CERT-In Advisory
CIAD-2020-0020
Web Conferencing Security
Original Issue Date: April 15, 2020
Severity Rating: High
Description
The recent COVID-19 pandemic has led organizations, educational institutions and many others to incorporate web conferencing for communication from home.
Web conference is a service which enables users to conduct meetings, conferences, presentations, trainings through the internet over TCP/IP connections without being physically present at one single location. Web conferencing allows real time communication offering streams of data through text messages, voice and video calls.
Fraudsters have found this as an opportunity to conduct unauthorized activities resulting in obtaining of sensitive information of individuals and organization such as employee information, product knowledge, trade secrets etc. It is necessary to protect confidential data from prying eyes.
Few security issues while using web conferencing are:
- Attackers joining the meeting if no password to join is required or if they get to know the access code.
- Attacker sending malicious links in chat to extract information.
- Data shared using third parties might be used by attackers to obtain information.
- Vulnerabilities if not patched on time could allow attackers to exploit the target system.
Best practices for using Web Conferencing
- Install the web conferencing system through a distinguished vendor which allows encryption of data with SSL/TLS limits, provides intrusion control and allows non-persistent flow of data.
- Update the system regularly for any vulnerabilities with the latest software and patches.
- Review security and privacy settings to prevent attackers from exploiting the system.
- Information about the meeting should be given only to concerned individuals via authorized email. Providing of access codes to join the meeting to participants will lead to restriction of data flow.
- Consider using waiting room features: Place participants in a separate virtual room before the meeting and allow the host to admit only people who are supposed to be in the room.
- Keep an eye on uninvited guest during the web conference. The meeting may be locked for others to join once all valid participants have joined.The host of the web conference should monitor whether only the intended participants have joined in.
- Screen sharing should be limited to the host which will restrict sharing of content by the other participants by mistake.
- If you do record a meeting, make sure that you get permission from all participants and give the recording a unique name when you save it.
- Participants should be aware of their surroundings. Basic rules such as using headphones, muting the microphone when not speaking, using a blank background during video conferencing should be incorporated.
- Give information to others in the meeting on a need to know basis by assigning level of information access to all participants.
- Kids who have classes through web conferencing should be advised to use the system in a safe and secure manner. They should be advised to discuss only on the topic mentioned by the teacher and not divulge personal information.
- Once the web conference is over, the provider should erase all data from its server.
References
https://www.welivesecurity.com/2020/03/30/work-from-home-videoconferencing-security-in-mind/
https://blog.paloaltonetworks.com/2020/04/network-video-conferencing-security/
https://www.cyber.gov.au/publications/web-conferencing-security
https://sentreesystems.com/newsletter-topics/web-conferencing-security-tips/
https://www.computerworld.com/article/3535924/do-s-and-don-ts-of-videoconferencing-security.html
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India
|