
Who’s Zoomin’ Who?


Video conferencing has never been more popular, so let’s have a look at the options and examine some of the security implications.

Possibly you, like me, may have been a bit disappointed to see that, when it comes to video conferencing with his taskforce, our Prime Minister simply used Zoom like many of the rest of us. Perhaps I have watched too many James Bond films, but I always assumed that upon entry into the Cabinet Office, MPs & the PM would immediately have some bespoke, super-secure communication applications and infrastructure installed by GCHQ or the like.

I’m not looking for this post to be a forensic in-depth look at the security mechanics behind each different VC solution, more of an overview and the basic steps we should all take to be secure both at work and home.

With Zoom specifically, one of the more common accusations thrown at it is that it’s not end-to-end encrypted as advertised – instead, it uses TLS, which (now more often than SSL) provides the security backbone for HTTPS website connections. So whilst this is good, it’s not perfect and it is not true end-to-end encryption. To be reasonable though, for most of us having mundane business or family conversations, the possibility that our transmission could be intercepted in transit is not the biggest threat.

In my opinion, the biggest threat with all of these applications is the bog-standard tried and tested phishing email. The chances are a lot of us are expecting a VC invite to pop into our inbox at any given time in these crisis days.

In many cases we are already working outside of the usual security of our normal working environment – as discussed in a previous post: Working from Home: Don’t forget Information Security – and are already potentially more susceptible to the lure of a well-crafted phishing email. So when an email invite for a VC meet comes into your email, apparently from someone you know – there is a strong likelihood you could click on the link without first verifying its authenticity. And we already know the possible outcomes of clicking on malicious email links.

What can we do to protect against false video-conferencing email invitations?

In addition to employing all the usual email security best practices (checking emails for disguised links, correct credentials and so on), including the new ones for working outside the office, it’s a good idea for companies to introduce a new process whereby VC meets are pre-arranged, pre-agreed and initially sent using your calendar capabilities (i.e. Outlook) if possible or, if practical, confirmed via a voice call. Similarly, for domestic use, users should do the same, perhaps using messaging services from a trusted source.

What are the VC app options?

For most businesses, the two obvious options, bearing in mind that you are likely already using their office suite, are:

  • Microsoft Teams
  • Google Hangouts Meet

Otherwise, there are a few good choices apart from Zoom, including GoToMeeting and WebEx. For a more comprehensive list, Techradar has a good one.

As usual with any online activity, you need to run an information threat & risk assessment before deciding on your final choice. Here you need to balance such aspects as functionality, cost and availability against the nature of the information you will be transmitting and the security implications linked to it.

Improve your VC experience

One final word. As well as taking in the security implications there are other steps you can take to make the VC experience as smooth and rewarding as possible:

  1. Prepare for the meeting
     • Don’t wait until the last minute to log on only to find that you need to install an app or that your mic, camera and speakers aren’t configured properly
  2. Observe good VC etiquette
     • As part of your preparation locate the mute button and see how to toggle the camera on and off. Let others finish speaking before you jump in – meetings quickly fall apart if everyone is trying to talk at the same time
  3. Do it somewhere quiet & private
     • For obvious security reasons but also you want to minimise external noise and interruptions as much as possible. Hearing a TV programme in the background or having a member of your household walk in the view of your camera wearing a towel, isn’t always appreciated!
  4. Usual good meeting rules still apply
     • Where practical have a time allowance and agenda set-up in advance. Having someone chairing the meeting will also help with observing good VC etiquette.

Oh yes, if you’re wondering where the ‘Who’s Zoomin’ Who’ reference comes from, it’s a rather good (if slightly dated) soul song from 1985 performed by the wonderful Aretha Franklin. It’s absolutely nothing to do with video conferencing, coming from a time when cloud-based video conferencing and, indeed, COVID-19 were non-existent!


Risk Crew