Maintaining a Circle of Trust

Campbell Murray


As news outlets report on yet another vulnerability impacting a popular application – in this case WhatsApp – it’s time that we ask ourselves: ‘With all the different methods we use to communicate for work, with friends and with family, which messaging apps can we really trust?’ Campbell Murray offers his views. 

WhatsApp recently patched a flaw detailed in CVE-2019-3568 where a buffer overflow vulnerability “allowed remote code execution via a specially crafted series of SRTCP packets sent to a target phone number.” Basically, an exploit of this vulnerability could allow a malicious actor to call a random WhatsApp number and plant spyware on the target’s phone.

Any app that works under the premise of accepting and acting on data from unknown and untrusted sources is a risk to end users.

One way in which consumers and enterprises can help guard against these types of attacks is having a closed ‘circle of trust’. This is something that BlackBerry’s end-to-end encrypted messaging platform provides. With BBM Enterprise, individuals and IT administrators control who they communicate with as an invite must be accepted before a message or call is sent or received. Enterprises can also require that all new contacts provide up-front manual proof of identity before any communication can occur.
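To make the 'circle of trust' concrete, here is an added example in Python that is not BBM Enterprise's or BlackBerry's code: a small model in which an inbound message is handed to the parser only after its sender holds an accepted invite, with an optional enterprise policy that refuses acceptance until an identity proof is on file. The contact states, the `require_identity_proof` policy flag, the identity-proof string and the sample sender names are all assumptions constructed for the illustration.

```python
"""Contact-gated inbound message handling (added example, not BBM's code).

A message or call is processed only if its sender has an accepted invite.
Anything else is rejected before the payload is parsed and the rejection is
recorded for the administrator, which is the point of a closed circle of trust:
untrusted data never reaches the (historically bug-prone) parser.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class ContactState(Enum):
    PENDING = "pending"      # invite sent or received, not yet accepted
    ACCEPTED = "accepted"    # both sides agreed; messages flow
    BLOCKED = "blocked"      # explicitly refused; later invites are ignored


@dataclass
class Contact:
    identity: str
    state: ContactState
    identity_proof: Optional[str] = None  # hypothetical admin-verified proof, e.g. an employee id


@dataclass
class CircleOfTrust:
    require_identity_proof: bool = False  # assumed enterprise policy knob
    contacts: Dict[str, Contact] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def receive_invite(self, sender: str, identity_proof: Optional[str] = None) -> None:
        # Invites are never auto-accepted; they only create a pending entry.
        existing = self.contacts.get(sender)
        if existing is not None and existing.state is ContactState.BLOCKED:
            self.audit_log.append(f"invite from blocked sender {sender} ignored")
            return
        self.contacts[sender] = Contact(sender, ContactState.PENDING, identity_proof)

    def accept(self, sender: str) -> bool:
        """Promote a pending contact to accepted; enforce the identity-proof policy."""
        contact = self.contacts.get(sender)
        if contact is None or contact.state is not ContactState.PENDING:
            return False
        if self.require_identity_proof and not contact.identity_proof:
            self.audit_log.append(f"acceptance of {sender} refused: no identity proof")
            return False
        contact.state = ContactState.ACCEPTED
        return True

    def block(self, sender: str) -> None:
        self.contacts[sender] = Contact(sender, ContactState.BLOCKED)

    def is_trusted(self, sender: str) -> bool:
        contact = self.contacts.get(sender)
        return contact is not None and contact.state is ContactState.ACCEPTED

    def handle_inbound(self, sender: str, payload: bytes) -> Optional[str]:
        """Return the decoded message for trusted senders, None otherwise.

        The payload is not touched until the trust check passes, so a
        malformed packet from a stranger never reaches parse_message().
        """
        if not self.is_trusted(sender):
            self.audit_log.append(f"dropped {len(payload)} bytes from untrusted {sender}")
            return None
        return parse_message(payload)


def parse_message(payload: bytes) -> str:
    # Stand-in for the real media/signalling parser; strict decoding so
    # malformed input fails loudly rather than silently.
    return payload.decode("utf-8", errors="strict")


if __name__ == "__main__":
    # Constructed scenario: a stranger is dropped, a colleague is accepted.
    circle = CircleOfTrust()
    print(circle.handle_inbound("stranger", b"hi"))        # None: no invite
    circle.receive_invite("colleague")
    print(circle.handle_inbound("colleague", b"hi"))       # None: still pending
    circle.accept("colleague")
    print(circle.handle_inbound("colleague", b"hi"))       # 'hi'
    print(circle.audit_log)
```

The design choice worth noting is the ordering inside `handle_inbound`: the trust decision is made on the sender identity alone, before any byte of the payload is interpreted, so the parsing surface exposed to unknown senders is zero rather than "whatever the parser can survive".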

Additionally, because BlackBerry doesn’t monetise data, BBM Enterprise will not ask for a phone number or suggest contacts to users, nor does it need to know where users are messaging from or what’s being shared. It’s private, secure, meets regulatory standards, and the end user retains total control over their data and who they communicate with.

What this means for Enterprises

Businesses should ensure employees are sharing sensitive data securely through the correct channels, and have controls in place to protect against malicious actors gaining access to that data via vulnerable applications.

As the digitisation of the workforce has gained pace, we’ve seen a rapid increase in the use of consumer applications in enterprise and public sector environments. Just last year, NHS England relaxed rules around the use of messaging apps, allowing doctors and clinicians to share personally identifiable information over WhatsApp and other consumer-grade tools.

As citizens, we should expect that the security of our private healthcare and financial information is held to a higher standard.

The benefits of being increasingly connected are vast. The possibilities range from connected devices making our homes more comfortable through to contactless payments for quick on-the-go financial transactions or even smarter, data-driven healthcare devices delivering more personalised levels of care.

However, without trust, the promise of the IoT will not be realised.

Building trust on three pillars

We’ve long recognised that trust is built on three pillars: security, privacy and control. This is why we build them into everything we do, whether enabling organisations to embed secure communications capabilities into apps or providing individuals with end-to-end encrypted messaging capabilities.

Unfortunately, exploits like the WhatsApp episode will happen again, which is precisely why enterprises and consumers need to ask themselves key questions: ‘How much is my privacy worth?’ ‘Am I doing everything I can to protect it?’ ‘Are the companies that collect and store my information doing everything they can to protect it?’

Campbell Murray is Global Head of Cyber Security Delivery at BlackBerry

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
