This article originally appeared in the May 2020 issue of Security Business magazine.
Whether in our personal lives or our professional lives, conducting virtual meetings or attending virtual conferences or family events – our daily routines are now inexorably linked to digital applications. As a security business, it is important to know how to secure these applications so we know interactions online remain private and cannot be accessed by others.
Platforms like Zoom, Microsoft Teams and WebEx are software applications that are easy and intuitive. People who have no technology background can easily access the content. In recent weeks, however, there has been much more scrutiny over these video conferencing services. Using these tools without establishing policies and best practices for users working from home can leave both the individuals and their company vulnerable to cyber-attacks.
Whether it is intellectual property, confidential information, private conversations or virtual classrooms, it is critical that information is being disclosed only to the intended individual or audience. Face-to-face meetings conducted through a virtual environment mean that users can feign anonymity or hide behind a screen or a phone. It is much more difficult to establish a roster of who has joined when people can opt to turn their cameras off and mute themselves, which creates a huge security risk.
Recently it was uncovered that Zoom had numerous vulnerabilities within its application that exposed users to less-than-desirable cyber activities. Zoom’s policies on privacy, how connections are encrypted, and security vulnerabilities are all being vetted and acted upon with solutions in response to “Zoombombing” – where intruders take over video conferences. These vulnerabilities leave users exposed on their home networks, which becomes a major risk when relying on non-technical individuals to ensure that these platforms are secured.
A typical invitation from Zoom can be forwarded to anyone – there is no authentication process for users to validate that they are actually invited to the meeting and frankly, even if there is one, it may be way too complicated for many users to set up. Then you have the challenge of your meeting being hijacked or Zoombombed, as previously noted. Other vulnerabilities may include a hacker being able to gain local privileges to install malware, or even diverting network traffic through other countries. Essentially, you are potentially leaving your business open for threat actors to have access to your data or your customers’ data.
Closing the Vulnerabilities
Many of these platforms’ weaknesses are now coming to light, with patches being provided quickly – by Zoom, for example, to update the software and remediate the vulnerabilities. Best practice guidelines are also being updated to address these issues and protect the users.
Even with this in mind, you cannot just rely on outside companies to fix these problems – it is equally critical to have internal best practices in place for employees working from home. Set up security parameters and guidelines that your employees can follow based on your own company culture and requirements. Here are some basic recommendations:
- Request that participants use the waiting room function – this allows you to screen all users before they join the meeting.
- Users should be required to input their full names so the host can validate the identity of those in attendance.
- Set a timeframe for when users can join the meeting to avoid stragglers or others joining the conversation outside the set parameters.
- Put a disclaimer on the email invite that states that users are not allowed to forward the Meeting ID and information.
As much as action is being taken to remediate all known risks, new ones will still be detected and found, as threat actors constantly look for gaps to use for their advantage. Within our fast-changing world, it is important to create awareness within your own company so everyone plays a part in creating a layer of security against hackers.
Min Kyriannis is an Associate for Cybersecurity/Technology Business Development with Jaros, Baum & Bolles (www.jbb.com), a Manhattan-based MEP and building services firm.