Most of you have seen news stories regarding problems faced by users of web conferencing. These included so-called Zoom-Bombing interruptions of meetings, where hackers shout profanities or otherwise disrupt meetings. As bad as that is, other security concerns exist for users of web conferencing, including exploits that allow viewing your camera feed or taking control of your computer.
To combat these threats, units and groups are advised to follow a few simple guidelines when using any web conferencing service:
1. Do not post links to meetings anywhere. 2. Do not discuss, share, or post sensitive or personally identifiable information online. 3. Do not record meetings unless necessary. 4. Be careful of background audio and visuals. 5. Check microphone and camera before meetings. 6. Use a waiting room and selectively allow people entry into meetings. 7. Consider locking the meeting room once everyone has arrived. 8. Use secure means to share sensitive info.
Meeting links should be considered security information, and sent only to members who need to attend your meeting. Inform your members that this information is to be treated as for official use only. Meeting links generally persist for some time, typically through use of virtual meeting rooms. This provides more time for a potential attacker to learn your meeting address, and infiltrate your meetings or systems.
It's easy to feel relaxed in an online conference, especially one with your CAP friends. Since problems have been identified with web conferencing, we must all be careful with what we discuss. Remember that each personal detail you share in an electronic forum could be assembled with others to create a more complete profile of you. Criminals use this type of information to commit identity theft, or perform social engineering against others to elicit their information.
One reported exploit allowed an attacker to access recorded meetings, stored on the web conferencing service's servers. Some of these recordings were apparently made because a program had a default setting to automatically record every meeting. If your web conferencing service offers a recording capability, turn it OFF unless you specifically need to record a meeting. Remember to turn it off again once the meeting is complete.
If you or someone else within earshot of your microphone say something, perhaps even placing an order via phone and paying with a credit card, it could be exploited for misuse. A webcam that happens to have a view of sensitive information could also allow confidential or protected information to be exposed. You would be very surprised at some of the gaffes made by people using web conferencing in the last few weeks, all because they didn't know a microphone or camera was in operation. Many of these have been made public, much to the dismay of those involved.
Keep your microphone muted until you need to speak. Verify what your camera can see before entering the meeting, and adjust it as necessary. These steps will help avoid the problems discussed above.
This will prevent Zoom-Bombing, as you will need to individually let each attendee into the room at the start of the meeting. Tedious, but a good way to ensure only members gain entry into your meeting.
This can become annoying if you have attendees with spotty Internet connections who keep getting disconnected. If, however, no one has difficulty staying online, lock the door for an additional measure of security.
Never click links in emails, even if they look official. There have been many examples recently of criminals sending carefully crafted web conferencing links that look like they go to the real service. Always check, and don't hesitate to type the web address yourself. If you always meet in the same virtual room, with the same link, ensure that you are in the correct meeting room and bookmark the site for future use. That way, you won't be tempted to click a link in a reminder email.
Never send sensitive information via email, unless you have taken the separate steps to encrypt the email so it may only be read by the intended recipient. Just because your email provider web site has a padlock next to the address doesn't mean your message is protected after it is sent.
Only share sensitive, confidential, or personally identifiable information through secure channels, and only when you initiate the conversation. Never call numbers you don't recognize, including those for banks. Call the customer service number on the back of your debit or credit card, since you know those numbers are legitimate. And remember that no legitimate company ever requests user IDs, passwords, or any personal information via email.
In summary.
