Tuesday, November 26, 2024
HomeChecklistConference Call Security Checklist - Best Practices in On-Call Security

Conference Call Security Checklist – Best Practices in On-Call Security

Published on

When you’re hosting a conference call there’s usually a handful of things you’re worried about, the integral part in the Conference Call Security for example:

  1. “Can you see my screen?”
  2. “I’m getting lots of echoes, can everyone be sure and mute.”
  3. The magic trick of casting your screen to the conference room TV while not losing the screen on your conference call.
  4. “I can’t see your screen, I dialed in today.”
  5. Or the dreaded, yet classic line to try and save face: “I swear these things work about 30% of the time.” After dropping the connection on your new client kickoff call…again.  

However, there is one aspect of conference calling that is often overlooked, and that is the security of the service provider. While you don’t often hear about it, conference calls can be easily compromised and be a huge detriment to your business and reputation. Imagine this scenario:

Your leadership team is having their weekly meeting. In this meeting, there’s probably a decent chance that confidential information is being shared about the company. Now, let’s say you have a disgruntled employee who is able to access that call, this is known as an internal leak.

- Advertisement - SIEM as a Service

Nowaday’s, it’s common for co-workers to be able to view each other’s calendars so you can find meeting times that work for everyone. However, you can also see existing meetings, and invite links, on those calendars as well. A careless overlook of the attendees on that conference call could allow that disgruntled employee to share any information shared in that leadership meeting.  

Another instance could be if someone outside your organization tried to gain access to a conference line, this is known as call snooping. The same thing could happen in which confidential information from that meeting could be leaked to the public.

I know you’re thinking these are unlikely scenarios, and it probably couldn’t happen to you; but, this exact scenario happened in 2012 when the group Anonymous, hacked into a conference call between the FBI and Scotland Yard. The result of this conference call breach was that details regarding various cyber-crime investigations were leaked to the public.

Hopefully, these examples have inspired you to take a second look at your conference call protocols and providers. There are several factors to consider when looking into the security of conference call services. Use the in-depth checklist below to ask your current provider, and possibly new providers should you find a need to switch.

Ability to Secure Access

Your conference calling service should provide you the ability to set up some general parameters for your call. These are not only helpful in managing meetings but are also great for monitoring security as well. Some secure access features to look for are:

  • Maximum or set number of participants
  • Sub-conference rooms
  • Inactive time tracking – track movement
  • Conference locks – locks call at the start of the meeting
  • Host controlled access – the host lets participants in one-by-one

Role and Privilege Setting

Most conference call providers have some type of contact list or directory within the platform where you can see who is all on your call. What’s important, is that you have the ability to manage these conference attendees. Some basic questions to ask your service provider are:

  • How do I access the contact list or directory within the call?
  • Can I remove an individual from the call?
  • Do I have the ability to mute individuals in the call?
  • Can I revoke screen sharing access from an individual in the call?

Access Codes & PINs

In most cases, as long as someone has the conference line number or URL it can be fairly easy for them to access your call. Asking your conference call provider about the following access options can add an extra layer of security to your calls:

  • Do I have the ability to set a personal identification number (PIN)? A PIN is set up for the host of the call. This ensures that only the host with the PIN can manage the conference call settings and designate access to the room.
  • Am I able to provide conference codes to attendees? These are unique sets of numbers that are given to assigned attendees. You can have all attendees use the same code, or generate individualized codes.

On-Call Conference Call Security

You should also be asking your conference call service provider about security measures that are in place for when the call is in motion. These features also add an extra layer of security to your call once you have all of the initial parameters in place.

  • Host dial-out: This gives the host the ability to manually add attendees to the call, and while it’s a little extra work, if security is a big concern for a particular call, this is the way to go. Rather than administer codes beforehand, as the host, you manually dial in all attendees.
  • Meeting roll-call: This feature has the attendee record their name which will be announced once they enter the call. This way, you know exactly who is in the room. This can also be used when attendees leave the call (i.e. “John Smith has left the call”…to probably watch basketball).
  • Muting: This feature is pretty obvious, but if you have an attendee who is sharing sensitive information unknowingly, or has a bunch of background noise you should be able to shut their microphone off.
  • Move to a different room: If some information is being shared on a call that one or more attendees should not be hearing, the host needs to be able to move an attendee to a sub-conference room without dropping them completely.
  • Manual disconnect: Let’s say John Smith is announced as entering the call, and he is definitely not supposed to be there, you should have the ability to remove him from the conference line.

Encrypted Recordings (Symmetric & Asymmetric)

The ability to record a conference call is very useful because not only can you reference them later, but they can be used to train new employees and catch-up absent attendees as well. However, it’s nice to know that your recordings are safe too.

You should ask your conference call provider about the Conference Call Security and how the recording is stored and managed. Ideally, they can be stored via Symmetric Encryption or Asymmetric Encryption. The difference is that either one code is sent only to you and the provider (symmetric), or a private and public code is generated to share with attendees (asymmetric).

Conclusion

Ultimately, if you’re paying for a subscription to a conference call service, you should be sure that it’s offerings are not only robust in features that make your calls seamless, but also secure.

Using the provided Conference Call Security checklist, you should determine what security features your current service provides, then make a decision whether or not you need to start vetting other services.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Dell Wyse Management Suite Vulnerabilities Let Attackers Exploit Affected Systems Remotely

Dell Technologies has released a security update for its Wyse Management Suite (WMS) to...

CISA Details Red Team Assessment Including TTPs & Network Defense

The Cybersecurity and Infrastructure Security Agency (CISA) recently detailed findings from a Red Team...

IBM Workload Scheduler Vulnerability Stores User Credentials in Plain Text

IBM has issued a security bulletin warning customers about a vulnerability in its Workload...

Multiple Flaws With Android & Google Pixel Devices Let Attackers Elevate Privileges

Several high-severity vulnerabilities have been identified in Android and Google Pixel devices, exposing millions...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Dell Wyse Management Suite Vulnerabilities Let Attackers Exploit Affected Systems Remotely

Dell Technologies has released a security update for its Wyse Management Suite (WMS) to...

CISA Details Red Team Assessment Including TTPs & Network Defense

The Cybersecurity and Infrastructure Security Agency (CISA) recently detailed findings from a Red Team...

IBM Workload Scheduler Vulnerability Stores User Credentials in Plain Text

IBM has issued a security bulletin warning customers about a vulnerability in its Workload...