Monday, July 15, 2024

Conference Call Security Checklist – Best Practices in On-Call Security

When you’re hosting a conference call, there are usually a handful of things you’re worried about, for example:

  1. “Can you see my screen?”
  2. “I’m getting lots of echoes, can everyone be sure and mute.”
  3. The magic trick of casting your screen to the conference room TV while not losing the screen on your conference call.
  4. “I can’t see your screen, I dialed in today.”
  5. Or the dreaded, yet classic line to try and save face: “I swear these things work about 30% of the time.” After dropping the connection on your new client kickoff call…again.  

However, there is one aspect of conference calling that is often overlooked, and that is the security of the service provider. While you don’t often hear about it, conference calls can be easily compromised and be a huge detriment to your business and reputation. Imagine this scenario:

Your leadership team is having their weekly meeting. In this meeting, there’s probably a decent chance that confidential information is being shared about the company. Now, let’s say you have a disgruntled employee who is able to access that call. This is known as an internal leak.

Nowadays, it’s common for co-workers to be able to view each other’s calendars so you can find meeting times that work for everyone. However, you can also see existing meetings, and invite links, on those calendars. Carelessly overlooking who is attending that conference call could allow that disgruntled employee to pass on anything shared in that leadership meeting.

Another instance could be someone outside your organization trying to gain access to a conference line. This is known as call snooping. The same thing could happen: confidential information from that meeting could be leaked to the public.

I know you’re thinking these are unlikely scenarios, and it probably couldn’t happen to you, but this exact scenario happened in 2012 when the group Anonymous hacked into a conference call between the FBI and Scotland Yard. The result of this conference call breach was that details regarding various cyber-crime investigations were leaked to the public.

Hopefully, these examples have inspired you to take a second look at your conference call protocols and providers. There are several factors to consider when looking into the security of conference call services. Use the in-depth checklist below to question your current provider, and possibly new providers should you find a need to switch.

Ability to Secure Access

Your conference calling service should provide you the ability to set up some general parameters for your call. These are not only helpful in managing meetings but are also great for monitoring security as well. Some secure access features to look for are:

  • Maximum or set number of participants
  • Sub-conference rooms
  • Inactive time tracking – track movement
  • Conference locks – locks call at the start of the meeting
  • Host controlled access – the host lets participants in one-by-one

Role and Privilege Setting

Most conference call providers have some type of contact list or directory within the platform where you can see who is on your call. What’s important is that you have the ability to manage these conference attendees. Some basic questions to ask your service provider are:

  • How do I access the contact list or directory within the call?
  • Can I remove an individual from the call?
  • Do I have the ability to mute individuals in the call?
  • Can I revoke screen sharing access from an individual in the call?

Access Codes & PINs

In most cases, as long as someone has the conference line number or URL it can be fairly easy for them to access your call. Asking your conference call provider about the following access options can add an extra layer of security to your calls:

  • Do I have the ability to set a personal identification number (PIN)? A PIN is set up for the host of the call. This ensures that only the host with the PIN can manage the conference call settings and designate access to the room.
  • Am I able to provide conference codes to attendees? These are unique sets of numbers that are given to assigned attendees. You can have all attendees use the same code, or generate individualized codes.
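To illustrate what individualized codes buy you over one shared code, here is an added example (not from the original article or from any provider's product): a hypothetical `Conference` class that issues one code per attendee, so the host can revoke a single person, reject a reused code, lock the call after repeated bad guesses, and see who actually joined. The names `Conference`, `new_code` and `MAX_FAILURES`, and the 8-digit code and 6-digit PIN lengths, are assumptions.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 5  # assumed policy: lock the call after this many bad codes

def new_code(digits: int = 8) -> str:
    """Random numeric code from a CSPRNG (dial-pad friendly)."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))

class Conference:
    """Hypothetical model of one call: host PIN plus one code per attendee."""
    def __init__(self, attendees):
        self._key = secrets.token_bytes(32)   # server-side secret for the keyed hash
        self.host_pin = new_code(6)           # only the host receives this
        self.issued = {}      # name -> code, sent to each attendee privately
        self._tags = {}       # name -> keyed hash of the code (what is stored)
        self.revoked, self.joined = set(), []
        self.failures, self.locked = 0, False
        for name in attendees:
            code = new_code()
            while code in self.issued.values():   # codes must be unique
                code = new_code()
            self.issued[name] = code
            self._tags[name] = self._tag(code)

    def _tag(self, code: str) -> bytes:
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def revoke(self, name: str, pin: str) -> bool:
        ok = hmac.compare_digest(pin.encode(), self.host_pin.encode())
        if ok:                       # host-only action, gated by the PIN
            self.revoked.add(name)
        return ok

    def join(self, code: str):
        """Return the attendee this code belongs to, or None if rejected."""
        if self.locked:
            return None
        tag, match = self._tag(code), None
        for name, stored in self._tags.items():
            if hmac.compare_digest(tag, stored):   # constant-time comparison
                match = name
        if match is None or match in self.revoked or match in self.joined:
            self.failures += 1
            self.locked = self.failures >= MAX_FAILURES
            return None
        self.joined.append(match)   # audit trail: who actually entered
        return match
```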

On-Call Conference Call Security

You should also be asking your conference call service provider about security measures that are in place for when the call is in motion. These features also add an extra layer of security to your call once you have all of the initial parameters in place.

  • Host dial-out: This gives the host the ability to manually add attendees to the call, and while it’s a little extra work, if security is a big concern for a particular call, this is the way to go. Rather than administer codes beforehand, as the host, you manually dial in all attendees.
  • Meeting roll-call: This feature has the attendee record their name which will be announced once they enter the call. This way, you know exactly who is in the room. This can also be used when attendees leave the call (i.e. “John Smith has left the call”…to probably watch basketball).
  • Muting: This feature is pretty obvious, but if you have an attendee who is sharing sensitive information unknowingly, or has a bunch of background noise, you should be able to shut their microphone off.
  • Move to a different room: If some information is being shared on a call that one or more attendees should not be hearing, the host needs to be able to move an attendee to a sub-conference room without dropping them completely.
  • Manual disconnect: Let’s say John Smith is announced as entering the call, and he is definitely not supposed to be there. You should have the ability to remove him from the conference line.

Encrypted Recordings (Symmetric & Asymmetric)

The ability to record a conference call is very useful because not only can you reference the recordings later, but they can also be used to train new employees and catch up absent attendees. However, it’s nice to know that your recordings are safe too.

You should ask your conference call provider how recordings are secured, stored and managed. Ideally, they can be stored via Symmetric Encryption or Asymmetric Encryption. The difference is that with symmetric encryption a single key is shared only between you and the provider, while with asymmetric encryption a private and public key pair is generated to share with attendees.


Ultimately, if you’re paying for a subscription to a conference call service, you should be sure that its offerings are not only robust in features that make your calls seamless, but also secure.

Using the provided Conference Call Security checklist, you should determine what security features your current service provides, then make a decision whether or not you need to start vetting other services.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
