How Can We Improve the Security of Our Video Conferencing?

The success or failure of an attack hinges on the intersection of the information attackers have gleaned about a potential target, and their ability to translate that into a weapon to use against them.

Video conferencing platforms are a great way to enable communication and collaboration during these uncertain and unusual times. As more organizations and individuals turn to these platforms, malicious actors take notice and look for ways to exploit them. Some platforms are seeing growth in both usage and attacks; in fact, recent incidents of unwelcome attendees disrupting Zoom meetings with offensive audio or video have given rise to the term “Zoombombing.”

In general, these video conferencing platforms offer a few very convenient features that can also be misused to create a nuisance or to conduct a cyber security attack.

  • Audio or video sharing can be used to broadcast undesirable or offensive content
  • Public chats can be used to send undesirable content or links to malicious websites
  • Private or direct messages can also be used to send undesirable content or links to malicious websites
  • File transfers can be used to transfer malicious files or graphic images

Think about these features as a phishing mechanism. The normal channel used for phishing is email. Over the years, technology has evolved to scan, monitor, filter, block, and generally try to protect users from phishing attacks through email. The features listed above have none of this phishing protection and create a much higher risk of falling victim to a cyber security attack.

Here are some things you can do to protect your organization from these threats:

For public sessions, use your platform’s webinar or presentation mode to prevent streaming uninvited attendee video or voice to other attendees. Some organizations have a need to invite the general public or a large group of non-employees. Where needed, limit the exposure a guest has to others. 

For private sessions, apply a password to the meeting, share only with the expected participants, and lock the room once all attendees are in. Software tools exist to guess and validate meeting room codes at high volumes, and passwords serve as the best protection to prevent unwanted attendees. Management should adopt a single platform for organization-wide usage, and apply policies to all accounts to enforce security practices. Without an official platform, employees may use whatever is convenient and may not know security best practices.

Have one or more people join and designate them as co-hosts to allow quicker moderation of any attendees attempting undesirable actions. This is generally more applicable to larger or public meetings, and it allows the meeting to continue uninterrupted.

Do not reuse any meeting codes, and disable any ‘room codes’ or ‘personal codes’ that allow a single code to be joined time after time. These are a great convenience for those who use virtual meetings often, but they remove some difficulty for attackers.

Be mindful of whether the session is being recorded. Hosts should notify attendees if a session is being recorded and make sure to store any recordings securely. Not all platforms display an indicator to attendees when the session is being recorded. Attendees should consider that what they say, display, or even send in a chat could be preserved.

Encourage employees to pay close attention to any video conferencing links in emails and calendar invites to ensure they are clicking on legitimate links going to legitimate conferencing platforms. Attackers continue to adjust their phishing techniques to current situations, and we have seen recent phishing attempts that emulate video conference links while presenting a login page to grab employee credentials.
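The link check described above can also be automated at the mail or calendar gateway. The following is an added example, not code from this article's authors: the allowlist, brand words, function names and sample invite are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist, built from the platforms this article names. In practice,
# list only the single platform your organization has standardized on.
ALLOWED_DOMAINS = ("zoom.us", "webex.com", "gotomeeting.com", "teams.microsoft.com")
BRAND_WORDS = ("zoom", "webex", "gotomeeting", "teams")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def check_link(url):
    """Classify one URL as ('ok' | 'suspicious' | 'unknown', reason)."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ("suspicious", "malformed URL")
    if not host:
        return ("suspicious", "no hostname")
    if parts.username is not None:
        # In https://zoom.us@other.example/ the real host is other.example.
        return ("suspicious", "userinfo before host")
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return ("suspicious", "non-ASCII or punycode host, possible look-alike")
    if not any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS):
        if any(word in host for word in BRAND_WORDS):
            return ("suspicious", "platform name inside a non-platform host")
        return ("unknown", "host is not an approved conferencing platform")
    if parts.scheme != "https":
        return ("suspicious", "approved host but not https")
    return ("ok", "approved platform over https")


def scan_text(text):
    """Check every URL found in an email body or calendar invite."""
    urls = [u.rstrip(".,;)") for u in URL_RE.findall(text)]
    return [(u, *check_link(u)) for u in urls]


# Constructed sample invite; the .example hosts and meeting IDs are made up.
SAMPLE_INVITE = """\
Join here: https://zoom.us/j/0000000000
Backup room: https://example-org.webex.com/meet/room
Re-login required: https://zoom.us.meeting-login.example/signin
Alt link: https://zoom.us@conference-login.example/j/0000000000
Old link: http://zoom.us/j/0000000000
"""

if __name__ == "__main__":
    for url, verdict, reason in scan_text(SAMPLE_INVITE):
        print(f"{verdict:10} {url}  ({reason})")
```

A hostname match only shows where the link points; a link that passes can still be an unexpected invite, so treat "ok" as necessary rather than sufficient.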

Many of our clients were forced into purchasing new remote access equipment in very short timelines, and sometimes that time pressure causes cyber security best practices to take a back seat. Organizations now need to revisit how they’ve implemented and deployed these devices.

Additional resources

Cisco Webex best practices for secure meetings:
https://help.webex.com/en-us/8zi8tq/Cisco-Webex-Best-Practices-for-Secure-Meetings-Hosts

GoToMeeting, 5 best practices for secure video conferencing with GoToMeeting:
https://blog.gotomeeting.com/5-best-practices-staying-secure-gotomeeting/

Microsoft, Security and compliance in Microsoft Teams:
https://docs.microsoft.com/en-us/microsoftteams/security-compliance-overview

Zoom, Best practices for securing your virtual classroom:
https://blog.zoom.us/wordpress/2020/03/27/best-practices-for-securing-your-virtual-classroom/

Zoom, How to keep uninvited guests out of your Zoom event:
https://blog.zoom.us/wordpress/2020/03/20/keep-uninvited-guests-out-of-your-zoom-event/

We at Beazley Security look forward to keeping you, your customers, and your employees safe from cybercriminals. Please contact us at your convenience:

Phone: (203) 307-4984
E-mail: info@beazley.security
