
How can we improve the security of our video conferencing?

January 5, 2021
Improving Video Conferencing Security

Video conferencing platforms are a great way to enable communication and collaboration during these uncertain and unusual times. As more organizations and individuals turn to these platforms, malicious-minded people take notice and look for ways to exploit them. Some platforms are seeing more popularity in both usage and attacks; in fact, recent incidents of unwelcome attendees disrupting Zoom meetings with offensive audio or video have given rise to the term “Zoombombing.”

In general, these video conferencing platforms offer a few very convenient features that can also be misused to cause a nuisance or to conduct a cybersecurity attack:

  • Audio or video sharing can be used to broadcast undesirable or offensive content
  • Public chats can be used to send undesirable content or links to malicious websites
  • Private or direct messages can also be used to send undesirable content or links to malicious websites
  • File transfers can be used to transfer malicious files or graphic images

Think of these features as a phishing mechanism. The normal channel used for phishing is email. Over the years, technology has evolved to scan, monitor, filter, block, and generally try to protect users from phishing attacks through emails. The features listed above have none of this phishing protection and create a much higher risk of falling victim to a cybersecurity attack.

Here are some things you can do to protect your organization from these threats:

For public sessions, use your platform’s webinar or presentation mode to prevent streaming uninvited attendee video or voice to other attendees. Some organizations have a need to invite the general public or a large group of non-employees. Where needed, limit the exposure a guest has to others. 

For private sessions, apply a password to the meeting, share only with the expected participants, and lock the room once all attendees are in. Software tools exist to guess and validate meeting room codes at high volumes, and passwords serve as the best protection to prevent unwanted attendees. Management should adopt a single platform for organization-wide usage, and apply policies to all accounts to enforce security practices. Without an official platform, employees may use whatever is convenient and may not know security best practices.

Have one or more people join and designate them as co-hosts to allow quicker moderation of any attendees attempting undesirable actions. This is generally more applicable to larger or public meetings, and it allows the meeting to continue uninterrupted.

Do not reuse any meeting codes, and disable any ‘room codes’ or ‘personal codes’ that allow a single code to be used to join time after time. These are a great convenience for those who use virtual meetings often, but they remove some difficulty for attackers.

Be mindful of whether the session is being recorded. Hosts should notify attendees if a session is being recorded and make sure to store any recordings securely. Not all platforms display an indicator to attendees when the session is being recorded. Attendees should consider that what they say, display, or even send in a chat could be preserved.

Encourage employees to pay close attention to any video conferencing links in emails and calendar invites to ensure they are clicking on legitimate links going to legitimate conferencing platforms. Attackers continue to adjust their phishing techniques to current situations, and we have seen recent phishing attempts that emulate video conference links while presenting a login page to grab employee credentials.
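
One way to automate the link check described above, as an added example that is not part of the original article: it scans an invite body and flags links that look like conferencing links but do not point to an approved platform over HTTPS. The domain allowlist, the brand-word list and the sample invite are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: join domains of the platforms named in this article. Replace
# with the single platform your organization has officially adopted.
ALLOWED_DOMAINS = {"zoom.us", "webex.com", "teams.microsoft.com", "gotomeeting.com"}
# Brand words that make a link look like a conferencing link.
BRAND_WORDS = ("zoom", "webex", "teams", "gotomeeting")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def classify_link(url):
    """Return 'trusted', 'suspicious' or 'unrelated' for one URL."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return "suspicious"
    host = (parts.hostname or "").lower().rstrip(".")
    # Match on a label boundary so zoom.us.evil.example is not treated as zoom.us.
    on_allowlist = any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)
    if on_allowlist and parts.scheme.lower() == "https" and "@" not in parts.netloc:
        return "trusted"
    visible = (parts.netloc + parts.path).lower()
    looks_like_conferencing = (
        on_allowlist                               # right domain, but http:// or userinfo
        or "xn--" in host or not host.isascii()    # punycode or homoglyph host
        or any(word in visible for word in BRAND_WORDS)
    )
    return "suspicious" if looks_like_conferencing else "unrelated"

def scan_invite(body):
    """Return (url, verdict) for every link that is trusted or suspicious."""
    results = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;")  # drop sentence punctuation glued to the link
        verdict = classify_link(url)
        if verdict != "unrelated":
            results.append((url, verdict))
    return results

# Constructed sample invite; the .example hosts are placeholders.
SAMPLE_INVITE = """Join: https://zoom.us/j/0000000000
Backup: https://zoom.us.meeting-join.example/j/0000000000
Sign in first: http://webex.com/login
Alternate: https://zoom.us@login.example/j/1
Agenda: https://intranet.example/agenda.pdf
"""

if __name__ == "__main__":
    for url, verdict in scan_invite(SAMPLE_INVITE):
        print(f"{verdict:10} {url}")
```

Brand words in a path can produce false positives, so treat a "suspicious" verdict as a prompt for review rather than an automatic block.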

Many of our clients were forced into purchasing new remote access equipment in very short timelines, and sometimes that time pressure causes cybersecurity best practices to take a back seat. Organizations now need to revisit how they’ve implemented and deployed these devices.

Additional resources

Cisco Webex best practices for secure meetings:
https://help.webex.com/en-us/8zi8tq/Cisco-Webex-Best-Practices-for-Secure-Meetings-Hosts

GoToMeeting, 5 best practices for secure video conferencing with GoToMeeting:
https://blog.gotomeeting.com/5-best-practices-staying-secure-gotomeeting/

Microsoft, Security and compliance in Microsoft Teams:
https://docs.microsoft.com/en-us/microsoftteams/security-compliance-overview

Zoom, Best practices for securing your virtual classroom:
https://blog.zoom.us/wordpress/2020/03/27/best-practices-for-securing-your-virtual-classroom/

Zoom, How to keep uninvited guests out of your Zoom event:
https://blog.zoom.us/wordpress/2020/03/20/keep-uninvited-guests-out-of-your-zoom-event/

We at Lodestone look forward to keeping you, your customers, and your employees safe from cybercriminals. Please contact us at your convenience:

Phone: (203) 307-4984
E-mail: info@lodestone.com
