Hackers are increasingly compromising videoconferencing equipment to gain access to conference rooms and boardrooms, virtually hijacking systems and becoming invisible eyes and ears, privy to confidential conversations, strategic documents, and secure client information.
The following are 12 best practices companies can follow to minimize the threat and ensure what happens in the boardroom stays in the boardroom.
- Enhance videoconferencing security by putting the system in a DMZ. Separating it from internal systems will help ensure that any compromise is limited to the videoconferencing system.
- Enable dynamic inspection of video traffic through the firewall (e.g., H.323). This leverages the firewall’s capability to monitor and inspect the traffic for potential anomalies or malicious behavior.
- Turn off the auto-answer feature on the videoconferencing system. Many videoconferencing products come with auto-answer enabled as the default, making the system automatically answer and turn on with any incoming call, a virtual welcome sign for any hacker.
- If possible, disable remote/offsite administration of the videoconferencing system, to prevent unauthorized users from attempting to log into the system from external sources.
- Enable and require administrator passwords for videoconferencing/IP phone systems. Be sure to change the default administrator passwords and keep the password information secure.
- If possible, use centralized authentication for administration of accounts. This will minimize the overhead associated with administering accounts locally on the videoconferencing device, and help ensure that accounts comply with the organization’s overall administrative requirements (e.g., account lockouts for invalid attempts, password expiration).
- Create user roles and lock down general user options to only what is needed. Take a close look at who needs access and permissions for which activities. Not everyone will need the same rights and settings.
- Utilize account lockout for excessive invalid logon attempts. A few slips in entering a password can be expected, but multiple repeated attempts to log on could indicate an attempt at fraud. Lock the account after a specified number of tries (e.g., three or five successive invalid attempts).
- Provide videoconferencing user and security awareness training. User naiveté about the capabilities of unsecured videoconferencing can pose tremendous risk. Make sure all employees are trained on secure use and practices.
- Keep videoconferencing systems updated and patched. Videoconferencing systems should be treated like any other networked computer devices or software. Check for, schedule, and run upgrades as needed and make sure you’re operating current versions.
- Enable audit logging and reporting. This will provide an audit trail and history of access attempts, both legitimate and otherwise, which is essential as part of a monitoring strategy to watch for unauthorized activity in the environment.
- Take it seriously. Document videoconferencing policies, standards, and procedures and adhere to them.
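The account lockout and audit logging items above work together: the audit trail is where runs of invalid logons and administration from external sources become visible. The Python below is an added example, not code from the original article or from any vendor; the log line format, account names, addresses, internal network range, and the `is_external` and `review_audit_log` functions are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample audit log; the line format is an assumption, not a vendor's.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z login user=admin src=10.20.0.15 result=FAIL
2024-05-01T09:00:09Z login user=admin src=10.20.0.15 result=OK
2024-05-01T22:14:02Z login user=roomadmin src=203.0.113.7 result=FAIL
2024-05-01T22:14:03Z login user=roomadmin src=203.0.113.7 result=FAIL
2024-05-01T22:14:05Z login user=roomadmin src=203.0.113.7 result=FAIL
2024-05-01T22:14:06Z login user=roomadmin src=203.0.113.7 result=OK
2024-05-02T08:30:00Z login user=support src=198.51.100.20 result=OK
"""

LINE_RE = re.compile(r"^(\S+) login user=(\S+) src=(\S+) result=(OK|FAIL)$")

def is_external(src, nets):
    """True when src is outside every internal network (or unparseable)."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return True  # malformed source address: treat as untrusted
    return not any(addr in net for net in nets)

def review_audit_log(text, max_failures=3, internal_nets=("10.0.0.0/8",)):
    """Return (timestamp, user, finding) tuples in log order."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    streak = defaultdict(int)  # successive invalid attempts per account
    locked = set()             # accounts locked until an administrator resets them
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a login record
        ts, user, src, result = m.groups()
        if user in locked:
            findings.append((ts, user, "attempt_while_locked"))
        elif result == "FAIL":
            streak[user] += 1
            if streak[user] >= max_failures:
                locked.add(user)
                findings.append((ts, user, "lockout"))
        else:
            streak[user] = 0  # a valid logon ends the run of failures
            if is_external(src, nets):
                findings.append((ts, user, "external_admin_login"))
    return findings
```

Calling `review_audit_log(SAMPLE_LOG)` reports the lockout on the third successive failure, the later attempt against the locked account, and the successful administrative logon from outside the internal range.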
If you have questions about your videoconferencing security or any aspect of security across your enterprise, contact your partners at GBprotect. As a leader in providing personalized, better security throughout systems, operations, and applications, GBprotect’s only priority is your peace of mind.