Top Videoconferencing Attacks and Security Best Practices
Videoconferencing has become a routine part of everyday life for remote workers, students, and families. Yet widespread adoption of this technology has also attracted nefarious characters whose motivations can range from simple disruption to full-out espionage. It's important to understand these threats and how secure configuration of videoconferencing systems can improve the overall security of an organization and individual everyday users.
Common Videoconferencing Attacks
Making sure your videoconferencing technology is set up securely can help prevent these attacks from being successful. There are several types of attacks that can be executed through videoconferencing platforms; here are some that have been recently observed:
- Meeting Bombing: In this type of attack, an uninvited guest joins a videoconferencing meeting either to listen in on the conversation or to disrupt the meeting by sharing inappropriate media.
- Malicious Links in Chat: Once attackers gain access to the meeting room, they can trick participants into clicking on malicious links shared via the chat, allowing attackers to steal credentials or attempt to install malware.
- Stolen Meeting Links: Reusing the same meeting link for multiple meetings makes it easy for attackers as well: anyone who obtained the link once, whether from a forwarded invitation, a calendar entry, or a public post, can use it to join later meetings too.
- Host Privileges Transfer: In this type of attack, a participant waits until the end of the meeting; if the host leaves before all the attendees have disconnected, the platform may hand host control to that remaining participant, who then gains the host's privileges.
A Combined Effort to Create Best Practices
The significant growth in remote working environments, combined with the very public problems that occurred with the Zoom platform earlier in 2020, prompted the CIS Benchmarks team to provide comprehensive security guidance for videoconferencing. This new guidance takes two forms:
1. A CIS Benchmark for Zoom with detailed security configuration recommendations.
2. The CIS Videoconferencing Security Guide describing the shared responsibilities and configuration recommendations for individuals and IT departments, regardless of which specific platform is used.
The process to create the CIS Videoconferencing Security Guide began with research to determine the common set of security best practices that apply to a wide range of videoconferencing systems. Each product may have distinguishing features, but there is typically a core set of capabilities that is common across all systems.
The CIS Benchmarks team wrote an initial draft based on this research and solicited feedback from internal CIS experts and key external CIS Benchmark Community contributors as well.
Secure Videoconferencing Configuration
The CIS Videoconferencing Security Guide provides prescriptive guidance that is applicable to a wide variety of videoconferencing systems in use today. Examples include Cisco WebEx Meetings, Microsoft Teams, Zoom, and BlueJeans.
The recommendations are mapped to the CIS Controls Implementation Group 1 (IG1) safeguards for basic cyber hygiene, and the guide discusses the shared responsibility between individual remote workers and company IT departments.
Key areas include:
- An overview of the impact of a remote workforce on organizational security
- Prescriptive guidance for videoconferencing system configuration and use for:
  - Meeting setup: Participant authentication, meeting room types, how participants join, and meeting encryption
  - During a meeting: Attendee verification, participant ejection, use of video, screen sharing, and chat
  - Meeting recording: Retention policy, recording protection, and more