Addressing videoconferencing security concerns
The Covid-19 pandemic response saw many organisations rush to adopt, or dramatically expand their use of, video conferencing. But with it comes increased privacy and security concerns.
These risks affect not only organisations, but also their employees and clients.
The security team at Catalyst, a Wellington-based open source technology specialist, has compiled a series of recommendations to help you and your organisation understand the scope of these privacy and security risks, and what you can do to mitigate them, or manage them down to an acceptable level.
These recommendations are intended to help you determine whether a specific platform is appropriate for your organisation, and offer some tips on how to mitigate potential attacks. The team’s recommendations are applicable to any platform.
Regrettably, some platforms are insecure by design, so Catalyst has prepared the following two lists: one specific to Zoom, and one that applies to any platform.
If you are required by a client to join a Zoom meeting, you can minimise some of the privacy and security risks by adopting the following practices:
• Keep your meeting links off social media.
• Do not use your Personal Meeting ID (PMI) to host public events. Instead, generate a random ID.
• Choose “only host” for screen sharing control during a meeting.
• Only allow signed-in users to join a meeting.
• Use the “lock” feature to prevent random users from joining in. You might also want to consider using the Waiting Room.
• If you are gate-crashed, hover over the user’s name in the Participants menu to bring up a “remove” option.
• Whenever possible, call in to the meeting using your phone instead of connecting via your computer.
• Make sure participants know what classification of information may be discussed in the meeting. The government’s classification rules can serve as a guideline.
These next generic recommendations can also be applied to the evaluation of other videoconferencing platforms. They include:
• Ensure the Privacy Policy of the service provider is aligned with your organisation’s requirements in terms of data classification and privacy requirements.
• If your organisation has specific requirements around data sovereignty, review the service provider’s terms and ensure that their practices and infrastructure are aligned with them.
• Ensure a password or passcode is set for the meeting. Services that do not provide this functionality should be considered insecure by design.
• Similarly, choose longer and less predictable meeting names or IDs, to reduce the risk of bad actors guessing them.
• Whichever service provider you use, it is important to maintain security awareness among your staff on the use of the service that has been selected. The following are general recommendations in this area:
◦ Review the current security posture and privacy policy of any video conferencing provider you are considering, including where it is located and where the data it receives will be stored, to evaluate whether it fulfils the organisation’s requirements on data privacy, data sovereignty, etc.
◦ Educate your users on security issues as they occur; as mentioned at the beginning of this advisory, all platforms will be subject to misuse and abuse by people taking advantage of the current situation.
◦ Try to maintain control of meetings: understand the tools available on your chosen platform, educate your staff in their use, and update the organisation’s policy to enforce correct use.
◦ When security vulnerabilities are discovered (and they will be), review their potential impact and, where possible, tell your staff what they need to do to mitigate them until a fix is applied.
While there is no perfect solution or provider, Catalyst recommends using open source video conferencing platforms like BigBlueButton and Jitsi. “Both solutions respect user data and privacy, are open to scrutiny by security experts, and more importantly, can be hosted here in New Zealand, either on the Catalyst Cloud or on your own infrastructure.”
For more information go to: https://www.catalyst.net.nz