While the world was locked down in an effort to stop the rapid spread of COVID-19, video conferencing platforms provided a much-needed means for the business world to keep functioning. Zoom, among others, was already a popular method for virtual communication; however, the global pandemic dramatically increased usage, which in turn exposed a number of privacy and security flaws.
By now we are all familiar with the much-publicized COVID-era phenomenon of “Zoom-bombing,” where an unwanted intruder joins a video call to share inappropriate or offensive content. That is just the tip of the vulnerability iceberg. The inherent security flaws of these platforms not only give hackers access to meetings in progress, but once a network is breached, these bad actors can easily compromise sensitive and confidential information, previous meeting recordings, as well as a computer’s webcam. These types of incidents have the potential to bring down an entire organization or worse, pose a significant threat to national security.
As the virtual collaboration market continues to mature and evolve, there are plenty of reasons why key business sectors like healthcare, law, and finance, and especially the public sector need to be vigilant about protecting communications and sensitive IP.
The government’s call to arms
Almost every week, we hear President Joe Biden talk about the insufficient mandates and voluntary actions in place to protect America’s critical infrastructure from cyber attacks, and he’s not wrong. The whole situation is a mess, and it stems from a lack of standard protocols, as cybersecurity measures vary from organization to organization. We have reached a point where there are so many holes in the current system that it has been easy for competing nations like Russia and China, as well as ransomware outfits like REvil, to significantly disrupt business operations, as we saw with Colonial Pipeline, Kaseya, and JBS.
The question is, how do we get better?
The President recently hosted business leaders from key private sector industries, including CEOs from Silicon Valley, the water and energy sectors, the banking and insurance industries, and academia, where he described cybersecurity as a “core national security challenge.” According to CNN, “The hours-long cybersecurity summit marked the Biden administration’s most visible engagement yet with private sector leaders amid a wave of ransomware and other cyberattacks that have ratcheted up tensions with US adversaries and prompted the President to issue an executive order in May shoring up federal IT security.”
With this recent “call to arms,” the President is just the latest government official to weigh in on potential cybersecurity vulnerabilities; officials are increasingly concerned with the dangers of remote collaboration tools. Senator Ron Wyden (D-Ore.) openly questioned the safety of federal agencies using Zoom, and New York’s attorney general, Letitia James, sent a letter to Zoom asking what, if any, new security measures the company has put in place to handle increased traffic on its network and to detect hackers. While her letter referred to Zoom as “an essential and valuable communications platform,” it outlined several concerns, noting that the company had been slow to address security flaws such as vulnerabilities “that could enable malicious third parties to, among other things, gain surreptitious access to consumer webcams,” according to The New York Times.
Many video conferencing users and their organizations, both in the public and private sector, are generally unaware of the privacy and security risks that are present, most of which center around authentication. While video conferencing tools let people seamlessly meet with doctors, lawyers, financial advisors, colleagues, or family members with the click of a button, they are also an easy point of entry for data breaches. Today, even unsophisticated cybercriminals have the ability to access a computer’s camera, microphone, speakers, as well as private information stored on a hard drive or private network.
It all comes down to authentication
In May, the Biden administration announced a new Executive Order on Improving the Nation’s Cybersecurity, which focuses on adopting a zero-trust model. The guiding principle behind zero trust is “never trust, always verify.” It assumes that risk is always present, and focuses on managing access and authenticating users. This is certainly a step in the right direction, as many of the high-profile attacks we have seen over the last year have centered around compromised passwords and login credentials.
Over the last year or so, we have seen hackers become much more sophisticated with their attacks, which has further emphasized the need to be fully aware of potential “chinks in the armor.” Hackers are making millions stealing and selling data, creating a necessity for users to have multi-tiered privacy protection that safeguards them against current and unforeseen security dangers.
Most security issues center on access control, where the goal is to minimize the risk of unauthorized access to systems (logical and, in some cases, physical). The most effective way to protect user integrity at this level is through multi-factor Out-of-Band authentication (MFA), which utilizes two separate channels for authentication. In-band authentication uses only one channel and can be easily thwarted by a MITM (man-in-the-middle) attack.
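The two-channel check described above, as an added example that is not part of the original article: the server opens a one-time challenge on the primary channel and accepts the login only if the enrolled phone returns a keyed approval over a second channel. The class names, the origin labels and the shared key set up at enrollment are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def approval_mac(key, nonce, user, origin):
    # MAC over the full login context, using the key enrolled on the phone
    msg = "|".join((nonce, user, origin)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Server:
    def __init__(self, device_key):
        self.device_key = device_key
        self.pending = {}  # nonce -> (user, origin) awaiting approval
    def start_login(self, user, origin):
        # Primary channel: password already checked; open a one-time challenge
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (user, origin)
        return nonce
    def push(self, nonce):
        # Second channel: login context sent straight to the enrolled phone
        user, origin = self.pending[nonce]
        return {"nonce": nonce, "user": user, "origin": origin}
    def finish_login(self, nonce, approval):
        entry = self.pending.pop(nonce, None)  # single use: a replay finds nothing
        if entry is None or approval is None:
            return False
        expected = approval_mac(self.device_key, nonce, *entry)
        return hmac.compare_digest(expected, approval)

class Phone:
    def __init__(self, device_key, recognised):
        self.device_key, self.recognised = device_key, recognised
    def review(self, push):
        # Stands in for the user reading the prompt; unfamiliar origins are declined
        if push["origin"] not in self.recognised:
            return None
        return approval_mac(self.device_key, push["nonce"], push["user"], push["origin"])

def demo():
    key = secrets.token_bytes(32)  # constructed: shared at device enrollment
    server, phone = Server(key), Phone(key, {"office-laptop"})
    n1 = server.start_login("alice", "office-laptop")
    approval = phone.review(server.push(n1))
    legit = server.finish_login(n1, approval)
    replay = server.finish_login(n1, approval)  # same approval presented again
    n2 = server.start_login("alice", "unrecognised-host")  # password used elsewhere
    relayed = server.finish_login(n2, phone.review(server.push(n2)))
    n3 = server.start_login("alice", "unrecognised-host")
    forged = server.finish_login(n3, approval_mac(b"guess", n3, "alice", "unrecognised-host"))
    return legit, replay, relayed, forged
```

Only the first attempt succeeds: the approval never travels over the primary channel, it is bound to one challenge and one origin, and it cannot be computed without the enrolled key.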
Organizations both large and small should implement strong multi-factor security strategies, which can include the latest types of biometric authentication solutions such as fingerprint, facial recognition, and retina scans to ensure users are who they say they are.
With hybrid working seemingly here to stay, it’s only a matter of time before our country’s adversaries and malicious hackers do serious damage by exploiting the inherent vulnerabilities present in virtual collaboration services. While the world waits for popular platforms like Zoom to beef up their user authentication protocols, it’s the responsibility of every organization, from government agencies to Fortune 500 companies and SMBs, to require multi-factor Out-of-Band authentication wherever possible to create more certainty that usernames and passwords represent their legitimate owners. The Biden administration seems to be on the right track implementing a zero-trust approach; however, it remains to be seen if it will effectively shut the door for good.