnerability spans most of the remote collaboration on our list. A domain name system (DNS) amplification attack is a popular form of distributed denial of service (DDoS) that relies on the use of publicly accessible open DNS servers to overwhelm a victim system with DNS response traffic. The attacker uses bots or a botnet to send DNS queries with a forged source address -targeted victim’s address- to a legitimate DNS server.
How a Hacker utilizes this vulnerability: A hacker might initiate a large response to the victim network by leveraging this attack, and in our case the remote collaboration or project management network and servers.
Steps to Remediate:
- Tighten DNS server security
- Block specific DNS servers or all open recursive relay servers
Takeaway: When successful, this type of attack makes the remote collaboration or project management portal unreachable and eventually disrupts a business’ communication activities.
Invalid, Incorrect, Expired or Self-Signed SSL Certificates
SSL protocol makes sure user information travels safely through the Internet in a secure manner if the certificate is trusted.
If an SSL/TLS certificate for the website is valid, it indicates two things:
- The channel is encrypted; hence, anyone eavesdropping over the network will end up with garbled information that can’t be read.
- Your browser is talking to the actual server and not an imposter.
If the certificate is invalid or expired, the users will no longer be able to communicate over a secure, encrypted HTTPS connection. The information will be transmitted in plaintext, leaving the users’ or a company’s data exposed to any attacker listening in on the network.
How a Hacker utilizes this vulnerability: It is perhaps one of the easiest vulnerabilities a hacker could exploit. A hacker can sniff the network to steal confidential information, like users’ credentials or company-sensitive data.
Steps to Remediate:
Check whether the
- The certificate is revoked or self-signed
- The certificate chain is broken
- The domain specified in the certificate does not match the website
Mitigate the reason(s) those apply to the system.
Takeaway: Lacking SSL controls on servers puts the privacy of the company content, user data, messages and transferred files at risk.
Vulnerable Jquery libraries from Content Delivery Networks (CDN)
Common findings in the CDN security posture of video conferencing platforms include vulnerabilities associated with bootstrap and jquery libraries the platform servers leverage. The problem is mainly associated with jQuery libraries of versions before 3.0.0. These versions are vulnerable to Cross-site Scripting (XSS) attacks.
How a Hacker utilizes this vulnerability: As seen in the famous hacker group “Magecart” attacks, hackers may leverage third-party javascript codes present on a collaboration platform’s website to ignite their attacks.
Steps to Remediate
- Always use secure and up-to-date version of CDN resources
- Never load CDN script via XMLHTTPRequests which may violate Cross Origin Resource Sharing (CORS) Policy
Takeaway: Know your SAAS vendors and their CDNs. Never execute responses from 3rd party origins by default and make it an option.
Fraudulent Domains
Fraudulent domains and subdomains are look-a-like domains mimicking a platform’s original site. Domain name scams are types of intellectual property scams or confidence scams in which unscrupulous domain name registrars attempt to generate revenue by tricking businesses into buying, selling, listing or converting a domain name.
How a Hacker utilises this vulnerability: Fraudulent sites could be used as part of a phishing campaign where cyber criminals could trick the company’s employees while giving away sensitive information (including PII).
Takeaway: Fraudulent sites could be used in phishing campaigns. Security awareness is the first line of defense in preventing users entering fraudulent sites. Integrating fraudulent domains as a blacklist to the company’s SIEM infrastructure may help as well.
Steps to Remediate
- Educate the (your) staff – security awareness is the first line of defense in preventing users entering fraudulent sites
- Continuously check for look-a-like domains on community services
Some Good Practices for Businesses
As the pandemic continues, many businesses will maintain a remote-working option, at least for a percentage of the staff. Attack surfaces extend with the proliferated use of these tools among employees.
Black Kite recommends several good practices in order to maintain the security of company data, the privacy of conversations, and reduce the attack surface.
- Keep an inventory of your SAAS vendors, including the meeting the apps
- Continuously monitor your SAAS vendors and assess their risk if possible
- Understand the encryption strategies for these platforms: whether there is an end-to-end encryption option or just the transport-layer encryption.
- Beware of files, messages sent through the platform
- Encrypt sensitive data / files offline before uploading it to the platform
- Check privacy policies
- Increase employee awareness
Black Kite’s platform aims to provide full visibility into a cyber ecosystem. It enables enterprises to continuously assess third-party risks, assigns a letter grade to each vendor, correlates findings with industry standards to inform compliance requirements, and determines probable financial impact if a third-party experiences a breach.
The Black Kite Platform’s intuitive interface compiles reports and communicates risks in qualitative, quantitative and easy to understand business terms for executives. The interface also allows IT-security teams to drill down to the technical details in each risk category.
Learn more at www.blackkite.com.
Featured image by Nathan Dumlao on Unsplash