Date: 03 April 2020
Amended: 14 April 2020 to expand the PRODUCT GUIDANCE section
As organizations adapt to health policy measures associated with the COVID-19 pandemic, many are increasingly using video-teleconferencing (VTC) software products to facilitate business continuity. Care should be taken in the implementation and use of these to ensure that expected levels of integrity and confidentiality are maintained.
A significant increase in adoption of VTC software solutions as a method of business continuity during the current isolation requirements mandated to slow the COVID-19 pandemic has highlighted inherent vulnerabilities in this type of software. Recent media reports have noted vulnerabilities related to third-party infiltration or hijacking of VTC sessions. This is being done in order to disrupt business or attempt to compromise computer systems through social engineering. The Cyber Centre is aware of incidents in which Canadian organizations have had VTCs infiltrated and disrupted.
Incidents include unexpected infiltration and disruption (so-called Zoom-bombing) of VTCs. Such infiltration is possible when meetings are configured without password protection or a “waiting room” mechanism by which participants would be positively identified and granted entry. This situation can be exacerbated by publishing links to VTCs in open forums. Individuals determined to disrupt meetings have also been using applications designed specifically to locate and attempt to join unrestricted VTCs. Beyond the obvious risk to confidentiality, infiltrations of this sort can result in reputational damage, loss of credibility, disrupted business and the need to re-establish secure communications.
The use of link and file sharing in VTC applications present a set of risks similar to those present when opening links or files from emails. If a conference has been infiltrated by a malicious actor, they may be able to convince meeting participants to click on a malicious link or open an infected document file that they provide. In the case of Zoom versions prior to 1 April 2020, under certain circumstances it was possible for a user to expose Windows password information (specifically the NTLM password hash) when clicking on a UNC link in the form \\<computer>\<share>. This vulnerability has been patched in the latest version of Zoom.
The Cyber Centre advises that organizations using (or planning to use) VTCs take the time to understand their associated risks and limitations, which usually can be managed by following general best practices and provider-specific guidance.
MITIGATIONS AND GUIDANCE
Treat remote work like you would treat the office in terms of security, and VTCs like you would treat an office meeting. The following practices are recommended:
- Use existing corporate solutions whenever possible.
- Choose a platform with appropriate security features. Factors to consider include the level of encryption, the ability to require passwords or other methods of authentication in order to join a VTC, etc.
- Set rules and expectations concerning the types of discussions that may take place on a given platform. (As an example, for Government of Canada users, classified material should never be shared on an unclassified network.)
- Use the right tool for the job. Don't be afraid to send sensitive documents via courier or secure email rather than sending them over a VTC shared files channel.
- Ensure that VTC organizers are aware of the security features available in the VTC software package and that they are used appropriately. For example: Keep meetings private by requiring a password for entry. If for some reason that is not feasible, control guest access from a waiting room, just like how we let visitors into our buildings: by having them registered and escorted.
- Ensure all parties using the VTC software are aware of and comfortable with any data sharing done by the software owner in order to realize a profit (i.e. Selling data analytics for marketing purposes.)
- Choose a solution that allows you to control how your data is handled. Some platforms may route data outside Canada or store shared data on servers they control.
- Do not post links or teleconference IDs in unmanaged or public forums.
- Consider using a solution that does not require participants to install a client unless necessary. Web versions of a VTC obviate the need to update client software.
- Patch all software to latest version. Always.
While the above practices are applicable to VTC products and services generally, Cyber Centre advice and guidance should always be evaluated and applied to an organization’s unique cyber security context. The Cyber Centre does not make recommendations for or against specific products or services. For convenience, we have included below a non-exhaustive sampling of provider-supplied guidance for several well-known VTC products. Other VTC products may provide similar guidance.
Set up Meet to enable remote working for your organization:
Basic security tips for Slack workspace administrators: https://slack.com/intl/en-ca/help/articles/115004155306-Security-tips-to-protect-your-workspace
Best practices on security for users building internal Slack apps: https://api.slack.com/authentication/best-practices
Describes Teams’ security features and how its security architecture holds up against different types of cyber-attacks:
Provides an overview of security best practices to employ before, during and at the conclusion of a Webex meeting:
Some ways to manage attendee access for a Zoom meeting: https://blog.zoom.us/wordpress/2020/03/20/keep-uninvited-guests-out-of-your-zoom-event/
Further information on how to use the waiting room feature in Zoom (this is beneficial for those hosting interviews): https://blog.zoom.us/wordpress/2020/02/14/secure-your-meetings-zoom-waiting-rooms/
Additional information on securing your Zoom meeting, including password protection:
The Cyber Centre recommends updating Zoom to the latest version before using Zoom. The current version patches multiple known vulnerabilities, including two local privilege escalation vulnerabilities in OSX version of Zoom software, one of which could give the user root access to the local computer.
NOTE TO READERS
The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada's national authority on cyber security and we lead the government's response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.
The Cyber Centre can be contacted at:
Toll Free: 1-833-CYBER-88 (1-833-292-3788)