
Remote Working Can Be a Double Edged Sword


As the effects of COVID-19 and social distancing are felt across the lives of millions of Americans, working remotely and meeting with colleagues over teleconferencing services has emerged for many as a double-edged sword. While many companies have found a transition to distance-working, collaboration tools, and web conferences to be quite easy, attackers of various stripes have been seeking to take advantage of the unprecedented surge in the use of these tools.

Some of this activity may be as “innocent” as causing a disturbance in an online classroom, whereas other attackers may go as far as effectively denying service to legitimate users, surreptitiously joining to listen in on a conversation they are not supposed to be a part of, or accessing information and documents which were not intended to be made available. Many of the traditional security considerations apply here, but let’s dive into some specifics.

  1. Are there any underlying security concerns with the meeting application or service?

As has been covered recently, some meeting services have been associated with security concerns. On the one hand, this could be unintentional, with poorly written code resulting in exploitable vulnerabilities. On the other hand, some applications go as far as even spying on users without their consent.

Before signing up for any particular service, companies should perform some research regarding the history and known issues surrounding the company or companies providing that service.

  2. Who can join the call or service? How have the call details been published?

Much of the concern surrounding web conferences relates to how people join. There is a clear trade-off between ease of connectivity and security. Many users have preferred to make connecting to a web meeting or a collaboration tool as painless as possible, for example by allowing anonymous users to connect or by not requiring authentication. In other cases, meetings or tools intended for large groups of people may have common passwords, sometimes published in such a way that they are accessible or can be readily shared with others, thus allowing unintended connections.

Some tools, such as Cisco WebEx, have features which create a lobby functionality that prevents new connections from being placed directly into an ongoing meeting without owner approval. This sort of lobby or secondary approval is expected to become a standard means of preventing strangers from connecting using shared credentials.

  3. How are users authenticated before they are allowed to join?

Some meeting and collaboration tools can be configured to allow access to anyone with the link or URL. Others can be configured to require SAML-based authentication with multiple factors. There is a wide range of options regarding how to authenticate users prior to joining meetings to eliminate the connection of anonymous users, or even the classification of known users as anonymous due to a failure to identify and authenticate.

  4. Who is on the call currently?

Because of the history of web conferencing technical challenges, many people have grown accustomed to seeing a nebulous “dial in user #1” or something similar in their web meetings. Furthermore, mute and microphone problems are common enough that while such users can be challenged – “who is dial in user #1?” – a lack of reply is typically shrugged off as a problem with that user’s microphone or computer. It is advisable to establish an identity for everyone who is on the call so that outsiders cannot hide and listen in on conversations using this sort of scenario.
