Sergiu Gatlan* says a US Government Agency has shared measures those working from home should take to protect their privacy during virtual meetings.
The US National Institute of Standards and Technology (NIST) has shared a number of measures that should be taken by remote workers to prevent eavesdropping and protect their privacy during virtual meetings while working from home during the current COVID-19 pandemic.
Jeff Greene, the Director of the National Cybersecurity Center of Excellence (NCCoE) at the NIST, said “if virtual meetings are not set up correctly, former co-workers, disgruntled employees, or hackers might be able to eavesdrop”.
“Using some basic precautions can help ensure that your meetings are an opportunity to collaborate and work effectively — and not the genesis of a data breach or other embarrassing and costly security or privacy incident.”
Boost your online meetings’ security
Greene suggests taking advantage of your conferencing software’s built-in security features, as well as suggestions provided by their developers to boost virtual meetings’ security.
NCCoE’s Director recommends considering multi-factor authentication (MFA) whenever it is available and making use of a dashboard to keep a close eye on your meeting’s attendees.
Also limit the reuse of meeting access codes and enable notifications when attendees join, so that you can quickly identify those who shouldn’t be attending.
According to NIST, the measures to take to prevent eavesdropping by unauthorised parties are:
- Follow your organisation’s policies for virtual meeting security.
- Limit reuse of access codes; if you’ve used the same code for a while, you’ve probably shared it with more people than you can imagine or recall.
- If the topic is sensitive, use one-time PINs or meeting identifier codes, and consider MFA.
- Use a “green room” or “waiting room” and don’t allow the meeting to begin until the host joins.
- Enable notification when attendees join by playing a tone or announcing names; otherwise, make sure the meeting host asks new attendees to identify themselves.
- If available, use a dashboard to monitor attendees.
- Don’t record the meeting unless it’s necessary.
- If it’s a web meeting (with video): Disable features you don’t need (like chat or file sharing); and before anyone shares their screen, remind them not to inadvertently share other sensitive information during the meeting.
When you know that sensitive information will be shared between the attendees of a specific virtual meeting, you can also take the following additional measures to further increase security:
- Use only approved virtual meeting services.
- Encrypt recordings, requiring a passphrase to decrypt them, and delete recordings stored by the provider.
- Only conduct web meetings on organisation-issued devices.
NIST provides a separate collection of telework security resources designed to assist remote workers, including a guide to enterprise telework and BYOD security, an infographic on securing conference calls, guidance on mobile security, and security configurations and checklists.
CISA tips on securing enterprise VPNs
The DHS Cybersecurity and Infrastructure Security Agency (CISA) also shared tips on how to secure enterprise virtual private networks (VPNs) in response to the increasing number of employees working from home during the current COVID-19 pandemic.
CISA advised organisations to keep their VPN software, network devices, and user devices up to date, to alert their employees to any phishing attacks, and to make sure that their security teams are up to speed when it comes to security incident detection and response.
Also, CISA recommended implementing MFA on VPN connections or requiring users to use strong passwords as a defence measure against attacks.
Enterprises were also encouraged to test their VPN infrastructure in advance to assess its capability to support an increased number of users.
As part of its teleworking guidance, the US Department of Homeland Security cybersecurity agency also suggested reviewing CISA documentation on how to secure network infrastructure devices, avoid social engineering and phishing attacks, and choose, protect and supplement passwords.
To assist the wave of new remote workers, software developers and service providers including Google, Microsoft, Adobe, Zoom and LogMeIn are also offering free licences or enhanced versions of their software and services during the coronavirus outbreak.
* Sergiu Gatlan is Security/Tech News Reporter for Bleeping Computer. He tweets at @serghei.
This article first appeared at www.bleepingcomputer.com/news.