The Do’s & Don’ts of Video-Conferencing Security
When any technology sees its popularity increase quickly, the number of bad actors taking advantage of new and untrained users also grows. The world is seeing this now with videoconferencing services and applications, as reports about the popular Zoom app being hijacked — known as “Zoom-bombing” — have surfaced.
With multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language, the National Cyber Security Centre (NCSC) recently issued a warning for users of videoconferencing platforms about the incidents. Meanwhile, details on Zoom’s password problems and how hackers were able to use “war dialling” methods to discover meeting IDs and passwords for Zoom meetings have emerged on industry news sites.
While hijacked meetings are disruptive and disturbing for participants, a more insidious threat comes in the form of intruders who lurk in meetings without revealing their presence with the goal of discovering sensitive information that can be exploited — a nightmare for corporate security and individual privacy alike.
Another nightmare: thousands of private recordings of Zoom meetings have been discovered on the open web, according to the BBC. In response, Zoom told The Verge that its own servers had not been breached and that the videos had likely been uploaded by users to other cloud storage services. But they were easily found through search because they used the company’s default naming convention for recordings.
Locking down meetings
The good news is that many videoconferencing products include security settings that can prevent such incidents. The bad news is that it’s often left to users with no security training to configure these settings.
We’re here to help with some safety tips for companies, schools and individuals using videoconferencing services.
Don’t use consumer-grade software or plans for business meetings. Consumer tools most likely don’t have all the administrative tools you need to lock things down. While no videoconferencing service can guarantee 100% protection from threats, you’ll get a more complete set of security tools with products geared for business use, many of which are being offered for free currently, such as Microsoft Teams.
Do use waiting room features in conferencing software. Such features put participants in a separate virtual room before the meeting and allow the host to admit only those people who are supposed to be in the meeting.
Do make sure password protection is enabled. Zoom now auto-generates a password in addition to a meeting room ID. Make sure that your service uses both a meeting ID number and a string, but in addition, also has a separate password or PIN. If the service lets you create a password for the meeting, use password creation best practices — use a random string of numbers, letters, and symbols; don’t create an easily guessable password like “123456”.
Don’t share links to teleconferences or classrooms outside of secure channels. Invite attendees from within the conferencing software and tell them to not share the links, especially not on social media.
Don’t allow participants to screen share by default. Your software should offer settings that allow the host to manage screen sharing. Once a meeting has begun, you can allow specific participants to share when it is appropriate.
Don’t use video on a call if you don’t need to. Turning off your webcam and listening in via audio prevents possible social engineering efforts to learn more about you through background objects. Audio-only also saves network bandwidth on an internet connection, improving the overall audio and visual (AV) quality of the meeting.
Do use the latest version of the software. Security vulnerabilities are likely to be exploited more often on older software versions. For instance, Zoom recently updated its software to require password-protected meetings, and it has paused work on new features to focus its application development on stamping out security vulnerabilities, indicating that more updates are to come. Regardless though of whichever platform you’re using, double-check that participants are using the most up-to-date version of the application available.
Do eject participants from meetings if an intruder is able to get in or becomes unruly. This prevents them from re-joining.
Do lock a meeting once all the participants have joined the call. However, if a valid participant drops out, be sure to unlock the meeting to let them back in and then re-lock it after they return.
Don’t record meetings unless you need to. If you do record a meeting, make sure all participants know they are being recorded (the software should indicate this, but it’s good practice to tell them too) and give the recording a unique name when you save it, rather than using whatever default naming convention your application assigns.
Do educate employees who host meetings on the specific steps they should take in the software your company uses to ensure their conferences are secure. Why not share this Blog with them?
Balancing security with ease of use
One of the reasons Zoom and other videoconferencing services have gained in popularity has been because of their ease of use for end users, many of whom don’t use this technology on a regular basis.
People crave simplicity when it comes to technology, especially during stressful times such as a global pandemic, there is always a juggling act between security and ease of use when it comes to tech products.
Most people prefer not to think about the security aspects of a product. Even when these features are included with a product, most people still usually don’t configure these settings, and assume someone else is managing these things on their behalf.
The majority of people working at home currently, want simple security and privacy settings already baked in and turned on for them, they just want to start the program and use it. As the host you should make it your responsibility to ensure security settings are applied for your guests.
Educating your fellow technology users
It has been widely reported, at least in the IT sector newsfeeds, that hacking efforts around videoconferencing services have grown as a direct result of the growth of work-at-home policies, in the wake of the Covid-19 pandemic.
Hackers and cyber-criminals think like marketers — they’re always looking for trends and how to market their scams. So when it became apparent that applications like Zoom were trending we started to see new types of threats emerge because of that. It hits everyone because people are more dependent on technology today more than ever.
What’s different now compared to previous security threats is that a whole new set of technology users — students, teachers, family members and small organizations like karate, fitness, and dance studios — are utilizing videoconferencing to run meetings, often without any IT or security support behind them. Traditional messaging efforts around security training, such as emails or Twitter messages, need to expand to where this new audience will see them.
If you want to reach them you should go through the channels they are now utilising. Maybe the material is the same, but the way you deliver it has to adapt where people will see it. Identify what media platforms your colleagues and contacts are using and use these same platforms to deliver security training.
Want more advice? If you would like advice on IT for your small business or start-up, get in touch.