Caute_cautim
Community Champion

Why is ISC2 Communities stating we should use Whatsapp?

Hi All

I cannot fathom a security community (ISC2) sanctioning the use of WhatsApp for building secure groups or related communities. If you want to create a relatively secure community, use "Signal"; at least it has some security controls and is not owned by an organisation which actively sells information for advertising purposes.

Within my own organisation, we are not permitted to use it for official business purposes, and, as seen recently, JP Morgan were seriously burnt too: https://www.thetradenews.com/jp-morgan-fined-125-million-over-staff-using-personal-emails-texts-and-...

I may be speaking out of turn, but surely we must set a good example for others as practicing security practitioners professionally?

We all use LinkedIn, Twitter and other social media outlets, and in many cases they are sanctioned by our own organisations too.

Surely we won't sanction the use of Tik-Tok, owned by the Chinese, as a good idea?

Others' thoughts, please?

I need a sanity check.

Regards

Caute_Cautim

7 Replies
dcontesti
Community Champion

Nah, you don't need a sanity check. For me, I totally agree with you... just seems bad form.

I agree that, as a Security Certification body, (ISC)2 should be following, err, change that to "Leading the industry in Best practices", and not using tech that has been hacked or is easily hackable.

d

Caute_cautim
Community Champion

Hi All

To enlighten everyone, here in New Zealand we received our invitation to provide our annual report for ISC2, along with a number of suggestions. Our Secretary, as usual, put out a reminder to all Auckland Chapter Officers to report back and provide suggestions.

One of the questions asked for the Annual Report submission was:

"Why don’t we have a WhatsApp group – ISC2 are asking?"

I feel there is a disconnect between those security practitioners and perhaps the administrative staff within ISC2 in the perception of Facebook, now named Meta, and its social media tools, i.e. Facebook, Instagram and WhatsApp. Perhaps a security practitioner from the ISC2 administration could have a word with the author of the suggestion about using WhatsApp as to why we should not use WhatsApp or even create a WhatsApp group, other than as a honeypot for non-security practitioners?

This question and suggestion got me thinking about my own sanity at the time.

My response to our Auckland Chapter Secretary was along the lines of this:

"WhatsApp is owned by Meta, previously Facebook; they also own Instagram and Facebook.

JP Morgan were recently fined a major sum by the financial legislation board.

IBM bans its use for similar reasons: it is insecure, and owned by a company which actively sells information.

If ISC2 want to set an example, then use a relatively secure messaging system such as "Signal" and set up a working group.

For a security organisation, it is a very bad precedent using WhatsApp amongst professionals.

Are they going to ask us to use Tik-Tok as well? Surely not???!!!"

I am sure our ISC2 community representative may like to investigate and make appropriate suggestions to ensure everyone is in alignment?

Many thanks

Regards

Caute_Cautim

wimremes
Contributor III

1) Corporate rules around use of WhatsApp (and other platforms, including Signal) are not necessarily guided by security concerns but often by regulatory rules around retention and control of communications.

2) I agree that sanctioning tools is not the right way. If you have the resources to run your own Mattermost instance, you agree on using Signal, or choose WhatsApp... fine. As long as there is a convenient way to communicate across the chapter, that should be fine.

3) There is an additional disconnect here between those in Western locations and their understanding of the situation in the rest of the world. Many third world countries, including those that have thriving chapters, have mobile plans that include exemptions for certain tools/platforms. If it is your limited money on the line and your choice for chapter comms is between WhatsApp, which is free, and Signal, which will subtract from your data allocation (which is also currency in some locations), then the choice for WhatsApp is reasonable.

In brief, mandatory tools are bad. Making a conscious choice for the best solution that allows for fluent chapter comms, even if that choice is WhatsApp, is not bad.

Sic semper tyrannis.
Caute_cautim
Community Champion

@wimremes I can see where you are coming from, and why, etc.

However, as security practitioners we should use best practices, and use the same principles in our daily encounters, whether they are in business situations or social interactions.

It is very easy to slip into unhealthy approaches, which quickly become the normal practice within organisations and lead to situations such as JP Morgan and others who have been caught on the legal end.

We should practice what we preach, develop and teach to others.

We all know the background to WhatsApp, Tik-Tok etc.; one should measure the benefits against the associated risks, the circumstances in which they are used, and what is being conveyed. Boundaries should be drawn. Yes, I am in a Westernised environment; however, we should be cognisant of our environments, limitations, and the perception they give. Privacy issues abound as well, but that brings in an entirely different aspect.

However, people are people at the end of the day; they are certainly not perfect, and almost certainly error-bound by default.

For an esteemed organisation such as ISC2 or ISACA or others, it does not provide good credibility to advocate the use of such social media communications solutions, which have their own commercial agendas, and which have been caught red-handed in the past in various nefarious situations.

If there are no other means of communicating, and you seriously have to revert to WhatsApp etc., then be very guarded on what is conveyed; keep it neutral with no bias. Any information will eventually find its way into some search algorithms or AI-driven analysis and be misconstrued, depending on the developers who drive and create the related algorithms.

I would seriously think about becoming a Radio Amateur and communicating in the open via radio waves, by analogue or digital means; at least in an emergency a signal will get through, as proven many times over many years. All you need is a radio license. Or you can achieve the same with Public Radio systems, but with limited range.

Now that is an idea: how about some radio networks for ISC2 worldwide, or for remote communities?

These are my thoughts.

Regards

Caute_Cautim

cindelicato
Contributor I

Like you, my org has listed these apps as not to be used for official business. I have not used TikTok or WhatsApp for my personal use, and I won't. Family and friends' use of Messenger and Telegram has pushed me to establish accounts on these apps, but I won't use them for trusted communications.

noel
Newcomer II

Ultimately you need to meet your members where they are, and a lot of people use WhatsApp.

No, I do not recommend using WhatsApp for "secure corporate communications," but we're talking about using it for the purpose of sending even confidential information. They are talking about setting up a different platform for communicating with each other. Personally, I'm not a fan and think it's way easier to set up a secure message board than to use an app from a third party, but to each their own.

That said, everyone needs to calm down about the "inherent risks" of using a platform just because it's owned by a company that you don't like. We live in a world that has chosen to pay for services through the sale of personal data rather than being paid for by the end user. We may not like it as paranoid security professionals, but there's too much money to be made in that model to be ignored. Apps/services that don't follow that model simply do not get funded.

Instead of taking an abolitionist stance for such apps/services, we need to become more focused on educating our users on how to use such apps/services responsibly. Prohibition only leads to abuse we cannot govern.

Caute_cautim
Community Champion

An interesting update about Signal: the founder of Signal has moved on, leaving the application rather wobbly.

https://www.theregister.com/2022/01/11/signal_ceo_moxie_marlinspike_resigns/

Regards

Caute_Cautim