Security Best Practices for Your Organization’s Video Conferencing Platform
April 17, 2020
As COVID-19 shifts organizations globally to remote work, there has been an inevitable increase in the use of video conferencing and team collaboration tools such as Zoom, Skype, Microsoft Teams, and WebEx.
Threat actors are exploiting publicly known vulnerabilities in these remote work collaboration & communication tools to spread malware and gain access to restricted, private meetings. The Federal Bureau of Investigation (FBI) has noted a significant rise in “Zoom bombing”, in which threat actors disrupt meetings with inappropriate language and images, forcing meetings to end early.
It is imperative that organizations keep security in mind when utilizing any remote work tools and software, especially video conferencing platforms.
Below, Herjavec Group has compiled the following platform-specific security recommendations so your organization can ensure its data and communications remain protected.
Zoom is a very popular video conferencing platform that has been used by enterprises in nearly every industry including education, transportation, and government agencies. However, there have been many security concerns over the privacy features and vulnerabilities of its platform.
Cyber Hygiene Recommendations:
- Enable the required H.323 and SIP encryption. Zoom is equipped with a setting in its control panel that requires all endpoints to use encryption once enabled.
- Change the default privacy settings to “Host Only” so that you control the meeting
- Do not share your Zoom meeting info on social media
- Use the password option on all Zoom meetings to protect any corporate or sensitive information
- Most importantly, always install updates immediately
We have also published a full threat advisory regarding phishing campaigns in which threat actors leverage the Zoom platform. You can review it here.
Skype has enabled end-to-end encryption for all its Skype-to-Skype voice, video, file transfers, and instant messages.
However, it should be noted that calls made from Skype to a phone line (mobile or landline) will not be encrypted. Skype has provided details on its encryption methods here.
One security concern for Skype is that it provides an uncontrolled registration system for users with no proof of identity. Users can choose nicknames, without having to reveal their identities to other users, which means that the displayed caller’s name provides no guarantee of authenticity.
Therefore, Herjavec Group recommends the following best practices, which are in line with Microsoft Skype’s best practices:
- Since Skype does not require proof of ID, the meeting host using Skype must take the responsibility to verify the identities of all those attending the Skype call
- Disable Windows Server OS services that are not required on devices installed with Skype for Business Server
- Encrypt operating systems and disk drives where data is stored
- Disable all external Direct Memory Access ports of the server, since DMA-based attacks have the potential to expose very sensitive information
The WebEx platform protects user information without compromising on must-have features like secure search for stored and shared content. Similar to Skype, WebEx also offers end-to-end encryption to keep messages, documents, and whiteboard content encrypted from one device to another.
However, if you enable end-to-end encryption, you will lose some features, such as network-based recordings, Join Before Host, and the Cisco WebEx Video Platform.
If your organization uses WebEx, Herjavec Group recommends the following:
- Integrate WebEx with your existing Data Loss Prevention applications to keep sensitive information safe.
- Set up a secure password for all meetings
- Restrict meeting access and audio controls for all external attendees
- Don’t share the host’s Audio PIN with any attendee
- If using a personal room to run your meeting, auto-lock your room as soon as the meeting starts so that attendees waiting in the lobby cannot join automatically. This gives the host an additional way to verify that every meeting attendee has been appropriately authorized.
- For an additional layer of security, do not include the meeting password in your meeting invitation: your guests may forward the invite to their colleagues or other unauthorized parties. In fact, request that invitees not forward the invitation to any other party.
- If hosting a confidential meeting, lock the meeting as soon as every attendee has been authorized. Note that once the meeting is locked, even an invited participant cannot join until you unlock it, so it is best to lock the meeting once all participants are in attendance.
- If you are providing access to recordings after the meeting, restrict access by setting up a password and delete any recordings that are no longer relevant.
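As an added example that is not part of the Herjavec Group post and not Zoom's or Cisco's own tooling, the Python below turns the Zoom and WebEx checklist items above into an automated audit: it takes a normalised view of one meeting's effective settings and returns the items the meeting violates (no password, attendee controls not restricted, H.323/SIP encryption optional, personal room not auto-locked, a password or audio PIN written into the invitation, unprotected or never-deleted recordings, outdated client). The `MeetingConfig` schema, its field names, the 90-day retention threshold and both sample configurations are this example's own assumptions; the Zoom and WebEx admin APIs use different field names, so mapping a real export into this schema is left to the reader.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class MeetingConfig:
    """Constructed, normalised view of one meeting's effective settings.

    The field names are this example's own schema, NOT the field names used
    by the Zoom or WebEx admin APIs.
    """
    platform: str                       # "zoom" or "webex"
    password_required: bool             # a meeting password/passcode is enforced
    host_only_controls: bool            # Zoom "Host Only" / WebEx restricted attendee controls
    auto_lock_on_start: bool            # WebEx personal room locks as soon as the meeting starts
    endpoint_encryption_required: bool  # Zoom: H.323/SIP endpoints must use encryption
    recording_password_required: bool   # recordings are only reachable with a password
    recording_retention_days: Optional[int]  # None = recordings are never deleted
    invitation_text: str = ""           # the invite body exactly as sent to attendees
    client_version: str = ""            # installed client version, e.g. "4.6.9"
    latest_version: str = ""            # vendor's current release


# Matches a password, passcode or audio PIN spelled out in an invitation body.
SECRET_IN_INVITE = re.compile(
    r"(?i)\b(?:meeting\s+)?(?:pass(?:code|word)|(?:audio\s+)?pin)\s*[:=]\s*\S+"
)

# Constructed policy value for "delete any recordings that are no longer relevant".
MAX_RETENTION_DAYS = 90


def _version_tuple(version: str) -> tuple:
    """'4.6.10' -> (4, 6, 10) so that versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def audit(cfg: MeetingConfig) -> List[str]:
    """Return the checklist items that cfg violates (empty list = compliant)."""
    findings = []
    if not cfg.password_required:
        findings.append("no-meeting-password")
    if not cfg.host_only_controls:
        findings.append("attendee-controls-not-restricted")
    if cfg.platform == "zoom" and not cfg.endpoint_encryption_required:
        findings.append("h323-sip-encryption-optional")
    if cfg.platform == "webex" and not cfg.auto_lock_on_start:
        findings.append("personal-room-not-auto-locked")
    if SECRET_IN_INVITE.search(cfg.invitation_text):
        findings.append("secret-in-invitation")
    if not cfg.recording_password_required:
        findings.append("recordings-not-password-protected")
    if cfg.recording_retention_days is None or cfg.recording_retention_days > MAX_RETENTION_DAYS:
        findings.append("recording-retention-too-long")
    if cfg.client_version and cfg.latest_version:
        if _version_tuple(cfg.client_version) < _version_tuple(cfg.latest_version):
            findings.append("client-outdated")
    return findings


# Constructed sample: a meeting left on weak defaults, with the passcode pasted
# into the invitation and an out-of-date client.
WEAK_ZOOM = MeetingConfig(
    platform="zoom", password_required=False, host_only_controls=False,
    auto_lock_on_start=False, endpoint_encryption_required=False,
    recording_password_required=False, recording_retention_days=None,
    invitation_text="Join Zoom Meeting https://example.invalid/j/000\nPasscode: 123456",
    client_version="4.6.9", latest_version="4.6.10",
)

# Constructed sample: the same checklist applied, password delivered out of band.
HARDENED_WEBEX = MeetingConfig(
    platform="webex", password_required=True, host_only_controls=True,
    auto_lock_on_start=True, endpoint_encryption_required=True,
    recording_password_required=True, recording_retention_days=30,
    invitation_text="Join the meeting: https://example.invalid/meet/000 "
                    "(password sent separately; please do not forward this invite)",
    client_version="40.4.0", latest_version="40.4.0",
)

if __name__ == "__main__":
    for name, cfg in (("weak zoom", WEAK_ZOOM), ("hardened webex", HARDENED_WEBEX)):
        print(f"{name}: {audit(cfg) or 'compliant'}")
```

The invitation check is the part most worth keeping even if the rest is replaced by a vendor API call: it catches the case the checklist warns about, where a host pastes the passcode or audio PIN into an invite that attendees then forward.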
Although WebEx has had security vulnerabilities in the past, Cisco regularly rolls out patches in a timely manner.
Microsoft Teams offers a secure, robust platform by enforcing team-wide and organization-wide two-factor authentication, single sign-on through Active Directory, and encryption of data in transit and at rest.
Additionally, files shared in the chats and during meetings are stored in SharePoint and are backed by SharePoint encryption, while the notes are stored in OneNote and are backed by OneNote encryption. The OneNote data is stored in the team SharePoint site. Lastly, the Wiki tab can also be used for note-taking and its content is also stored within the team SharePoint site.
If your organization uses Microsoft Teams, Herjavec Group recommends the following:
- Ensure that multi-factor authentication (MFA) is enabled for the Microsoft environment
- Control who joins meetings through lobby settings and/or set up a structured meeting so the presenter/host has total control over which actions attendees can take in the meeting
- Ensure that the host adequately understands participant roles and participant types for higher control of privileges and to limit access to specific meetings, especially if the meeting invitation will be sent to external participants
Microsoft has also provided a list of the top 12 tasks for security teams to undertake for a remote workforce here.
Organizations, large or small, need to take a security-first approach to their business processes and controls. This need is only amplified in a fully remote work scenario and should extend to all personal tools, technologies, and software, including publicly available communication & collaboration tools.
We have prepared a detailed checklist for CISOs and CIOs to ensure that your teams are prepared for remote work. To review your preparedness plans and take our Secure Remote Work Checklist, click here.
For more information on how Herjavec Group can help your organization enable and secure a remote workforce, please connect with us.