Due to the COVID-19 coronavirus mandatory requirement to practice social distancing by working remotely, there has been an increased need to leverage solutions offering video-conferencing capabilities.
Unfortunately, there has also been an increase in attacks against these platforms. Some of these attacks are focused on hijacking sessions and causing disruptions through the use of explicit content.
The N.C. Department of Information Technology has been working with vendors to provide secure and efficient solutions to meet state agencies’ telework needs. The state’s standards for teleconferencing are Cisco WebEx and Microsoft Teams.
An alternative solution that state agencies may use is Zoom for Government. This license is not the standard Zoom for Commercial but the Federal Risk and Authorization Management Program (FedRAMP)-approved version, which meets the state’s security requirements for voice, video and chat features.
NCDIT does not promote or approve of the use of Zoom commercial licenses (which include the free and paid versions) for organizational use. However, NCDIT understands that state agencies might need to interact with these platforms as a participant. In such cases, state employees should refrain from discussing sensitive matters or exchanging data related to personally identifiable information (PII), HIPAA, CJIS or other sensitive data types, as defined within the State Data Classification and Handling Policy.
NCDIT is also aware of numerous schools leveraging this technology to aid distance learning and understands the limitations and needs of those environments. These organizations are encouraged to refrain from sharing sensitive data related to FERPA and PII and to restrict conversations to public matters only. Lastly, leverage the best practices listed further on this page to protect against external abuse and unauthorized disclosure of sensitive data.
The Enterprise Security and Risk Management Office recommends exercising due diligence and caution in telework efforts. The best practices listed below will help mitigate teleconference hijacking threats when hosting a video conference.
- Auto-lock the personal room for secure meetings. This prevents attendees in the lobby from automatically joining the meeting. The host sees a notification when attendees are waiting and can authorize them to join.
- Set personal room notifications before a meeting to receive an email notification when attendees are waiting for a meeting to begin. The host can review the participant list and expel any unauthorized attendees.
- Schedule a meeting instead of using a personal room. Personal room weblinks never change, so anyone who has seen one can reuse it. Scheduling a meeting improves security because the meeting gets a one-time weblink.
- Set a password for every meeting by creating a high-complexity, non-trivial password (a strong password or passphrase). A strong password should include a mix of uppercase and lowercase letters, numbers and special characters. Passwords protect against unauthorized attendance because only users with access to the password are able to join the meeting.
- Do not reuse passwords for meetings. Scheduling meetings with the same passwords considerably weakens meeting protection.
- Use the entry or exit tone or the "announce name" feature to prevent someone from joining the audio portion of a meeting without the host's knowledge.
- Do not allow attendees or panelists to join before the host. The site administrator sets this by default for meetings.
- Assign an alternate host to start and control the meeting. This keeps meetings more secure by eliminating the possibility that the host role will be assigned to an unexpected or unauthorized attendee if the host inadvertently loses their connection to the meeting. One or more alternate hosts can be chosen when scheduling a meeting. An alternate host can start the meeting and act as the host.
- Lock the meeting once all attendees have joined. This will prevent additional attendees from joining. Hosts can lock/unlock the meeting at any time while the session is in progress.
- Expel attendees at any time during a meeting.
- Share an application (e.g., a Microsoft Office product or a web browser) instead of sharing your whole screen, to prevent accidental exposure of other sensitive information on your screen.
- Set passwords for recordings before sharing them to keep the recording secure. Password-protected recordings require recipients to have the password to view them.
- Delete recordings after they are no longer relevant.
- Create a host audio PIN. The PIN is the last level of protection preventing unauthorized access to your personal conferencing account. Should a person gain unauthorized access to the host access code for a personal conference meeting (PCN meeting), the conference cannot be started without the audio PIN. Protect the audio PIN, and do not share it.
- Do not click on links in emails when you don't know the sender, when the email has inconsistencies in grammar or spelling, or when it contains weblinks you're unfamiliar with.
If attending a non-Zoom for Government meeting hosted by an external party, encourage the host to use a more secure platform, or offer to host if necessary. If that is not a viable option, follow the steps below to help protect state data and infrastructure:
- Do not discuss or share sensitive data on Zoom or other video conferencing platforms. Share those types of data through other secure means.
- Be mindful of clickable links shared in videoconferencing platforms, as they might contain malicious payloads.
- Be mindful of spoofed emails with invitations to attend Zoom meetings that are not expected.
- Consider attending via dial-in only.
Although sharing public data is a low-risk issue, the potential impact on infrastructure through malware distribution and other cybersecurity threats remains a concern. The following practices help reduce that risk:
- Use WebEx or Microsoft Teams, if possible. Both are state standards for teleconferencing.
- Do not make meetings or classrooms public. In Zoom, there are two options to make a meeting private: require a meeting password or use the waiting-room feature and control the admittance of guests.
- Do not share a link to a teleconference or classroom on an unrestricted publicly available social media post. Provide the link directly to specific people.
- Add a passcode to the meeting, then share that passcode with guests. Once set, the passcode is required to enter the meeting.
- Manage screen-sharing options. In Zoom, change screen-sharing to host only.
- Ensure that users are running the current, updated version of remote access and meeting applications.
- Do not use Facebook to sign in. It might save time, but it is a poor security practice and dramatically increases the amount of personal data Zoom can access.
- Use two devices during Zoom calls. If you are attending a Zoom call on your computer, use your phone to check your email or chat with other call attendees.
- Don't use a personal meeting ID for meetings. A Zoom personal meeting ID is the same as a personal room meeting in WebEx.
- Consider turning on the waiting room for a meeting so that you can scan who wants to join before letting everyone in.
- If you don't want participants to join/interact before the host enters, uncheck "join before host." Set an alternate host if there is a need for a backup host.
- Disable "allow removed participants to rejoin" so participants you have removed from your session cannot re-enter.
- Disable "file transfer" unless you know this feature will be required.
- Disable "annotation" if it is not needed.