The Latest Easy Target for Bad Actors May Be Online Video Collaboration Tools

By Matthew Vulpis July 14, 2021

Growing attacks on collaboration platforms organizations were forced to  use when work-from-home mandates were put in place around the world during the pandemic got the attention of law enforcement in 2020, when the FBI issued guidance, warning “As individuals continue the transition to online lessons and meetings, the FBI recommends exercising due diligence and caution in your cybersecurity efforts.”

They offered a few steps that should be taken to mitigate teleconference hijacking threats:

-Do not make meetings or classrooms public. In Zoom, there are two options to make a meeting private: require a meeting password or use the waiting room feature and control the admittance of guests.

-Do not share a link to a teleconference or classroom on an unrestricted publicly available social media post. Provide the link directly to specific people.

-Manage screen-sharing options. In Zoom, change screen sharing to “Host Only.”

-Ensure users are using the updated version of remote access/meeting applications. In January 2020, Zoom updated its software. In their security update, the teleconference software provider added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.

-Lastly, ensure that your organization’s telework policy or guide addresses requirements for physical and information security.

Cybercriminals are becoming more sophisticated in a cybercrime “industry” that is worth billions, if not trillions of dollars.

Security expert and investigative journalist Brian Krebs shined the light on “war dialing,” a technique to automatically scan a list of telephone numbers, usually dialing every number in a local area code to search for modems, computers, servers, and fax machines. He wrote about Zoom’s password problems and how hackers were able to use “war dialing” methods to discover meeting IDs and passwords for Zoom meetings.

What’s keeping CISOs and IT teams up at night? Not just the annoyance of collaboration sessions being disrupted by strangers (which is upsetting to participants) but more so the more serious threat that intruders may lurk in meetings without revealing who they are, which has become a nightmare for those responsible for protecting corporate secrets, systems, and other assets.

As part of its advisory, the FBI offered safety tips for companies, schools, and individuals using videoconferencing services, including recommendations regarding the use of professional, highly secure “enterprise-grade” platforms rather than “consumer-grade,” which lack the administrative tools to secure every session and verify the identity of every user.

We spoke with Kevin Howe-Patterson, VP PLM and CTO, at Kandy, an American Virtual Cloud Technologies company and developer of secure, private enterprise collaboration software being used by US government agencies, large city governments, education institutions, hospitals, eCommerce companies, and more.

“There are important processes organizations can follow, including training their employees on the rationale behind security policies,” Howe-Patterson said. “But if these protections are not built into the experience, compliance will be harder to maintain; the key is to make it simple for both end-users and administrators with automation and intelligence.”

For example, while there are “waiting room” features built into many collaboration platforms, if users do not specifically select that feature so participants in the next conference can be hosted in a separate virtual room, new visitors can crash the current session, which is not only uncomfortable for all participants but is a natural security risk when confidential or sensitive information is being shared and discussed.

“Features like one-time-passwords or PINs can help keep bad actors out, and the ability to mute participants, disable their ability to share their screen or add comments to the chat, and to even remove them from the conference is all very useful, but without some level of automation can be difficult to enforce across large organizations like many of the financial services customers we serve,” Howe-Patterson said.

Up-to-date software versions are also important, as new releases often include more security features, Howe-Patterson said. “IT teams or managed service providers who are responsible for ensuring integrity and security benefit greatly from real-time reporting, showing which users may not have downloaded the latest update. Automatic software updates for collaboration solutions are another critical requirement, especially for highly regulated industries including healthcare, payments, e-commerce and others who are entrusted with their customers’ private information.”

Gabriel Friedlander, the CEO of security awareness training firm Wizer, posted a list on LinkedIn of recommended security settings writing:

  1. Turn off [Participants Video]. They can turn it back on once you allow them to join.
  2. Turn off [Join before host]
  3. Turn off [Use Personal Meeting ID (PMI) when scheduling a meeting]
  4. Turn off [Use Personal Meeting ID (PMI) when starting an instant meeting]
  5. Turn on [Require a password when scheduling new meetings]
  6. Turn on [Mute participants upon entry]
  7. Turn on [Play sound when participants join or leave] (this is heard by the host only).
  8. Turn on [Screen Sharing] - host only
  9. Turn off [Annotation]
  10. Turn on [Breakout room] - allows the host to assign participants to breakout room scheduling.
  11. In the advanced settings, hosts should Turn on [Waiting Room] feature.

While these settings are specific to Zoom, videoconferencing software should offer these options – they are fundamental to security risk management.

“Given all this, it is also essential to make sure the user experience, whether one is hosting or attending a meeting, is excellent,” Howe-Patterson said. “By combining more automated security features with quality-of-service features, IT teams can avoid the shadow IT problem, where employees go outside the digital perimeter to use easier tools which are less secure. The underlying infrastructure matters – ample high-speed broadband, and a full security stack which protects the physical layer as well as cloud services, and works on desktops, smartphones, and tablets with the same intuitive experience.”

With a secure, high-performance enterprise-grade digital collaboration platform, which includes video but also supports voice and messaging application, organizations can take full advantage of distributed workers while also supporting customers with embedded applications that make it easy for those customers to choose their channels and click once to reach a live expert.

“The benefits are so clear, whether reducing the cost of travel, providing employees a better work-life balance, dramatically improving customer experience, and even changing the world by making telemedicine and distance learning not only possible but practical,” Howe-Patterson said. “Without security, however, those benefits could be lost in a heartbeat if an organization’s events are attacked, leading to reputational damage, fines, and other catastrophic consequences. The good news? Advanced digital collaboration tools are available which include security as a forethought, not an afterthought.”

Edited by Luke Bellos
Get stories like this delivered straight to your inbox. [Free eNews Subscription]

Content Contributor

Related Articles

$100M Towards Innovative Capital Options: AppDirect Secures New Funding from CDPQ

By: Alex Passett    1/9/2024

New funding from CDPQ provides AppDirect with the power to help technology providers and advisors in transforming and scaling their businesses while m…

Read More

NextPlane's Affordable Microsoft Teams PSTN Calling Solution for UCaaS and Service Providers

By: TMCnet Staff    5/23/2023

NextPlane's Affordable Microsoft Teams PSTN Calling Solution for UCaaS and Service Providers

Read More

Snapchat Announces its New ChatGPT-Powered 'My AI' Chatbot

By: Alex Passett    2/27/2023

The popular app Snapchat is now offering a new friend, of sorts: My AI. Powered by ChatGPT, the bot is already integrated for select users to experime…

Read More

Black-owned Businesses See Vision Become Reality with Dialpad, and Sacramento King's Davion Mitchell

By: Greg Tavarez    2/24/2023

Dialpad is further expanding its Tech for Black Founders program and partnership with Sacramento Kings' point guard Davion Mitchell to promote Black-o…

Read More

IDEA Showcase 2023 at ITEXPO Gives Startups Opportunity for Exposure

By: Greg Tavarez    2/16/2023

IDEA Showcase 2023 at ITEXPO in Ft. Lauderdale, Florida, gave entrepreneurs a chance to present pitches to a panel of judges.

Read More