
Work From Home: Virtual Meeting Security…It’s Not Rocket Science

By Philip Reitinger

You’ve heard about Zoom Bombing and other horrors that arise from virtual meetings.  But what choice do you have when you are locked down in your basement? This is mostly what people in cybersecurity call “FUD” – Fear, Uncertainty, and Doubt. In fact, there are a few basic things you can do that will make your virtual meetings much more secure and private.

Patch Your Software

Just like any other software, app or service, use the most up-to-date version.  Zoom was faced with a bunch of problems in its software near the start of the pandemic, and a new vulnerability in Microsoft Teams was patched on April 20. All software has vulnerabilities, so update your software. With virtual conferencing software this isn’t hard, and you may very well get a pop-up box asking you if you want to update (or requiring it) when you launch the app. If you have a choice, just say “YES.”  You can find more help on updating your software when working from home here.

(Note: I’m not saying that all video-conferencing software is equally secure, and it doesn’t matter which you choose.  My point is that no matter which you choose, update it).

Limit Invitations

When actually scheduling and running meetings, the most important thing you can do is to control who is invited to the meeting. If you post the link to the meeting on Facebook or Twitter, then you do not know who is in the meeting.  That’s okay if you don’t care, so long as you have considered the risk that participants may act disruptively or post offensive material in the chat window (see “Zoom Bombing”).

To control access, the most important thing to do is not share the link publicly – control who receives the invitation. A good practice is to require a PIN or code to join the meeting. However, if you distribute the PIN in the same email or meeting invitation as the link to the meeting, then it doesn’t accomplish much. (PINs only add value when the meeting link is reused or easily guessable, which happens most often when people call in, or when the PINs are unique to each participant so they can be better identified.)  Reusing links or PINs can present a challenge, because it is more likely the information will leak over time.

Control Who Is In The Meeting

Even if you limit invitations, uninvited guests may show up.  Bad things can happen. In 2012, the hacker group Anonymous listened in, recorded, and released a conference among representatives from the U.S. FBI and U.K. police.

Preventing this takes a bit more work, but you can do it. You need to verify the identity of all the participants in the video conference.  This is simple if it is just your team, but the larger the group and the fewer people you know the harder verifying participants becomes.  Among the things you should do are to have people turn on cameras, and introduce themselves. Make sure you know who everyone is, and get enough information so that you are confident in having the conversation with the participant. This is especially difficult when people call in, as you won’t have the ability to see the other participant. 

Here you have to decide how much risk you are willing to take.  If Susan from Acme Company introduces herself, knows the subject of the meeting, and was the only person to whom you sent an invitation, then talking with her about your business relationship may be reasonable. But it’s also possible that Susan received the invitation using a personal email account which was hijacked by a hacker, and you are talking with Yvonne from the XYZZY Squad hacker group. Your best bet is to be cautious and take reasonable steps, especially if you don’t have a previous relationship with the person. If someone makes fun of you, tell them you are practicing good “OPSEC, that is, Operational Security” and move on. I bet they don’t question you further.

Your job is not done once you have verified the identities of all participants. People may enter and leave the conference, and knowing only who is present at the start of a video conference doesn’t do you any good.  You need to monitor comings and goings by looking at the attendee counter and all the video frames, and/or by listening for tones indicating changes in attendees.  How to do this will vary by software, so become familiar with what your software provides.

For more sensitive subjects, if your software or service allows, “lock” the participants at the start of the meeting so no one new can join.

I’ll end with an example. You have a weekly meeting that 10-20 people usually attend.  The link is always the same, and in a recurring invitation.  Do you actually check attendees every time, or do you assume things are fine just like they were during the last 30 meetings? My bet is the latter – I know that’s what I would naturally do. How unlikely is it that sometime during the past year somebody inadvertently forwarded an email outside your company?  So with everybody videoconferencing all the time, and bad people out there, let’s be a bit more cautious.
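For hosts whose conferencing service can export a join/leave log, the roster check described above can be automated. The script below is an added example, not part of the original article: the event format, addresses, phone number and lock time are all constructed assumptions, not any vendor's real export.

```python
from datetime import datetime

# Constructed sample data; the tuple layout is an assumed format.
INVITED = {"alice@example.com", "bob@example.com", "susan@acme.example"}
LOCKED_AT = datetime(2020, 5, 4, 10, 5)  # time the host planned to lock the meeting
EVENTS = [
    ("2020-05-04 10:00", "join", "alice@example.com", "video"),
    ("2020-05-04 10:01", "join", "susan@acme.example", "video"),
    ("2020-05-04 10:02", "join", "+1-555-0100", "phone"),
    ("2020-05-04 10:03", "join", "yvonne@xyzzy.example", "video"),
    ("2020-05-04 10:04", "leave", "susan@acme.example", "video"),
    ("2020-05-04 10:09", "join", "susan@acme.example", "video"),
]


def audit_roster(events, invited, locked_at=None):
    """Replay join/leave events in order.

    Returns (findings, present): findings is a list of (time, who, reason)
    tuples the host should follow up on; present is who is still connected.
    """
    findings, present, seen = [], set(), set()
    for stamp, action, who, channel in events:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        if action == "leave":
            present.discard(who)
            continue
        if channel == "phone":
            # Callers cannot be checked on camera, so always flag them.
            findings.append((stamp, who, "dial-in: verify by voice"))
        elif who not in invited:
            findings.append((stamp, who, "not on invitation list"))
        if who in seen:
            # Someone using a name already verified needs a second look.
            findings.append((stamp, who, "rejoined: re-verify identity"))
        if locked_at is not None and when > locked_at:
            findings.append((stamp, who, "joined after planned lock time"))
        seen.add(who)
        present.add(who)
    return findings, present


if __name__ == "__main__":
    findings, present = audit_roster(EVENTS, INVITED, LOCKED_AT)
    for stamp, who, reason in findings:
        print(stamp, who, reason)
    print("still connected:", sorted(present))
```

On the sample log this flags the caller, the uninvited address, and the invited participant who came back after the planned lock time, which is exactly the kind of change a host stops noticing by the thirtieth recurring meeting.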

You can find more extensive tips on secure video conferences at the website of the National Institute of Standards and Technology here.
