The COVID-19 pandemic has caused many organizations to abruptly adopt a remote work policy for most or all their staff. One impact of this transition is a spike in the use of online collaboration and videoconferencing tools such as Zoom, LogMeIn GoToMeeting, Cisco WebEx, and Microsoft Teams.
Cybercriminals Are Targeting Online Collaboration Platforms
The sudden popularity of these platforms has piqued the interest of cybercriminals. Hacking activities have reached such proportions that the FBI has posted an alert. This makes it more important for you to ensure your virtual workers are using collaboration tools securely.
This article explores how several popular online collaboration tools handle security, explains the associated risks and provides best practices for protecting your workers and your business.
Cybercriminals watch and wait for times of chaos during which to strike.
One recent trend brought about by the increased use of Zoom as a collaboration tool that has made headlines is “Zoom bombing”. In a Zoom bombing attack, a hacker gains unauthorized access to a Zoom meeting and, typically, displays inappropriate content or uses profane language.
Alternatively, a cybercriminal may be able to join a meeting and eavesdrop on sensitive company information without being noticed.
These attacks are enabled by the fact that many organizations set up Zoom meetings without defining a meeting password. In these cases, anyone with knowledge of the meeting time and URL can join the meeting. Many times, a meeting link is posted on social media, or a cybercriminal can take advantage of the high usage of Zoom by trying to guess Zoom meeting IDs (since a Zoom link consists of a company’s Zoom URL and a nine-digit code).
Unauthorized parties joining a Zoom meeting is not the only threat an organization faces when using the collaboration platform.
Zoom is also vulnerable to UNC path injection attacks. When presented with a link that points to a file on a remote SMB server, Windows will send the user’s username and password hash to that server in an attempt to authenticate when trying to download the file. Exploitation of this vulnerability in Zoom, which is easier than ever as employees grow accustomed to online meetings, can enable an attacker to guess weak employee passwords.
Tools Handle Security Features Differently
When discussing sensitive company matters over video conference, end-to-end encryption is an important feature. Encryption ensures that only participants in the conference can access the meeting’s video, audio or other shared media.
Be aware that different platforms provide different levels of end-to-end encryption:
- Microsoft Teams supports team-wide and organization-wide two-factor authentication, single sign-on through Active Directory, and encryption of data in transit and at rest. Additionally, the Microsoft 365 suite also supports the following; shared files are stored in SharePoint and are backed by SharePoint encryption. Notes are stored in OneNote and are backed by OneNote encryption. The mobile client supports InTune App Protection Policies that ensure content is encrypted and users are authenticated on the end point device.
- Zoom security documentation is described as end-to-end encryption, but in reality it is a one-way TLS 1.2 connection. Meaning there is some encryption along the communication path, but it is not true end-to-end encryption. See Avertium’s Threat Report for details about Zoom vulnerabilities.
- GoToMeeting offers end-to-end encryption secured by a key generated by the GoToMeeting service broker and deleted after the session is complete.
- Cisco Webex is not end-to-end encrypted by default but offers an option where public key cryptography is used to ensure that an encryption key generated by the host is distributed to all participants without being revealed to the Webex server.
The level of security required depends on an organization’s business needs and the sensitivity of the discussions made on the platform.
Secure Network Connections with a VPN
Employees working from home are likely connecting via untrusted networks. This may include public Wi-Fi, like that provided in some apartment buildings, or home networks that may have a weak password or lack a firewall and other basic security features. Transmitting sensitive business data over these insecure connections leaves it vulnerable to interception, and business computers are more likely to be infected by malware on these networks.
Businesses should provide all of their remote employees with an enterprise virtual private network (VPN). This provides end-to-end encryption of all traffic between the remote worker and the business network, protecting against eavesdroppers.
Additionally, all business traffic is routed through the VPN, even if its final destination is the public Internet. This allows the organization’s existing perimeter-based cybersecurity deployment to scan the traffic for malicious content, data exfiltration, and other threats before allowing it to continue on to its destination.
Making Secure Collaboration Part of a Business Continuity Plan
Events like the COVID-19 pandemic may force an organization to move to a partly or fully remote workforce. Job functions that require online meetings, a secure videoconferencing platform is essential to maintaining business continuity.
The security of an organization’s videoconferences depends upon both the choice of platform and how it is configured.
Online Collaboration Tool Security Checklist
Follow these additional best practices for using videoconferences for secure communications:
- Require a strong password or passphrase for all work-related meetings
- Use a videoconferencing solution that offers end-to-end encryption
- Ensure that conferencing software is kept patched and up to date
- Do a roll call for each application or call-in connection to identify all attendees
- Do not share meeting links on social media or other public media
- Configure Windows to not send NTLM passwords to remote machines
For more information about secure conferencing and how it can affect your organization’s data security and regulatory compliance, reach out to start the conversation.