A backdoor into your network: how to mitigate the risks of team collaboration guest accounts

Nextplane Inc.
6 min readJan 25, 2021

--

Team collaboration platforms trying to mitigate risk of guest accounts

Team collaboration tools are taking the world by storm. Platforms including Microsoft Teams, Cisco WebEx Teams, and Slack offer a breadth of functionality and user-friendly experiences that have hooked corporate workers. Employers also love them because the staff is happy and productive, driving a host of business benefits.

According to Nemertes Research, nearly 70% of organizations are now using a team collaboration application. Currently, 44.2% of organizations rely on guest accounts to enable external access to their team collaboration instances or allow their employees to use external team collaboration apps to connect with partner organizations.

Team collaboration guest accounts can be a ticking security time bomb: an unwitting vector for in-bound cyber-threats and outbound data loss. According to a recent New York Times article, cybersecurity experts say companies can track phishing attacks and malware all they want, but as long as they are blindly trusting vendors and cloud services like Microsoft, Salesforce, Google’s G-Suite, Zoom, Slack, SolarWinds, and others — and giving them broad access to employees and corporate networks — they will never be secure.

“These cloud services create a web of interconnections and opportunity for the attacker,” said Glenn Chisholm, a founder of Obsidian, a cybersecurity firm, “What we are witnessing now is a new wave of modern attacks against these modern cloud platforms, and we need 2021 defenses.”

As organizations end the year under a heightened state of cyber alert, they would do well in 2021 with a plan to tackle guest accounts as an under-reported risk to corporate assets. The answer is eliminating guest accounts from your team collaboration platforms without compromising your users’ need to collaborate with external partners, customers, and clients.

Threats are everywhere

The recently revealed state-sponsored attack campaign reminds organizations of the need for a comprehensive and continually evolving approach to risk mitigation. Russians targeted countless US government agencies and technology companies, NGOs, contractors, and other companies in the recent espionage raid. Many more victims are coming to light.

What does this tell us? Well, only part of the story. While state-backed operatives are getting increasingly bold and wide-ranging in selecting victims, there are even more threats facing CISOs from cybercrime groups, hackers-for-hire, and others. One security vendor alone blocked over 27.8 billion cyber-threats in just the first half of 2020.

That’s not counting the risk of human error, which can cause employees to accidentally send sensitive data outside of the organization or misconfigure IT systems to expose them to compromise or data leaks. According to Verizon, “misdelivery” and misconfiguration were in the top five types of data breaches in 2020, and “errors” were linked to nearly a quarter (2

Insider threats are taking their toll

One 2020 report claims that the cost of insider breaches has risen 30% since 2018, to stand today at over $11.4 million. It calculates that such incidents take over two months on average to contain. For these and third-party attacks designed to steal sensitive data and/or deploy ransomware, there are many potentially negative consequences, including:

  • Non-compliance fines (e.g., CCPA, GDPR)
  • Brand damage
  • Lost customers
  • A falling share price
  • IT productivity losses and costs (e.g., clean-up, remediation, and incident response)
  • Staff productivity hit
  • Legal costs

Guest accounts are a ticking time bomb

The challenge for CISOs is that guest accounts could present a previously unnoticed vector for cyber risk. Guest accounts allow users to invite ANY external users with a business or consumer email account, such as Gmail, to participate as a guest with full access to team chats, meetings, and files.

A recent survey of IT professionals reveals nearly half (49%) of companies use guest accounts. Security vendor McAfee analyzed its customer data and found that a typical organization added about 3000 guest accounts on Microsoft Teams between January-April 2020.

It’s the digital equivalent of letting an unvetted user walk straight past front-desk security and into your main building. There are several risks here, including:

Authentication problems: Compared to enterprise account password policies, guest accounts’ password policy in most cases only requires letters and numbers and does not include Two-Factor Authentication (2FA). It is also nearly impossible to control whether guests have robust security measures like password complexity check and password expiration.

User error: could lead to employees accidentally sharing sensitive material with guests they should not.

Malicious users: will find it easier to share sensitive documents with unvetted guests.

Offboarding: becomes a significant security issue. If third parties move on but retain access to your Slack platform, it could create considerable extra cyber risk.

Access from Unmanaged Devices or Untrusted Locations: Guest accounts can be used on unmanaged devices, potentially resulting in data loss.

Malware Uploaded via Guest accounts: File uploads from guests or unmanaged devices may contain malware.

Data Loss Via Teams Chat and File Shares: File shares can lose confidential data.

Slow Security is Worse Than No Security: Security actions need to be near real-time, or the data is already gone.

Inconsistent Control Across Applications: Policies should be consistent with data controls for other cloud apps and non-cloud controls such as file transfer via email, USB stick, and more.

Missing Risky Behavior Patterns: User behavior can indicate lost credential and rouge users, but these patterns are rarely reviewed

Simple Controls for a Complex World: Comprehensive and flexible controls are needed to ensure security without losing functionality.

There are also risks associated with allowing your employees to take on guest accounts from external third parties to collaborate with them. In so doing, they may be unwittingly exposed to malware or even carry malware into third-party environments. With no means for IT to track usage of this type of guest account, there’s also a risk of unintended or deliberate data disclosure.

How to eliminate guest accounts as a threat vector

There are several steps IT security bosses can take to help mitigate the threats outlined above. These include:

  • Blocking domains and setting allow lists so that users only collaborate with authorized users
  • Setting policies for unmanaged devices
  • Scanning content for malware when uploaded from third parties
  • Implementing robust data loss prevention (DLP) on team collaboration chat and file shares
  • Reviewing and blocking access to any risky third-party apps

However, this all takes time and considerable IT staff effort. For instance, as risks evolve, you need to review and adjust guest account policies. Plus, there’s no getting around the fact that IT can not regularly monitor the usage of guest accounts granted by external partners. In other words, you have to be right 100% of the time. But hackers have to right only one time.

A more straightforward solution would be to enable your users to communicate from within their preferred collaboration platforms in a secure and compliant manner without requiring them to invite outside colleagues by guest accounts. This is what NextPlane offers.

NextPlane-Collaborate Without Boundaries-Connect. Any Team. Anywhere.

NextPlane enables users on different team collaboration platforms to connect with their colleagues, clients, and partners inside or outside the enterprise.

Users can chat and DM each other with rich text, GIF, and emoji reactions, share presence status, participate in channels, and share files; without leaving their preferred platforms. That means:

  • There’s no need to buy expensive guest accounts for external collaboration
  • Your internal users can stay on corporate-controlled collaboration platforms, boosting security and compliance
  • Employee productivity is enhanced because your users and their external colleagues can stay on their preferred platforms
  • IT administrators are freed from making time-consuming decisions around guest account privileges and adjusting security policies

Using NextPlane, companies such as IBM, Western Digital, Amgen, Novo Nordisk, Ericsson, and Emerson, have eliminated guest accounts.

Please visit NextPlane to Learn more about eliminating the potential risks of guest accounts without negatively impacting your users’ need to collaborate with external colleagues, or book a free 30-minute call with a NextPlane expert.

Originally published at https://nextplane.net on January 25, 2021.

--

--