During the early days of the COVID-19 pandemic quarantine, many businesses shifted the bulk of their operations from in-house workplaces to online distributed workforces. Video conferencing web-based tech companies suddenly found their services in high demand as teams of employees met online to discuss their daily business. And the tech company Zoom was and still is among the most popular of these services.
Around the beginning of April 2020, the cyber security firm Cyble discovered that more than half a million valid Zoom account credentials were being sold cheap or offered for free on the dark web. In his Forbes article, “500,000 Hacked Zoom Accounts Given Away for Free on the dark web,” senior contributor Lee Mathews writes that stolen credentials included client info, personal meeting URLs and Zoom host keys.
The hacking incident at Zoom highlights the importance of cyber security in business, specifically video conferencing security. By accessing Zoom conferences, malicious actors can obtain a wealth of sensitive and confidential information damaging to companies, clients and employees alike. The pandemic, however, has turned cyber security professionals’ attention toward fixing previously overlooked security issues with working remotely.
Steps to Securing Video Conferencing Software
As with most types of connected software and web-based tools, video conferencing programs can be accessed by anonymous hackers and other malicious actors through a variety of exploits and security flaws.
Once hackers gain access to video chat software, they can listen to and view everything that is happening during the conference, including confidential client information, technical data, trade secrets, shared screens, login credentials and personal information.
Hacked video conferencing meetings can lead to anything from industrial espionage to “Zoombombing,” a prank whereby a hacker or other unauthorized user suddenly opens an inappropriate video in a group conference
Securing video conferencing software and web services requires several relatively easy-to-implement steps, according to the WeLiveSecurity.com blog article, “Work from Home: Videoconferencing with Security in Mind.” Key considerations for video conferencing security include:
- Controlling access: Video conferencing hosts can control access to the conference by creating user groups, limiting attendance by domain (e.g., only those with a company email address), setting a meeting password and holding attendees in a virtual “waiting room” to approve each one individually.
- Securing communication: Video conferencing hosts can enforce encrypted file transfers and data traffic during each call. Software generally doesn’t enable encryption by default. In such cases, the host must enable encryption before setting a meeting. Also, whenever file transfers are necessary, file types can be restricted on most platforms, blocking the transfer of executable files (.exe) or other file types that can quickly deliver malware or viruses.
- Managing both engagement and attendees: Video conference hosts should enable settings that allow them to see whether attendees have the video software running in the foreground (as the primary window) or behind other programs. Hosts can also view lists of actual attendees to check against a list of invited attendees. If someone appears on the list who was not invited or isn’t even an employee, the meeting was compromised.
In HighFive.com’s “5 Steps for Secure Video Conferencing,” tech writer Sara Moseley adds these considerations:
- Staying current: Companies need to ensure that both their video conferencing software and the systems on which it runs are not out of date. The computers both employees and hosts use for video calls need to be updated regularly with security patches and malware information. Even one missed update may leave a video conference open to would-be hackers.
- Implementing single sign-on user authentication: Companies that take advantage of video conferencing technologies should implement single sign-on (SSO) authentication for users. SSO is convenient for users because they only need to keep track of one set of login credentials. IT staff also benefit from SSO because it allows them to keep track of exactly how, when and where those credentials are used.
- Using the domain-based approach: IT staff and video conferencing providers are both capable of setting up a video conferencing domain setup. The domain approach allows each user to be assigned varying levels of permission. Anyone attempting to connect from outside the domain must wait until someone with appropriate permissions allows the connection to proceed.
While IT teams and chat hosts are primarily responsible for securing video conferences, companies that take advantage of the technology should have a policy in place for all employees who participate in video meetings.
Instituting a Video Conferencing Policy in the Workplace
Video conferencing settings and network security can only do so much to prevent a security breach. If a skilled hacker successfully bypasses security measures, video meeting participants can still help prevent a leak of sensitive information.
Companies that rely on video communication with remote workers and clients need to have a video conferencing policy in place with which all employees are familiar. Such a policy should include these items, at minimum:
- Recording of calls should either be prohibited or allowed only with express permission of the host.
- Sensitive information should be discussed only in designated chat rooms or calls or exchanged over approved channels.
- Cameras should focus only on attendees’ faces. Sensitive information may be visible on desks, whiteboards or elsewhere within the visual range of the camera.
- Cameras and microphones should remain off when not in use. Commercial camera covers are available, or a simple strip of tape can suffice.
- Remote access to cameras should only be granted to authenticated, permitted users.
University of North Dakota’s Master of Science in Cyber Security Program
Choosing the right online cyber security master’s program is crucial. The best programs offer courses that keep current with today’s cyber security issues and concerns.
UND prepares students for careers in cyber security with concentrations in Autonomous Systems Cyber Security, Cyber Security and Behavior, Data Security and General Cyber Security. For more information, visit the program’s website.
Sources:
500,000 Hacked Zoom Accounts Given Away for Free on the Dark Web – Forbes
Work from Home: Videoconferencing with Security In Mind – WeLiveSecurity.com
5 Steps for Secure Video Conferencing – HighFive.com