That means they need to consider how confidential their meeting is going in and take appropriate measures. I mean, 95 percent of conference calls are not confidential. In fact, there’s probably a good portion of those that should be an email. But the remaining 5 percent, those have varying degrees of confidentiality. From mildly sensitive all the way up to — at this point in the era of COVID — board-level meetings over conference calls and videoconferencing. If somebody is there listening, that can be catastrophic for a business.
More people are working from home than ever before. Employees have had to adjust to new workflows, collaboration tools and networking protocols. But of all the solutions getting extra attention, videoconferencing and audioconferencing have perhaps been relied on the most. Adjusting to the platforms has also opened up new opportunities for hackers, forcing businesses to confront new security realities. BizTech spoke with IBM X-Force Red Global Head Charles Henderson about why this technology requires a different cybersecurity approach and what businesses can do to ensure their information is protected.
BIZTECH: What are the security differences between in-person meetings and video meetings?
HENDERSON: It's really easy to see when somebody walks into your meeting room physically, sits down next to you and starts listening. But when you have a dial-in conference or a web meeting, it may be less obvious. We’ve all heard of conference call bingo, where one box is a count of who has joined the meeting, but it turns out there's actually a really good reason for that, because you want to know who’s on the call. But it’s almost an interruption to ask that question, so many people disable the join tones. Once that person is in there, invited or not, they're on equal footing with everyone else. They hear everything everyone else does. So, once somebody comes in, from a business point of view, they can be party to information that they really shouldn't have.
BIZTECH: From a technology perspective, what vulnerabilities are businesses leaving themselves open to?
HENDERSON: Well, if you think about it, the whole model has changed. We’ve had this rush to remote work. I think it’s 50 percent of the country that is now working remotely. These services had a huge surge in adoption, and not just businesses — everyone's having meetings on these services now. Kids’ schools, grandparents in the Midwest; everybody’s using these services, and as you have more users, you have a greater percentage of the rooms taken.
More users means more opportunity for attackers. If you think about dialing a phone number at random, if there are five people in the prefix that have phones, the odds of you getting a working phone number are 5 in 10,000. You bring that up to 500 people, your odds go up. That’s the same thing with these conference calls with the PIN numbers. The more saturated the subscription becomes, the easier it is to brute-force your way in.
Six months ago, I would get calls maybe a couple of times a month, and it would be a Fortune 500 or a Fortune 1000 company saying, “Hey, we’ve got these mics and video cameras in our boardroom. We’re worried somebody might hack them and listen in.” In that scenario, you’re thinking about a James Bond-like villain with elite hacker tools getting into the corporate boardroom and eavesdropping. Now I’m getting two, three calls a week from businesses saying, “Hey, I’m worried that somebody’s going to join a conference call and just sit there and listen.”
That’s a dynamic shift, where the barrier to entry for the attacker has gone way down. The elite hacker skills that we all know and love aren’t really the minimum bar anymore. You simply need a touch-tone phone. That’s the evolution of the attack.
It’s akin to “war dialing” in many ways, when people used to look for modems across a wide spectrum of phone numbers in a phone number bank. Instead of war dialing for modems, like back in the ’80s and ’90s, now you’re seeing war dialing for conference bridges. That can be a web tool that scours all the possible conference rooms, or actually some sort of auto dialer that goes through all the PINs possible for various conference systems.
BIZTECH: Are these hackers just looking to disrupt? Or do they just want to know things about random meetings?
HENDERSON: A lot of people have a lot of free time on their hands suddenly. I wish there was a better explanation than that. But keep in mind that for somebody that’s looking for just easy information, that’s an easy way to get it. I was talking to a chief information security officer just a few days ago. He said, “I really don’t care what the motivation is. I care that suddenly my users of these conference bridges in my organization have a false sense of security.”
They think they are in a closed room. They think they’re on a private call and they don’t really know that they aren’t. In fact, if you talk to these people and say, “Hey, do you know everyone that was on there?” a reader of this story, looking back on their calls, probably wouldn’t have a good enough recollection to say yes.
BIZTECH: Businesses want to make sure that their information is safe from a cyber standpoint, but there are also privacy concerns here. How are businesses handling that?
HENDERSON: Privacy and security are absolutely intertwined here. They’re certainly not mutually exclusive. Insecurity undermines privacy in this case. When you ask CISOs what keeps them up at night, it isn’t, “I’m worried that somebody’s illicitly using my conference call bridge at 2 o’clock in the morning for nefarious activities.” What they’re worried about is the 1 p.m. phone call they’re having not being confidential. So, it’s a privacy breach that scares them. Whether it’s somebody forcing their way into a conference call or some vulnerability in the system, it undermines the privacy of these platforms.
There’s this certain intersection of privacy, security and convenience. These companies want to ensure that their conference calls are secure, but they also want to make sure that their platforms are easy to use. If you think about it, if you make the most secure conference calling system in the world but it's cumbersome for your sales force to use and it impacts how easily they’re able to close deals in a time where you can’t do onsite meetings very easily, you’re not going to have very good adoption.
In fact, your users are going to pivot to their own solutions to get around it, and it’s going to be far less secure. So, convenience is right there with security in this sense. To that point, privacy is paramount to these security concerns. If you list the top 10 security concerns on these platforms, every one is going to be related to privacy.

Finally, privacy isn’t really a problem for users until it is. To clarify that, you don’t notice privacy being a problem until your privacy is violated. In other words, before somebody joins your call, because the security protections in place are insufficient, you don’t realize you have a privacy gap as an average user. Privacy is one of those intangible things, but a lack of privacy is very tangible.
BIZTECH: What are some cultural best practices that can make meetings secure, and what can IT departments do on the tech side?
HENDERSON: First of all, your policies are only as good as they are able to be used. Don’t lock down every call under the sun and make your conference calls unusable. Take a risk-based approach. Not all meetings are equal. Have your meeting organizers think about the content that will be shared in the meeting. A good litmus test is: would you feel comfortable talking about this in a coffee shop? If you would, would you whisper it? Or would you speak loudly and comfortably about it? If the answer is either, “I wouldn’t talk about it at all in a coffee shop,” or, “I’d whisper,” start thinking about things like using a unique meeting ID for each meeting.
For confidential meetings, you can go into the web portal, say I want to host a meeting and create a meeting identifier. You can also think about adding a password to your meeting. That makes it a lot more difficult for random people to pop in. If you’re dealing with something really confidential, though, you may want to change the password to a specific meeting. Another thing that’s really easy to do, even on meetings that aren’t ultraconfidential, is actually do a roll call as the organizer and make sure you actually know everyone that’s dialed in. And finally, revise settings in your conference call bridge to implement these factors.
There are also things like waiting rooms, which have become a default for all meetings on most platforms. In these waiting rooms, a conference organizer basically gets a notification that somebody is in the waiting room. It gives their name and they’re given the option of bringing them in or not. So, if you have everybody you’re expecting in the meeting, you don’t let the person in. If it’s somebody you know, you let them in. It gives you a gateway so that somebody just doesn’t automatically come in.
Finally, you want to make sure that you are preparing your users for a conference call being breached. What happens when somebody joins a call who isn’t supposed to be there? You want them to know what to do in advance, because during a breached conference call is not the time to figure that out.
First and foremost, they should end the call immediately. But if they can’t, they need to mute everyone and make sure that everyone on the call is aware of the situation. If they’re able to end the call, they should then circle back with everyone to make sure everyone knows that somebody came on the call who wasn’t supposed to be there. It’s important that everyone have that information so they know that the information they were talking about may have been compromised.
BIZTECH: As all of this has unfolded, have you had any businesses coming to you with new issues that have arisen since shifting to a remote work model?
HENDERSON: We had a couple of companies come to us because somebody popped into a meeting and shared inappropriate content. We have had many more that have come to us because of news reports, and there’s been a sudden lightbulb that’s gone on saying, “Hey, wait a second, this isn’t a great way to discuss our confidential data.” So, what we’re doing is a lot of threat modeling with these companies. If I was an attacker, how would I approach this? That enables these companies to better situate their policies to defend against these types of attacks.
Like many things in security, you read a lot of the press about these systems being compromised and whatnot. Right now, the conference calling systems are the best thing going. I certainly am not advocating for the elimination of conference calls, but I think we can do it in a much more secure, measured way where we start to look at the settings and configuration to make sure that we’re taking appropriate steps to keep the information discussed in them private.