Video conferencing has always been an effective tool for interaction. It serves to bridge the location gap between people, and it has always been used by individuals and organizations alike. In places where lockdowns have been imposed, technology is now the only means by which people interact with one another.
With the increase in work-from-home policies around the world, cyber criminals have begun to take advantage of unsuspecting users and organizations, exploiting the security risks and vulnerabilities which working from home brings. Several forms of malicious activity have taken place since the advent of the coronavirus pandemic. These range from email and SMS scams to phishing campaigns and other forms of cyber exploitation. Ransomware is also on the rise during this period as attackers seek to profit as much as possible. In this article, we will look at the security concerns and risks associated with video conferencing and the mitigations which can be put in place to prevent or reduce risk.
Increased usage of videoconferencing services
As people now work from home, there is increased usage of VaaS (Video conferencing as a Service) platforms such as Microsoft Teams, Zoom and the like. The number of daily meeting users on the Zoom platform increased from about 10 million in December 2019 to about 200 million in March 2020. Due to the sudden spike in the number of meetings and the volume of users and traffic, issues not normally encountered have become significant. For example, there was a recent privacy issue with Zoom which exposed that its data collection practices were somewhat intrusive.
“Zoombombing” is a term which became popularized in 2020. The term was derived from the Zoom video conferencing platform, where hackers brute-force Zoom meeting IDs in an attempt to randomly join a valid Zoom meeting. They then post malicious content in the meeting chat, rendering the meeting useless for others, and gather sensitive information shared in the meeting. There have also been reports of about half a million Zoom accounts being sold on the dark web. These were obtained using “credential stuffing”, where attackers leverage bots to automate login attempts using stolen credentials obtained from other accounts and services.
Another feature in Zoom which is considered intrusive is its “attention-tracking”, which checks the level of attention of an employee during a meeting by monitoring whether the Zoom window goes out of focus for more than 30 seconds. These and other concerns have raised a number of red flags, prompting companies to seek alternative video conferencing platforms. Elon Musk's SpaceX, with more than 6000 employees, recently banned the use of Zoom, citing “significant privacy and security concerns”.
Let’s look at some of the ways we can reduce or eliminate the risks involved with the use of video conferencing in our organizations and while we work from home:
Enforce meeting passwords: This is evidently important to prevent unauthorized access. Mandatory passwords will help protect against uninvited guests.
Recording: If the meeting is being recorded, participants should be made aware. Recordings should be stored and encrypted appropriately. Also, all participants except the meeting host should be blocked from recording.
Screen Sharing: Sharing should be done one at a time when appropriate. This should be controlled by the host to prevent hackers from sharing images.
Updated Software: As much as possible, use up-to-date software, which incorporates security improvements and fixes vulnerabilities hackers could exploit.
Conference links: Verify meeting invites and ascertain the source. Be mindful of malicious links or meeting invites posted on public platforms, including social media. Hover over the link before clicking.
Hosting Meetings: If possible, the actual meeting session should not start without the host. Some VaaS platforms offer a waiting room feature, where participants are in separate virtual rooms before the actual meeting begins.
Attendees: Attendees can speak at the start of a call. This helps to identify unknown attendees.
Lock Meeting: Once all attendees have joined a meeting, it can be locked to prevent anyone else from joining.
Link Sharing: Meeting invite links should not be shared in public forums. They should be sent only to the specific attendees to minimize the risk of intrusion.
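The "Conference links" advice above (hover over the link and check where it really goes) can also be applied automatically, for example in a mail filter or chat bot. The following Python code is an added example, not part of the original article; the allowlist of approved hosts, the function names and the sample invite URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hosts this organization accepts for meetings (illustrative allowlist).
APPROVED_DOMAINS = ("zoom.us", "teams.microsoft.com")

def check_invite_link(url):
    """Return (ok, reason) for a meeting invite URL, judged by its real host."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not an https link"
    # "https://zoom.us@other.example/" connects to other.example, not zoom.us.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before '@' hides the real host"
    if not host:
        return False, "no host"
    # Non-ASCII or punycode labels can render as lookalikes of a trusted name.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return False, "internationalized host (possible lookalike)"
    # Match the approved domain at a label boundary, never as a substring.
    if any(host == d or host.endswith("." + d) for d in APPROVED_DOMAINS):
        return True, "approved host " + host
    return False, "host " + host + " is not an approved conferencing domain"

# Constructed sample invites (not real meetings).
SAMPLE_INVITES = [
    "https://us02web.zoom.us/j/0000000000?pwd=EXAMPLE",
    "http://zoom.us/j/0000000000",
    "https://zoom.us@join-meeting.example/j/0000000000",
    "https://zoom.us.join-meeting.example/j/0000000000",
    "https://examplezoom.us/j/0000000000",
    "https://z\u043e\u043em.us/j/0000000000",  # Cyrillic 'o' characters
]

def rejected(links):
    """Return the links that fail the check, each with its reason."""
    results = [(link, check_invite_link(link)) for link in links]
    return [(link, reason) for link, (ok, reason) in results if not ok]

if __name__ == "__main__":
    for link, reason in rejected(SAMPLE_INVITES):
        shown = link.encode("ascii", "backslashreplace").decode()
        print("REJECT", shown, "-", reason)
```

A link that passes this check only points at an approved platform; the invite's sender still has to be verified as the article describes.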