Due to the COVID-19 coronavirus quarantine, millions of people worldwide have turned to video calling services to hold work meetings or feel closer to those they miss. However, after some security problems with these platforms were revealed, many users distrust them. It is therefore important to learn how to configure them. A team from the cybersecurity firm Kaspersky took on the task of evaluating the data protection mechanisms of the most popular video call platforms and shared some tips for using them.
1.- Google Meet and Google Duo
Among the advantages of Meet, the provider cites a reliable infrastructure for data processing, encryption (although not end-to-end) and a set of protection tools. Like most other business products, G Suite, including Google Meet, complies with advanced security standards and offers configuration options and access rights management among its privacy settings. The Google Duo mobile application, in turn, protects data with end-to-end encryption. However, it is a video conferencing application designed for private users, not for companies. Its conferences admit only up to 12 participants.
Possible vulnerabilities: “In addition to some messages that remind us that Google collects user data and may therefore be a threat to trade secrets, we were unable to find concrete information on the security performance of these video conferencing applications. That does not mean that Google’s services are perfect, but that they are backed by a very strong security team that usually solves problems,” says Kaspersky.
2.- Microsoft Teams
Teams integrates with Office 365, which is its main advantage for a corporate user. In response to increased demand for telecommuting tools, Microsoft now offers a six-month free Teams trial, but users of this trial cannot configure settings and policies, which exposes them to a possible security compromise.
Teams complies with a large number of international standards, can be configured to work with confidential medical data and boasts flexible options for security management. Under some service plans, additional tools, such as DLP or parsing of output files, can be integrated into Teams. The data sent to the server, whether from conversations or video calls, is encrypted, but not end-to-end. As for storage and processing, information never leaves the area where the company operates.
Possible vulnerabilities: It is worth monitoring vulnerabilities in Teams. Microsoft tends to patch vulnerabilities very quickly, but they still appear from time to time. For example, researchers recently discovered a vulnerability (already patched) that allowed an attacker to take control of an account.
3.- WebEx Meetings
Cisco WebEx Meetings is a video conferencing-focused service that includes business services and end-to-end encryption. The option is disabled by default but the provider enables it upon request. This somewhat limits the functionality of the tool, but if your employees handle confidential information in meetings, it is certainly an option that you should consider.
Possible vulnerabilities: In March alone, the provider patched two vulnerabilities that threatened remote code execution. Still, Cisco is famous for taking video call security very seriously and updating its services quickly.
4.- WhatsApp
It was developed as a tool for social and non-business communication, but this free application can meet the video conferencing needs of any team or small business. This program is not suitable for large companies, since video conferencing only admits four participants at a time. WhatsApp has an indisputable advantage: true end-to-end encryption. Therefore, neither third parties nor WhatsApp employees will be able to see your video calls. But, unlike business applications, WhatsApp offers hardly any security management options for your calls or conversations, only what is already built in by default.
Possible vulnerabilities: Last year, attackers distributed Pegasus spyware via WhatsApp video calls. This bug has been fixed, but it is important to remember that the application is not designed to provide protection at the business level, so, at a minimum, users should closely follow cybersecurity news.
5.- Zoom
Its flexible prices (with free 40-minute conferences with a total of up to 100 participants) and its ease of use have attracted many users, but the weak points of the platform have not left anyone indifferent. Still, Zoom complies with the international security standard SOC 2, offers a service plan for healthcare providers, and has flexible configuration parameters. Session organizers can block participants, even if they have the correct hyperlink and password, prohibit recording, etc. If necessary, Zoom can be configured so that no traffic leaves the company.
Possible vulnerabilities: Zoom claims to have implemented end-to-end encryption, but this claim is not entirely justified. With end-to-end encryption, only the sender and recipient can read the exchanged data, but Zoom decrypts the video data on its servers, and not always in your company’s home country. Vulnerabilities of different levels of severity have also been discovered.
A bug (already fixed) was reported in the Zoom clients for Windows and macOS that allowed attackers to steal account data from the computer. Two bugs in the macOS application allowed cybercriminals to take complete control of the device. In addition, there were many news reports of internet trolls joining open Zoom conferences that had no password to post comments and share their screens with obscene content. In general, you can solve this security problem by configuring the privacy of your conference correctly, but Zoom has also added password protection by default to keep you safe from prying eyes.
Which to choose?
Kaspersky concludes that there is no video conferencing application that is 100% secure, so it recommends choosing the service whose drawbacks do not pose a problem for your company. It also emphasizes the importance of configuring privacy correctly and quickly updating applications to patch vulnerabilities as soon as possible.
Lastly, it advises that employees have at least basic cybersecurity skills and practice safe behavior on the Internet. If not, it is better to organize training.