Some of this may be as “innocent” as causing a disturbance in an online classroom, whereas other cases may go as far as effectively denying service to legitimate users, surreptitiously joining to listen in on a conversation the intruder is not supposed to be a part of, or accessing information and documents which were not intended to be made available. Many of the traditional security considerations apply here, but let’s dive into some specifics.
- Are there any underlying security concerns with the meeting application or service?
As has been covered recently, some meeting services have been associated with security concerns. On the one hand, this could be unintentional, with poorly written code resulting in exploitable vulnerabilities. On the other hand, some applications go so far as to spy on users without their consent.
Before signing up for any particular service, companies should research the history and known issues surrounding the company or companies providing that service.
- Who can join the call or service? How have the call details been published?
Much of the concern surrounding web conferences relates to how people join. There is a clear trade-off between ease of connectivity and security. Many users have preferred to make connecting to a web meeting or a collaboration tool as painless as possible, for example by allowing anonymous users to connect or by not requiring authentication. In other cases, meetings or tools intended for large groups of people may have common passwords, sometimes published in such a way that they are accessible to, or can be readily shared with, others, thus allowing unintended connections.
Some tools, such as Cisco WebEx, offer a lobby feature that prevents new connections from being placed directly into an ongoing meeting without owner approval. This sort of lobby or secondary approval is expected to become a standard means of preventing strangers from connecting using shared credentials.
- How are users authenticated before they are allowed to join?
Some meeting and collaboration tools can be configured to allow access to anyone with the link or URL. Others can be configured to require SAML-based authentication with multiple factors. There is a wide range of options for authenticating users before they join a meeting. These options keep anonymous users from connecting, and keep known users from being classified as anonymous because they were never identified and authenticated.
- Who is on the call currently?
Because of the history of web conferencing technical challenges, many people have grown accustomed to seeing a nebulous “dial in user #1” or something similar in their web meetings. Furthermore, mute and microphone problems are common enough that, while such users can be challenged – “who is dial in user #1?” – a lack of reply is typically shrugged off as a problem with that user’s microphone or computer. It is advisable to establish an identity for everyone who is on the call so that outsiders cannot hide and listen in on conversations using this sort of scenario.