Security Think Tank: What CISOs can learn from Signalgate

Lessons Learned from a Signal Security Breach

As cybersecurity professionals, we witnessed a concerning event last month when classified information about American military operations leaked through Signal after a journalist was mistakenly added to a high-level group chat.

It’s important to clarify that Signal’s encryption did not fail in this situation. The security features performed as intended. This incident was not a result of a technical breach but rather a case of human error.

Analyzing the Security Mishap

A high-level government official accidentally added a journalist instead of a fellow officer to a Signal group discussing sensitive operations. Classified information was shared for nearly 18 hours before the mistake was noticed, leading to screenshots being taken and the information becoming public.

This incident highlights a series of security failures that were not related to Signal’s security capabilities. It’s akin to hosting a top-secret meeting in a public park instead of a secure location.

Key Takeaways for CISOs

1. Shadow IT poses a significant risk.

2. Segregate personal devices from classified information.

3. Enhance the user interface to prevent errors.

4. Provide comprehensive training on secure practices.

Is Signal Still Secure?

Despite the incident, Signal remains a highly secure messaging platform. The issue stemmed from mismanagement rather than a flaw in Signal’s security measures.

Choices for Secure Communication

For sensitive communications:

1. Use secure systems over consumer apps.

2. Implement strict access controls.

3. Utilize dedicated devices for classified information.

4. Incorporate visual cues and confirmation processes.

For general business communications:

1. Establish clear tool usage policies.

2. Create distinct groups with proper naming conventions.

3. Conduct regular security audits.

4. Opt for enterprise versions of messaging platforms.

5. Provide ongoing training on secure communication practices.

Dealing with the Human Element

This incident serves as a reminder of the impact of human error on security. It emphasizes the need to understand human behavior and design systems that align with it. Security is not solely about technology but also about working with human nature to enhance protection.

Javvad Malik is lead security awareness advocate at KnowBe4
