In our 2020 security predictions, we pointed out that the modern workforce now has access to options beyond the traditional office setting, and true enough, the ongoing coronavirus (COVID-19) pandemic has caused a shift in the way a lot of people work. With companies implementing work-from-home (WFH) arrangements for their employees, many organizations are now turning to video conferencing tools such as Zoom, Microsoft Skype, and Cisco Webex.
While these apps provide many benefits, most notably allowing a near-seamless transition from direct to digital communication, they also present organizations with the challenge of ensuring that their employees — and the data they work with — remain secure when using these apps.
What exactly do businesses have to be wary of when it comes to their video conferencing software?
Vulnerabilities, for one. Threat actors are not shy about using everything they have in their toolbox, and are always on the lookout for any flaw or vulnerability they can exploit to pull off malicious attacks. For example, in early 2020, a vulnerability in Webex allowed unauthenticated users the ability to join private meetings with just the meeting ID and a mobile Webex app.
Another issue that has been recently making the rounds are incidents where uninvited users crash existing video conference meetings that lack password authentication simply by gaining access to meeting IDs. While this might seem like a minor annoyance, it could turn into a major issue when the said meeting involves highly sensitive and confidential information. In addition, threat actors can also use the chat portion of these tools to spread malicious links or upload files.
Social engineering schemes taking advantage of the increased usage of digital communication software have also been on the rise. For instance, more than 1,700 new domains related to Zoom were registered in 2020 as of the end of March, with a large number of them occurring during the latter half of the month.
Fortunately, businesses have options that we’ll cover in the next section. We’ll also outline some best practices that organizations can implement to strengthen the security of their work-from-home setups.
But before getting into the details, it might be a good idea to reexamine if the software you’re using still fits your specific needs.Businesses tend to stick with what they know — there is a tendency to stick to the status quo if it still works. However, organizations might also assume that a system that has worked in an office-based setup will continue to be effective when transitioning to a WFH environment. This might not always be true, especially when considering the security requirements of the organization. For example, with employees working from home, there is an even greater need for the encryption of audio and video — a factor that should be considered when retaining or changing the existing video conferencing software.
Always ensure that meetings are password-protected. Incidents involving outsiders crashing meetings — popularly known as “Zoom bombing” — often occur due to two factors: first, the external user manages to get hold of the meeting ID, whether intentionally or accidentally; and second, the meeting is set up without a password. While the first factor might not be something the organization can control, setting a password for all video conferencing meetings should be mandatory.
Don’t share meeting information on public platforms. Pranksters — and worse — can gain access to unsecured video conferencing meetings simply by having the meeting identification info. Although it might seem convenient to share meeting info on public platforms like social media, users should avoid doing this as it can potentially lead to disruptions and other malicious activity. Note that apps like Zoom will provide users with a personal meeting ID, which is essentially — as the name implies — a personal meeting space for the user.
Use host controls to your advantage. Video conferencing apps will typically offer “host controls” that allow the host to moderate a meeting, for example, by managing or removing participants, or by locking the meeting room altogether. The latter is a good idea for preventing disruptions once the meeting has started. Another prudent measure that hosts can take is to disable auto-screen sharing for attendees to prevent potential disruptors from sharing any offensive material.
Utilize waiting rooms or lobbies. Most video conferencing apps have a waiting room or lobby feature where participants can wait before they’re allowed to join the meeting. These waiting rooms give the meeting host the ability to control when and how many people can join a particular meeting at any given point. This feature also allows the host to check who’s trying to join the meeting.
Notify users if the meeting is being recorded. Although this might not seem security-related at first glance, hosts should still make it a point to remind meeting attendees if a meeting will be recorded to ensure that everyone is on the same page when it comes to privacy issues.
Disable file transfer features. Threat actors looking to take advantage of the rising popularity of video conferencing apps will sometimes use meeting rooms or chat rooms to upload files that are unwittingly downloaded by participants. To minimize the chance of this happening, the meeting host should disable file transfer features and instead, use other methods such as email for sending files.
Always update to the latest version. Patches are there for a reason — either to add new features or to fix bugs and vulnerabilities, many of which can be leveraged by malicious elements looking for software flaws that they can exploit. Users should always update their app to the latest version to address vulnerabilities.
The current situation has made video conferencing an indispensable part of the remote workplace — and this will likely extend even past the return to normalcy. As these kinds of apps become more commonplace and more integrated into the business environment, security becomes an even more significant issue. While these best practices are not silver bullets for videoconferencing security, they will help both organizations and individual users have a better and safer experience.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.