Security Risks Associated With Video Conferencing: Why Zero Trust Is Essential

essidsolutions

Although video conferencing technology is not new, its use and significance have risen sharply as more firms transition to teleworking. Convenient as it is, many people pause before signing up for a new video conferencing app, worried about being hacked or surveilled. But are these apps actually harmful? If so, what security dangers come along with them, and what are the best practices for holding secure virtual meetings? Let’s hear from experts in the field.

A video conferencing tool must be safe and reliable to be used regularly for business interactions. Remote work environments require employees to connect via an array of technologies that must be safe and secure to ensure the privacy of sensitive data. Unfortunately, many video conferencing solutions do not offer optimal security to users. Using solutions with poor security credentials carries the risks of having meetings interrupted, having confidential information intercepted, or unauthorized access to recorded sessions.

Let’s look at the potential security issues with video conferencing that organizations across sectors should recognize and prepare for. We also ask security experts whether securing video conferencing software with zero trust is the best way forward.

Video Conferencing Security Risks

Matt Chiodi, the chief trust officer at Cerby, lists a few risks of using a video conferencing app. “Misconfigurations stemming from too many options without adequate enforcement is one of the biggest risks today. Most modern video conferencing platforms have built-in security capabilities, but that doesn’t mean they’re enabled,” he says.


Take two-factor authentication (2FA). CISA recently called this the most critical control consumers and businesses alike can enable. Chiodi highlights a key point from his analysis. “In our recent research, we found out that 15% of users only enable 2FA when it’s absolutely required.” The same research also shows that 46% of users say it’s a hassle, and that’s why they don’t bother. Realistically, 2FA shouldn’t be a user choice: it’s a security control that needs to be enforced unilaterally and consistently.

Beyond 2FA, there are hundreds of security options available in platforms like Zoom, but many teams either don’t know how to enable them or don’t have the tools to ensure they are consistently enforced.

– Matt Chiodi, chief trust officer, Cerby

Rapid7’s director of research, Tod Beardsley, believes that the usual concern people have about video conferencing apps is the perceived ability of the video conferencing providers (like Zoom, Microsoft, or Citrix) to eavesdrop on live calls in progress. The threat actors in this scenario range from bored employees at those companies, to nefarious criminal organizations, to heavy-handed governments with warrants and subpoena power. 

“This fear is completely understandable but also misplaced. For starters, all major video call providers provide some ‘end-to-end encryption’ (E2EE) functionality, and most business plans have E2EE enabled by default.”

Beardsley clarifies, “this means that calls in progress are encrypted such that only the users at the endpoints, the people on the calls, can decrypt the audio, video, and text chat. This is already a better encryption state of affairs than email and regular cell phone calls, which both are routinely used for private, sensitive communications and also merely encrypted at the client-server level, vulnerable to all those risks and threat actors.” 

So, assuming E2EE is enabled (both Zoom and Microsoft Teams expose it as a setting), people should have confidence that their video calls are, in fact, private. One caveat a practitioner should keep in mind: on these platforms E2EE is opt-in rather than the default. It must be allowed by an account administrator and then turned on by the host or user, and enabling it disables server-side features such as cloud recording and transcription, because the vendor’s servers no longer hold the keys needed to process the media.

Ensuring Secure Online Meetings – With Zero Trust and Other Practices

Each vendor publishes its own security best practices for its platform, and the nonprofit Center for Internet Security (CIS) offers security benchmarks as well. But Chiodi thinks it’s up to IT and security teams to ensure that these practices and benchmarks are enabled and consistently enforced. “Often, those IT and security teams also have their own security standards for video conferencing platforms, but again, there’s a deficit in regular enforcement.” For example, they might configure a platform like Zoom to the CIS benchmark, but over time there’s no tracking to ensure that the settings are not undone.

Chiodi also accepts the need for video conferencing platforms in this remote working environment but asks teams to stay hyper-aware of the associated risks. “There are so many moving parts that it’s easy to miss configuration changes or drift from the desired state.”

It’s vital for security and IT teams to invest in security automation platforms that can enforce security best practices and automate the mundane tasks that end-users and administrators often neglect.

– Matt Chiodi, chief trust officer, Cerby
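The drift Chiodi describes can be caught mechanically. The following Python is an added example, not code from Cerby, Zoom or CIS: it compares a settings export against a desired-state baseline, covering the 2FA enforcement discussed above as well as meeting, recording and marketplace settings, reports every value that differs from or is missing relative to the baseline, and builds the nested document needed to push the baseline back. The setting names, the export shape and the sample export are assumptions constructed for the example; map them to the real keys of the platform’s settings API before use.

```python
"""Configuration-drift check for a video-conferencing tenant.

Added example, not the code of any vendor or of Cerby. It runs offline
against a settings export (a dict, e.g. parsed from a JSON API response)
and a desired-state baseline, so the check can run on a schedule instead
of relying on a one-off configuration. All setting names below are
assumed; they only imitate the dotted keys a settings API returns.
"""
from dataclasses import dataclass
from typing import Any

# Desired state. Values are what policy requires; comments say why the
# setting belongs in the baseline at all.
BASELINE = {
    "security.two_factor_auth": "all",            # 2FA enforced for everyone, not user-selectable
    "security.sign_in_with_sso_only": True,       # no local passwords once SSO is in place
    "in_meeting.e2e_encryption": True,            # end-to-end encryption available to hosts
    "schedule_meeting.require_passcode": True,    # no open meeting IDs
    "schedule_meeting.waiting_room": True,        # host admits participants
    "schedule_meeting.join_before_host": False,   # nobody in the room unsupervised
    "recording.cloud_recording": False,           # recordings stay off vendor storage
    "marketplace.user_can_install_apps": False,   # third-party apps go through admin review
}


def flatten(obj, prefix=""):
    """Turn nested dicts into dotted keys: {"a": {"b": 1}} -> {"a.b": 1}."""
    out = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out


@dataclass(frozen=True)
class Drift:
    setting: str
    expected: Any
    actual: Any  # None when the setting is absent from the export entirely


def find_drift(settings_export, baseline=BASELINE):
    """Return every baseline setting whose current value differs or is missing."""
    current = flatten(settings_export)
    return [Drift(name, want, current.get(name))
            for name, want in baseline.items()
            if current.get(name) != want]


def remediation_patch(drifts):
    """Build the nested document to send back to the settings API to restore the baseline."""
    patch = {}
    for drift in drifts:
        node = patch
        *parents, leaf = drift.setting.split(".")
        for parent in parents:
            node = node.setdefault(parent, {})
        node[leaf] = drift.expected
    return patch


# Constructed sample export (assumed shape): an account that was set to the
# benchmark once and has since been changed by an admin. 2FA was relaxed,
# cloud recording turned on, join-before-host re-enabled, and the
# marketplace section is missing altogether.
SAMPLE_EXPORT = {
    "security": {"two_factor_auth": "none", "sign_in_with_sso_only": True},
    "in_meeting": {"e2e_encryption": True},
    "schedule_meeting": {"require_passcode": True, "waiting_room": True,
                         "join_before_host": True},
    "recording": {"cloud_recording": True},
}

if __name__ == "__main__":
    drifts = find_drift(SAMPLE_EXPORT)
    for d in drifts:
        print(f"DRIFT {d.setting}: expected {d.expected!r}, found {d.actual!r}")
    print("remediation:", remediation_patch(drifts))
```

Missing keys are treated as drift rather than ignored, because a section that disappears from an export (a feature toggled off at a higher tier, an API that stopped returning it) is exactly the silent change a periodic check exists to catch. Running this on a schedule and alerting on a non-empty result is the “tracking” the paragraph above says is usually absent.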

Another best practice he suggests is eliminating trust from the system. He says that trust is a vulnerability and must be eliminated from any system that needs to be protected. “A key concept in zero trust architecture is the protect surface – most teams think instead of the attack surface, but that’s impossible to protect because it’s essentially the entire Internet.” The protect surface covers only the data, applications, and services critical to the business. Video conferencing fits squarely into that category. Online meetings should be just as secure as physical meetings.

Chiodi states another point with an example. “In order for me to attend a meeting in person, I need to navigate locked gates and guards, perhaps with guns. Online meetings should be no less secure. Any connection to online meetings should be validated to ensure the connection is secure and from a source that has met the requirements defined by the security and IT teams. Trust must be validated, never assumed.”


Not all apps can be secured with zero trust

What if not all video conferencing platforms can support a zero trust architecture? This is actually true of many SaaS applications. Chiodi adds that if a platform doesn’t support common identity standards such as single sign-on (SAML) and SCIM (System for Cross-domain Identity Management) for adding and removing user access, it’s almost impossible to include it in a zero trust protect surface. “These applications can be defined as unmanageable applications–and while identity providers like Okta and Microsoft have pioneered a full application lifecycle management approach, these applications remain out of their reach.”

Chiodi says that about 61% of SaaS applications don’t support single sign-on, 88% don’t support SCIM, and 95% have no security APIs. “This spells trouble for security and IT teams: Without support for these standards, the underlying applications will be ripe for attackers, and zero trust principles will be difficult to apply.”

Unmanageable applications are a further difficulty, and a growing threat to businesses. “In our recent research, we found that 92% of employees want full control over the applications they use for work, and this includes video conferencing platforms.”

In this case, security and IT teams must do two things: 

  • Determine the extent to which unmanageable applications are being used, and 
  • Look for solutions that extend enterprise identity standards to platforms that don’t natively support them.

Conclusion 

Now, with all that said, there is still the opportunity to attack the endpoints, which is where vulnerabilities and exploits come into play. Beardsley thinks that no software is completely bulletproof. Even though the most popular video conferencing apps are built by organizations with very mature, secure software development practices, bugs happen. In 2020, there was a flurry of reported Zoom security bugs, which Zoom did a reasonably good job of addressing.

“I’m a little worried about the 11-month-old Zoom App Marketplace, which ultimately relies on human review of submitted applications for security. This is where I would look for opportunities to break those encryption promises made with E2EE,” adds Beardsley. If an attacker can install malware on an endpoint with special access to Zoom, Teams, or other video data, it becomes hard to be confident that past calls were truly confidential: E2EE protects the media in transit, not the device that decrypts it.

“This is where XDR and zero trust architecture can do the necessary block-and-tackle work of keeping endpoints secure,” he adds.

Which video conferencing solution do you think secures corporate communications the best? Let us know on LinkedIn, Facebook, and Twitter. We would love to hear from you!
