The COVID-19 pandemic has caused many organizations to abruptly adopt a remote work policy for most or all of their staff. One impact of this transition is a spike in the use of online collaboration and videoconferencing tools such as Zoom, LogMeIn GoToMeeting, Cisco WebEx, and Microsoft Teams.
The sudden popularity of these platforms has piqued the interest of cybercriminals. Hacking activities have reached such proportions that the FBI has posted an alert. This makes it more important for you to ensure your virtual workers are using collaboration tools securely.
This article explores how several popular online collaboration tools handle security, explains the associated risks, and provides best practices for protecting your workers and your business.
Cybercriminals watch and wait for times of chaos during which to strike.
One recent trend that has made headlines, brought about by the increased use of Zoom as a collaboration tool, is “Zoom bombing”. In a Zoom bombing attack, a hacker gains unauthorized access to a Zoom meeting and, typically, displays inappropriate content or uses profane language.
Alternatively, a cybercriminal may be able to join a meeting and eavesdrop on sensitive company information without being noticed.
These attacks are enabled by the fact that many organizations set up Zoom meetings without defining a meeting password. In these cases, anyone with knowledge of the meeting time and URL can join the meeting. Often, a meeting link is posted on social media. A cybercriminal can also take advantage of the high usage of Zoom by trying to guess Zoom meeting IDs, since a Zoom link consists of a company’s Zoom URL and a nine-digit code.
Unauthorized parties joining a Zoom meeting is not the only threat an organization faces when using the collaboration platform.
Zoom is also vulnerable to UNC path injection attacks. When presented with a link that points to a file on a remote SMB server, Windows tries to download the file and, in an attempt to authenticate, sends the user’s username and password hash to that server. The exploitation of this vulnerability in Zoom, which is easier than ever as employees grow accustomed to online meetings, can enable an attacker to guess weak employee passwords.
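As a defensive illustration of the UNC path issue described above, the following added example (not part of the original article) scans chat messages for UNC-style links and flags any that point at a host outside an approved list of internal file servers. The server names, the sample chat messages, and the function names are all constructed assumptions.

```python
import re

# Assumption: the only hosts staff legitimately open shares on (hypothetical names).
INTERNAL_FILE_SERVERS = {"fileserver01", "fs.corp.example.com"}

HOST = r"(?P<host>[A-Za-z0-9][\w.-]*)"
# \\host\share, including the WebDAV forms \\host@80\share and \\host@SSL@443\share.
UNC_RE = re.compile(r"(?<!\\)\\\\" + HOST + r"(?:@[^\\/\s]*)?\\(?P<share>[^\\/\s]+)")
# file://host/share and file:////host/share also resolve to a remote share;
# file:///C:/... has an empty host, is local, and is deliberately not matched.
FILE_URL_RE = re.compile(r"file:/{2}(?:/{2})?" + HOST + r"/(?P<share>[^/\s]+)", re.I)


def find_unc_links(message):
    """Return (host, share, is_internal) for every UNC-style link in a message."""
    hits = []
    for pattern in (UNC_RE, FILE_URL_RE):
        for m in pattern.finditer(message):
            host = m.group("host").lower().rstrip(".")
            hits.append((host, m.group("share"), host in INTERNAL_FILE_SERVERS))
    return hits


def triage(chat):
    """Return (sender, host, share) for links that leave the approved server list."""
    return [(sender, host, share)
            for sender, text in chat
            for host, share, internal in find_unc_links(text)
            if not internal]


# Constructed sample chat log: (sender, message text).
SAMPLE_CHAT = [
    ("alice", r"Slides are on \\fileserver01\meetings\q2.pptx"),
    ("guest-4821", r"agenda here: \\203.0.113.7\docs\agenda.docx"),
    ("guest-4821", "mirror: file://files.example.net/share/agenda.docx"),
    ("bob", r"path is C:\Users\bob\notes.txt and file:///C:/tmp/x.txt"),
    ("carol", r"WebDAV form \\files.example.net@SSL@443\share\a.txt"),
]

if __name__ == "__main__":
    for sender, host, share in triage(SAMPLE_CHAT):
        print(f"ALERT sender={sender} external_host={host} share={share}")
```

Blocking outbound SMB (TCP 445) at the network perimeter addresses the same exposure at the network layer, independent of what is pasted into a chat window.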
When discussing sensitive company matters over video conferences, end-to-end encryption is an important feature. Encryption ensures that only participants in the conference can access the meeting’s video, audio, or other shared media.
Be aware that different platforms provide different levels of end-to-end encryption:
The level of security required depends on an organization’s business needs and the sensitivity of the discussions held on the platform.
Employees working from home are likely connecting via untrusted networks. This may include public Wi-Fi, like that provided in some apartment buildings, or home networks that may have a weak password or lack a firewall and other basic security features. Transmitting sensitive business data over these insecure connections leaves it vulnerable to interception, and business computers are more likely to be infected by malware on these networks.
Businesses should provide all of their remote employees with an enterprise virtual private network (VPN). This provides end-to-end encryption of all traffic between the remote worker and the business network, protecting against eavesdroppers.
Additionally, all business traffic is routed through the VPN, even if its final destination is the public Internet. This allows the organization’s existing perimeter-based cybersecurity deployment to scan the traffic for malicious content, data exfiltration, and other threats before allowing it to continue on to its destination.
Events like the COVID-19 pandemic may force an organization to move to a partly or fully remote workforce. For job functions that require online meetings, a secure videoconferencing platform is essential to maintaining business continuity.
The security of an organization’s video conferences depends upon both the choice of platform and how it is configured.
Follow these additional best practices for using video conferences for secure communications:
For more information about secure conferencing and how it can affect your organization’s data security and regulatory compliance, reach out to start the conversation.