When the COVID-19 crisis broke open a month ago and forced organizations to make employees work from home, video conferencing was seen as a way to allow managers to keep on top of what staff are doing.
Now, amid recent complaints that Zoom and others have security and privacy flaws, a Forrester Research advisor is urging management to give employees rules on how to chose a collaboration platform and use it securely.
“Give guidance to employees,” Heidi Shey, a security and risk principal analyst at Forrester said in an interview. “Now is the time for leadership, for giving advice so people understand what they’re using in terms of technology, what they need to be aware of. That they have to understand the privacy controls and not just use the default settings.”
In many cases, the advice is basic hygiene: Before signing up for a service read its privacy policy. What data does the service collect, does it share data with third parties, does it have rights to any user content? These questions also apply to chat and file sharing apps, added Shey. “If it’s a wall of dense legalese, that could be a flag.”
End users and meeting hosts need to think about what content is being shared if privacy can’t be assured. Sensitive personal or financial information about customers, partners or the company may not be appropriate.
Meeting hosts should think about whether the meeting will be recorded. If it is, are there controls on who can access and share it.
End users should be conscious of what others can see when they are on camera. Is there a bulletin board or desk with visible passwords stuck to it. Meeting participants should also off home smart speakers in the room because they might be activated and start recording.
Things are serious enough that a U.S. Senator has urged an American regulator to create security guidelines for software makers and end-users.
Zoom has been the focus of many complaints that its service is not secure enough, with the U.S. Senate’s sergeant at arms asking Senators and their staff to look at alternatives. In addition, Germany’s Ministry of Foreign Affairs, the governments of Taiwan and Australia, Google and New York state area schools have banned Zoom. The University of Toronto’s Citizen Lab had a number of serious questions, to which Zoom has responded.
Related:
Zoom admits confusion over encryption
Zoom has recently made some immediate changes to its platform. It made mandatory the use of passwords to attend meetings — and promising to quickly close holes on bugs.
This week Kaspersky issued 10 tips for securing Zoom. They include:
- When creating an account use a strong password enforced by two-factor authentication
- Never make public the Personal Meeting ID you get after registering or use it to host public events. Instead chose the one-time meeting ID or the ‘generate a meeting ID automatically’ option
- Don’t fall for fake Zoom apps
- Don’t use social media to share conference links
- Meeting hosts should have participants use a Waiting Room, where they can be verified before the meeting goes live
- Limit participants from screen sharing. That will prevent participants from sharing with those who aren’t supposed to be in the meeting
- Use the web client if possible
Some of these tips apply to all platforms, although the names of their controls may be different.
Cisco Systems’ Webex is a common enterprise platform which according to the company has seen a “massive” adoption since the crisis began. It has broadened features available to the existing free version aimed at consumers while letting existing enterprise customers add licences at no charge.
But even Webex has vulnerabilities. In January the company patched a severe bug that let uninvited people into password-protected meetings if they had the meeting ID and the mobile app. In March Cisco fixed vulnerabilities in Webex Player and Webex Network Recording Player for playing back recordings that could have allowed an attacker to execute code.
In an interview, Abhay Kulkarni, vice-president and general manager of Webex meetings, noted these vulnerabilities were found by Cisco. Both the free and enterprise versions have the same basic privacy features, he said, although the enterprise version offers single sign-on and a managed solution for mobile phones.
By default, Webex automatically sets a password for each scheduled meeting. However, while new registrants have to create a strong password, it is not protected with two-factor authentication.
Cisco also offers these best practices to hosts for securing Webex meetings:
- Do not share your Audio PIN with anyone
- Provide meeting passwords only to users who need them. For sensitive meetings, check “exclude password from the email invitation.” Then you have to provide the password to attendees another way, such as by phone
- Never share sensitive information in your meeting until you are sure who is in attendance
- You set your Personal Room to automatically locks when the meeting starts. Cisco recommends locking your room at 0 minutes. This is essentially the same as locking your room when you enter it. It prevents all attendees in your lobby from automatically joining in the meeting. Instead, you will see a notification in the meeting when attendees are waiting in the lobby. You can then screen and allow only authorized attendees into your meeting
- For extra security require attendees to have an account on your site
Asked for comment about what users can do to secure Google Meet, a spokesperson referred to a blog published this week, which notes several security features. Google Meet makes it difficult to brute force meeting IDs by using codes that are 10 characters long, with 25 characters in the set. It limits the ability of external participants to join a meeting more than 15 minutes in advance, which Google argues reduces the window in which a brute force attack can be attempted.
External participants cannot join meetings unless they’re on the calendar invite or have been invited by in-domain participants. Otherwise, they must request to join the meeting, and their request must be accepted by a member of the host organization.
For schools that use Google Hangout Meet, changes are being made so only meeting creators and calendar owners can mute or remove other participants. This is to ensure instructors can’t be removed or muted by student participants. Only meeting creators and calendar owners can approve requests to join made by external participants. This means that students can’t allow external participants to join via video and that external participants can’t join before the instructor. Meeting participants can’t rejoin nicknamed meetings once the final participant has left. This means if the instructor is the last person to leave a nicknamed meeting, students can’t join later without the instructor present.