Your Quick Guide to Conducting Secure Videoconferences

April 20, 2020
Nate Fair
Information Security Architect

Chances are you have just been thrust into the throes of working from home (WFH). If you’re one of the millions in that boat, you may have also just learned the initialism for working from home. As the Coronavirus pandemic remains steadfast, more and more people are working from home and just as many companies are using videoconferencing services to keep the ship afloat. Videoconferencing software and their vulnerabilities are making headlines and bylines—so with all of this going on, I hope to give a quick rundown on some best practices to conduct a safe and secure videoconference for the new virtual workforce.

Known issue: what attackers are already looking for

The time is ripe for attackers to analyze different videoconferencing solutions for vulnerabilities, analyze them, and exploit them to run their code, gain unauthorized access to corporate infrastructure, and conduct additional malicious activity.

So what can you do? How do you do it?

The good kind of gatekeeping

Here are some common features of videoconferencing software to use and be aware of to help protect you and your organization.

Be your own meeting bouncer: To prevent unwanted or accidental attendees from wandering into your virtual meeting, restrict access to the party using defined groups or e-mail addresses. Most platforms give users the option to allow only those attendees with a company issued e-mail address to join the meeting.

Double-check defaults: When creating a new meeting, make sure a password is required to join the meeting. Some applications will randomly generate one for you, and some give you the option of creating your own. Note: If you’re e-mailing a meeting invite, make sure the password is not in the meeting link itself, but rather in the e-mail body.

No cuts, no buts: Make use of a waiting queue and validate your attendees. Meeting hosts and administrators are often given the discretion to approve incoming connections to the meeting. If you find that managing this access by yourself becomes difficult, assigning and delegating this control to multiple trusted parties may help carry the burden.

Encrypt. Encrypt. Encrypt: With the large mix of standalone workstation applications, web-based applications, and mobile applications, enforcing encrypted traffic across all these devices is important. Protect the content of your virtual meetings in the same way you protect your face-to-face meetings. In the same vein, make sure you are staying up-to-date with patches. When known, the tactics attackers are using become public, and vendors push fixes down to your machine, so install those security updates and keep the bad actors from snooping.

Protect your endpoints: Remember you no longer have your traditional e-mail/boundary defenses in place at home. Meeting hosts and administrators usually have the ability to allow certain file types and content to be uploaded to the chat. So restrict known suspicious file types (check your e-mail filtering rules) and move the file sharing to a more secure platform.

Triple check those tabs: And lastly, remember that the Internet is forever, and so are screenshots. When you are sharing your screen, ensure that you are only sharing the application that needs to be shared, that the content you are sharing does not contain any sensitive or private information, and that you close out of out all other applications that are not needed.

Remember: All of these controls work in unison, together on the same team, pedaling in tandem to create a finished, secure product, an information security tenent known as ”defense in depth.”

Conclusion

Remember, at the end of the day, you are not only helping protect the normal day-to-day operations that have moved from personal face-to-face meetings to involving more people with significantly more moving parts, you’re helping to boost and ensure the security posture of yourself, your colleagues, and your organization as a whole.

Learn how CBTS can help keep your organization safe.

Subscribe to our blog