Wednesday, October 20, 2010

Internet Teleconferencing: A Security Concern?

A colleague asked me whether he should be concerned about the security of teleconferencing websites, like Webex and GoToMeeting. [We regularly use both Webex and GoToMeeting.]

My colleague is right to be concerned as there are several “vulnerability points” in Internet teleconferencing, particularly when video, voice and (potentially sensitive) data is being passed around the internet. [As a sidebar: I designed the security test plan in the mid-1980s on a White House project to provide highly secure emergency teleconferencing between the White House, several cabinet secretaries, and various DoD components.]

First, the good news: I asked my friend and technology expert, Jason Lidow, President of The DigiTrust Group, if they were seeing attacks coming through teleconferencing sites and he said no. Jason’s got a very sensitive pulse on cyber attacks so if he says he’s not seeing them, there’s a pretty good bet that they aren’t there in any meaningful amount. Far better to spend scarce cyber security dollars managing the stuff that’s here and now.

That said, there are a few basics that everyone should always pay attention to given the fact that all of the information being communicated is being sent out over the Internet. The Internet is like the roads in the early west; robbers might be found behind any rock. That’s why the basic foundational principle of cyber security is “Assume nothing is secure if you aren’t actively managing it or assessing it. And even then, be cautious.”

So, starting from the perspective of never taking security for granted, here are a few of the things I would pay attention to when considering a teleconferencing provider:

1. Is all teleconferencing encrypted in transmission? Does the URL begin with https://? This is what keeps communications private during the time the bits are traveling around the Internet. Encryption protects the communication from the cyber equivalent of wire tapping. If the answer to this question is “No,” then find another solution. If all you’re doing is videoconferencing, with no PowerPoints or QuickBooks reports or other data being transmitted, then a “Yes” answer here is most likely good enough [unless you need to talk securely to the Fed].

2. What communications (data, video, voice) are being passed through the provider’s server? (The less the better.) Are communications being stored on teleconference servers? A “No” answer is better than a “Yes” answer. All other things being equal, I’d select the company that is able to meet your teleconferencing needs without getting its servers involved over the company whose servers process and, perhaps, store your sensitive information. I’d pay attention to this but I wouldn’t sweat it.

3. The third thing I’d pay attention to is more dangerous, more subtle, and more strategic, which also makes it more important. This, I sweat over. Here’s the situation: in order for you to show a PowerPoint from your computer to a person or persons at other computers (whether in the building next door or halfway around the world), a software program on your computer must take your PowerPoint, send it out of your computer over the Internet, and direct that PowerPoint to the other participants in the teleconference.

For a few technical reasons, it’s not prudent to assume that the software program doing all this teleconferencing work is behaving properly; it’s far more prudent to assume that the software is capable of behaving maliciously, stealing your information or even taking over your PC.

This risk is a generic one affecting every program on your computer. [Sidebar: Every modern complex computer program has software vulnerabilities. This fact is a consequence of (i) the mathematical complexity of computer programming and (ii) the economics of software engineering.] Cybercriminals exploit these vulnerabilities to attack computers on which the program is running. Standard anti-virus and anti-malware solutions manage a piece of the problem. So does patching, keeping software up-to-date with updates that fix known vulnerabilities. An emerging class of solutions in this space—replacing increasingly ineffective anti-virus and anti-spyware software—is called “host intrusion prevention systems.” These systems are capable of actually recognizing a cyber attack and blocking it, something anti-virus and anti-spyware solutions can’t do. Several of our clients have installed professionally-managed host intrusion prevention systems as these have become increasingly affordable to small and medium-sized businesses.

The second piece of managing this risk is to prefer—again all other things being equal—software from well known reputable companies with a history of taking security seriously and a positive leadership position in the industry.

That’s why we use Cisco’s Webex for our teleconferencing. It is a little more expensive, but I feel I know what I’m getting, I know the seriousness with which Cisco takes security and the security talent they possess, and I’m confident that they’ll be there should something go wrong. I’ve never heard of tukbox, the program my colleague asked about, so I can render no opinion.

One more thing to wrap up this perhaps overly-long post. It’s important not to neglect the “human side” of security. Everybody needs to think about what they say or put on a PowerPoint, even what’s visible to the camera over someone’s shoulder. Ask yourselves questions like “What can we do to minimize the amount of sensitive data being sent over the Internet?” One strategy, for example, would be for voice communications to take place over regular land lines or a totally separate secure digital line. With this strategy, participants all agree that the ‘really sensitive information’ is to be talked about but not shown on shared PowerPoints, etc.

This is the most important strategic recommendation: that everyone keep thinking about cyber security.