Firstly, I am a security and privacy freak with my personal security likely being better than what you would find at the British MoD. I try to avoid mass market services especially those owned by the big players and that includes WhatsApp. Occasionally I use it abroad while using a country SIM since it saves on high bills since it uses the internet not GSM which has high call charges while abroad. As soon as I am on the flight back, I uninstall it, remove its historically entry from the app store and remove left over files.
WhatsApp was once independent and then Facebook bought it up. Facebook, WhatsApp and other mass market services are typically free, and are funded by advertising or worse them selling on your data. WhatsApp has no advertising in it, so you have to wonder how they make money out of it. Their security spiel claims it offer end to end encryption by default and they cannot read your messages. It states the encryption is handled by the devices and they do not store messages once pushed to the end device. There is a short sentence about law enforcement access so obviously there is a way around it.
Daily server & endpoint patching, application whitelisting, web application firewalls, intrusion prevention systems and more all sound like excellent defences yet phishing can punch through them. Why? Phishing goes after the person unlike a SQL injection attack. Strangely some email security gateways guarantee 100% (hmm) malware blocking and 99% or so spam blocking.
Split DNS
Hackers, terrorists and heist gangs do reconnaissance before an attack and if you can hide your services hackers will struggle to pull off the attack. Everyone has a website which routes through www (www.domain.com) and @ (http://domain.com). For VPN gateways, client logins, document management systems; sub domains are used, i.e. vpn.domain.com, clients.domain.com and docshare.domain.com.
