The COVID-19 pandemic has pushed the majority of organizations remote, and workers have turned to video conferencing platforms like Zoom, Skype, GoToMeeting and Microsoft Teams to keep the ball rolling. As expected, major security issues have emerged on these platforms. For U.S. federal and government organizations, security has become a front-and-center matter as employees perform critical functions at home. The new cyber landscape has left many to ponder the same question: To Zoom or not to Zoom?
To date, the most notable teleconferencing scandals have involved Zoom. The platform has fallen under scrutiny for security and privacy issues that have affected users of all types. Zoombombing is a recently coined term for harassment in which intruders hijack video calls and post hate speech or offensive images on the Zoom platform. While this has predominantly become an issue for schools, teachers and students, Zoombombing is on the rise in government meetings, too.
In fact, Zoombombing disrupted a House Oversight Committee meeting on women’s rights at least three times on April 3, 2020. Despite FBI warnings, government entities on the federal and state levels have continued to experience breached meetings. If you’re a federal organization using online meeting platforms to communicate with your workforce, you should be taking extreme safety precautions to protect your assets.
Nobody’s perfect, and in this case, neither are online meeting platforms; regardless, you must choose your platform wisely. The NSA recently published a guide to help government personnel select and safely use online meeting platforms and collaboration services while operating from home. This document outlines the top criteria to consider when selecting a collaboration service and how to use collaboration services securely. We’ve briefly described the top seven ways to secure your online meeting platform below.
- Use government-furnished equipment (GFE) for government use only: Even the most secure platform provides no protection against a compromised device. Personal devices are much more vulnerable than GFE because of malicious applications installed on them and failure to apply patch updates. Always use GFE if it’s available. The private sector can take a similar approach by requiring employees to use organization-issued devices and/or, at a minimum, offering posture assessments for security and policy compliance with NAC features or advanced endpoint protection built into remote access. And, for public and private sector alike, “equipment” doesn’t just mean the compute system. Organizations should consider a secure supply chain for add-ons like USB or Bluetooth headsets, microphones, cameras, and other accessories.
- Know where your platform came from: Ensure you’re downloading or installing a secure online meeting platform from a direct source, such as an official app store or website. Official websites can be identified by having ‘HTTPS’ in the URL. Many organizations use whitelisting within the endpoint security agent, within app management, or at the Internet gateway to help enforce this good hygiene.
- Enable encryption when engaged in an online session: Not all online meeting tools have settings to enable or disable encryption, but the NSA recommends enabling encryption when available. Similar to the previous tip, be sure to check that ‘HTTPS’ is enabled when using a browser-based platform and check the website certificate to validate its safety. In the private sector, organizations can further bolster security posture by enabling SSL inspection.
- Use a secure means for meeting invitations: Keep your meetings on the DL. If you’re unable to send meeting invites through encrypted platforms, make sure your session is private and send individualized passwords or PIN numbers to each participant.
- Verify participants: Don’t rely on the simple, “Hi, who just joined?” to verify the identity of each participant. Designate someone to verify that each participant who joins the meeting is either authenticated by the platform or recognized by voice or appearance. Waiting rooms can also help control who joins a meeting.
- Share appropriate information: Understand the risks of sharing information or holding conversations that may be compromised. Be aware of screen-sharing and recording features that can expose sensitive information.
- Be aware of your physical environment: Ensure there are no background apps, software or sneaky bystanders actively sharing microphone data. IoT devices are often less trusted and can run location services and unnecessary permissions without the user noticing.
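The allowlisting mentioned under “Know where your platform came from” can be sketched as a URL check that treats HTTPS as required but not sufficient and matches the host against approved vendor domains on a label boundary. This is an added example, not taken from the NSA guide or any product; the function name, the allowlist contents and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: illustrative allowlist; populate from your own approved-software list.
APPROVED_DOMAINS = ("zoom.us", "teams.microsoft.com", "webex.com")

def check_download_url(url, approved=APPROVED_DOMAINS):
    """Return (allowed, reason) for a candidate installer or web-client URL."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port                      # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not HTTPS"
    # "https://zoom.us@example.net/" displays a trusted name but connects to example.net
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    if port not in (None, 443):
        return False, "non-standard port"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host"
    # Non-ASCII or punycode labels can imitate a vendor name; send them to a human
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return False, "internationalized host needs manual review"
    for domain in approved:
        # Exact match or a true subdomain; a bare endswith(domain) would accept notzoom.us
        if host == domain or host.endswith("." + domain):
            return True, "matches " + domain
    return False, "host not on allowlist"

if __name__ == "__main__":
    # Constructed sample URLs, not observed traffic
    samples = [
        "https://zoom.us/download",
        "https://cdn.zoom.us/client.pkg",
        "http://zoom.us/download",
        "https://zoom.us.example.net/client.exe",
        "https://zoom.us@example.net/client.exe",
        "https://notzoom.us/",
    ]
    for s in samples:
        print(s, "->", check_download_url(s))
```
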
Carolina Advanced Digital offers a breadth of security solutions for organizations dealing with a sudden remote workforce, including endpoint protection solutions, NAC, secure remote access, secure gateways and micro-branch technology, SSL inspection technology and security consulting. Contact us today to schedule a free call with a team member to discuss your needs.