April 12, 2020

Playbooks for video conferencing app attacks

By Sridhar Pippari

With the rush to work from home, organizations are overwhelmed with employees using video conferencing technologies, from Slack, Skype and Discord to GoToMeeting, Zoom and Webex. What are your security teams supposed to do when incidents like the Fairfax school one strike? Do they have the basic steps and a planned approach to handle such events? On this page we cover the top tips to analyze and mitigate, contain or remediate the issue.

  1. How to make what you train simple so that it sticks.
  2. Tips that are vendor neutral, so it does not matter what technology people use.
  3. Tips that are relevant for years, not weeks.
  4. Technical examples of each tip for some of the most common video conferencing solutions.

Description

Remote work options, or telework, require an enterprise to use video conferencing technology extensively. Especially in the present situation of the COVID-19 lockdown, video technology helps organizations maintain crucial working and personal relationships during this period of social distancing.

Technical Details

The following points need to be considered in advance to handle security threats on these applications:

  1. Individuals using video conferencing are advised to review how it is being used.
  2. Monitor sessions on teleconferencing application protocols and ports for suspicious connections.
  3. Make sure firewall rules and other security controls are in place for the teleconferencing protocols and ports recommended by the vendor.
  4. Understand the security provisions of the service provider, especially what basic security is provided, where the data is held and what actions are permitted on it.
  5. Protect the video conferencing account with a strong password. Use stronger authentication, such as 2-factor authentication, if available. If it is for an organization, plan to implement company-wide defaults and controls where possible. Plan carefully which settings to enforce, and which to set as a default that can then be overridden on a per-meeting basis.
  6. Do not make calls public, know who is joining the call, and understand the surroundings.
  7. These services can be configured to require users to authenticate to join meetings. We recommend implementing single sign-on where possible, integrating the video conferencing service with your existing corporate identity to inherit the same identity protections as your other corporate services.
  8. When configuring the more privileged accounts (for example, those that configure the service or access logs, transcripts, or recordings), apply the principle of least privilege using role-based access control (RBAC).
  9. Configure access to meetings and conferences to protect the confidentiality of the discussions and prevent unwanted interruptions.
  10. Securely configure additional features such as file sharing, screen sharing, messenger, automatic call transcript generation, and remote control of another participant’s device.
  11. Configure and manage the video conferencing apps and software securely. Configure apps at an organisational level to constrain the app’s access to contact lists, location data, documents and photos. Distribute the apps using enterprise management tools and discourage users from downloading an app to join a call. Use an always-on VPN on your corporate devices.

Analysis

To analyse a security incident related to conferencing services, it helps if analysts have the following well understood:

  1. Monitor sessions on teleconferencing application protocols and ports for suspicious connections.
  2. Make sure firewall rules and other security controls are in place for the teleconferencing protocols and ports recommended by the vendor.
  3. Understand the protocols and ports in use for additional or add-on services such as file sharing and instant messengers.

Playbook

Mitigation

The following are a few suggestions for managing online conferences:

  • Allow only signed-in users to join
  • Lock the meeting
  • Remove unwanted or disruptive participants
  • Prevent removed participants from rejoining
  • Turn off file transfer
  • Turn off annotation
  • Prevent participants from screen sharing
  • Put participants on hold
  • Disable video
  • Mute participants
  • Disable private chat
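
The mitigation list above, combined with the earlier advice to decide which settings to enforce and which to leave as overridable defaults, can be checked automatically. The following is an added example, not part of the original page or any vendor's API: the setting names, the enforce/default split and the sample meetings are all hypothetical and constructed for illustration.

```python
# Vendor-neutral audit of meeting settings against an organisational baseline.
# Setting names are hypothetical; map them to your vendor's configuration export.
# Mode "enforce": must always hold. Mode "default": may be overridden per meeting.
BASELINE = {
    "signed_in_users_only":     (True,  "enforce"),
    "block_removed_rejoin":     (True,  "enforce"),
    "file_transfer":            (False, "enforce"),
    "lock_after_start":         (True,  "default"),
    "annotation":               (False, "default"),
    "participant_screen_share": (False, "default"),
    "private_chat":             (False, "default"),
}

def audit_meeting(settings):
    """Return (violations, overrides); a missing setting counts as a deviation."""
    violations, overrides = [], []
    for name, (required, mode) in BASELINE.items():
        if settings.get(name) is required:
            continue
        (violations if mode == "enforce" else overrides).append(name)
    return sorted(violations), sorted(overrides)

def triage(meetings):
    """Map meeting id -> finding for each meeting that deviates from baseline."""
    findings = {}
    for meeting_id, settings in meetings.items():
        violations, overrides = audit_meeting(settings)
        if violations or overrides:
            findings[meeting_id] = {
                "severity": "high" if violations else "review",
                "violations": violations,
                "overrides": overrides,
            }
    return findings

# Constructed sample data (not taken from a real service).
SAMPLE_MEETINGS = {
    "all-hands": {name: value for name, (value, _) in BASELINE.items()},
    "class-101": {"signed_in_users_only": False, "block_removed_rejoin": True,
                  "file_transfer": False, "lock_after_start": True,
                  "annotation": True, "participant_screen_share": True,
                  "private_chat": False},
    "workshop":  {"signed_in_users_only": True, "block_removed_rejoin": True,
                  "file_transfer": False, "lock_after_start": True,
                  "annotation": False, "participant_screen_share": True},
}

if __name__ == "__main__":
    for meeting_id, finding in triage(SAMPLE_MEETINGS).items():
        print(meeting_id, finding)
```

A broken enforced setting is reported as "high", while a changed or missing default is reported as "review" so an analyst can confirm the per-meeting override was intentional.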
