Work From Anywhere (WFA) Update: Securing Videoconferencing
In early April, we here at Lares led a webinar, "What Credit Unions Need to Know About Online Meeting Security," in response to the rapid adoption of videoconferencing in the early stages of the COVID-19 pandemic. Organizations encountered security challenges (e.g. bombing) that rattled confidence in these solutions among business leaders tasked with moving staff en masse and in haste to videoconferencing mode. Work from Home (now, WFA) risks that presented themselves at the outset of the pandemic still demand continuous strategic vigilance. We have been tracking recommendations and posting our own (see list below). The Center for Internet Security (CIS) has released two new resources worth checking out: the CIS Benchmark for Zoom and a CIS Videoconferencing Security Guide.
What’s in the Guidance?
The CIS Benchmark for Zoom details security configuration recommendations for Zoom, while the CIS Videoconferencing Security Guide (VSC) is vendor-agnostic guidance for securing videoconferencing. As such, the CIS VSC reflects a common set of security best practices applicable to a wide range of videoconferencing solutions.
Common Videoconferencing Security
What I appreciate about the CIS Guides is how consistently they map recommendations to the CIS 20 Controls. In this benchmark guide, there are seven VSC recommendations:
- Know the Network
- Know the Software
- Update Systems
- Change Default Passwords
- Use of Anti-Malware
- Videoconferencing Specifics
The CIS VSC team gives a sub-control from Implementation Group 1 for each recommendation and a corresponding task to execute. The following table illustrates the specific VSC guidance mapped to a control group.
These recommendations and sub-controls help companies define and coordinate shared security responsibilities for videoconferencing. Companies are encouraged to determine and delineate telework responsibilities from corporate ones to mitigate issues like meeting bombing and stolen meeting links.
A CIS VSC Feature Summary
We mentioned at the outset that the CIS VSC is a vendor-neutral guide for videoconferencing security. The following figure shows how a few of the common platforms compare.
The commonality and number of security features indicate that videoconferencing providers are treating security as a priority. This development bodes well for leaders who are attempting to capture the upside of the WFH/A swell. A frictionless transition to all- or majority-remote models is the current wave of digital transformation. More secure videoconferencing helps to ease concerns about embracing this change. The CIS VSC, in particular, is a helpful guide for leaders along the way.
In Summary
The Lares Research and vCISO teams continue to track issues concerning the forcibly converged network. In so doing, we can better advise our clients on ways to manage their risk as the pandemic persists. Guides like the CIS VSC are helpful to benchmark the security of videoconferencing in organizations. Business and risk leaders should consider the CIS VSC to measure videoconferencing risk in their overall risk management programs.
Don’t forget to read our WFA resources listed below and be on the lookout for more Lares telework recommendations.
List of Lares Work from Home (WFH) and Telework Resources:
Mark Arnold has a 15+ year cybersecurity career, serving 8 of those years in leadership roles. As a transformational leader, Mark has built security teams and programs, authored maturity model blueprints to optimize risk management processes, and implemented security domain practices at large enterprises and service providers. Mark's areas of interest include cloud security, threat intelligence, vulnerability research, and nation-state attack methods and related activities (e.g. information operations and disinformation campaigns) and their collective impact on nations and society. Mark recently completed an executive education cohort on the intersection of cybersecurity and technology at Harvard's Kennedy School.