Guide on Secure Video Conferencing
During the outbreak of COVID-19, video conferencing (VC) is becoming an effective means of communication for remote working and for users at different locations to communicate in real time.
With the rising popularity of VC, cyber attacks targeting VC solutions and users are increasing. It is therefore crucial to assess the risks before conducting VC meetings and to ensure they are held in a secure manner. Below are some potential risks:
Meeting bombing - an attacker may join a VC meeting by discovering or guessing the meeting ID to disrupt the meeting or share inappropriate content.
Malicious links or phishing attacks - if attackers gain access to the meeting room, they may trick participants into clicking malicious links. There may also be phishing emails or websites mimicking VC invitations with malicious intent to steal user credentials or send malware.
Sharing data with third parties - be aware of data sharing with third parties by the VC solution or platform and their data usage policy.
Malware or zero-day attacks - there may be vulnerabilities in the VC solution that could be exploited by attackers.
The following are some security measures / good practices to reduce the risks and avoid privacy breaches when hosting VC meetings or using VC solutions:
General Security Measures
Pay attention to any security news about the VC solution and take timely security measures accordingly.
End-to-end encryption and network security measures should be in place to protect the transmission of sensitive data during the course of the meetings.
Apply the latest updates and security patches to all relevant hardware / software items involved in VC, including the VC application, operating systems, web browsers and anti-malware software.
Only share the meeting ID with intended participants and use a one-time meeting ID where possible.
Set a strong meeting password to prevent unintended third parties from joining the meeting.
Limit the collection of personal data from participants to reduce the risks of data leakage.
Adopt two-factor authentication with strong unique passwords to protect the account of the meeting hosts.
Use available security features to control meeting registration or sign-in, e.g. pre-registration or waiting room features.
Track and verify who is at the meeting and confirm the identity of all participants.
Do not allow participants to share their screens by default. Only allow specific participants to do so where appropriate, and only share the application needed rather than the whole desktop.
If a link is received to join a VC meeting, make sure the link comes from a trusted source and do not open links and attachments from unknown senders.
Avoid sharing or discussing sensitive information in VC meetings conducted over a public cloud or an untrusted network.
Avoid performing sensitive operations, such as checking emails, during the VC meeting to avoid sharing the screen with others accidentally.
File transfer should be limited or disabled unless necessary to avoid malicious files being shared, and do not open any suspicious links or files shared by unknown participants.
Avoid recording VC meetings involving sensitive information, since the recording may reside in the public cloud of the VC service provider.
VC meetings should be conducted at each individual's designated private place, and any visible sensitive information should be removed from the camera view.
Cameras and microphones should be turned off when not in use during the VC meeting.
Some references on video conferencing and what you need to know:
Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) - HKCERT proposes 10 measures to secure Zoom Meetings
“Cyber Security Campaign” website - ZOOM Security Settings and Recommendations
Australian Cyber Security Centre - Web Conferencing Security
Palo Alto Networks - Best Practices for Video Conferencing Security
Federal Bureau of Investigation (FBI) of the United States - FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic
Federal Trade Commission (FTC) of the United States - Video conferencing: 10 privacy tips for your business
National Cyber Security Centre (NCSC) of the United Kingdom - Video conferencing services: security guidance for organisations
Cybersecurity and Infrastructure Security Agency (CISA) of the United States - Guidance for Securing Video Conferencing
The Office of the Privacy Commissioner for Personal Data, Hong Kong website - Protecting Personal Data under Work-from-home Arrangements: Guidance on the Use of Video Conferencing Software