Friday, March 29, 2024

Conference Call Security Checklist – Best Practices in On-Call Security

When you’re hosting a conference call there’s usually a handful of things you’re worried about, the integral part in the Conference Call Security for example:

  1. “Can you see my screen?”
  2. “I’m getting lots of echoes, can everyone be sure and mute.”
  3. The magic trick of casting your screen to the conference room TV while not losing the screen on your conference call.
  4. “I can’t see your screen, I dialed in today.”
  5. Or the dreaded, yet classic line to try and save face: “I swear these things work about 30% of the time.” After dropping the connection on your new client kickoff call…again.  

However, there is one aspect of conference calling that is often overlooked, and that is the security of the service provider. While you don’t often hear about it, conference calls can be easily compromised and be a huge detriment to your business and reputation. Imagine this scenario:

Your leadership team is having their weekly meeting. In this meeting, there’s probably a decent chance that confidential information is being shared about the company. Now, let’s say you have a disgruntled employee who is able to access that call, this is known as an internal leak.

Nowaday’s, it’s common for co-workers to be able to view each other’s calendars so you can find meeting times that work for everyone. However, you can also see existing meetings, and invite links, on those calendars as well. A careless overlook of the attendees on that conference call could allow that disgruntled employee to share any information shared in that leadership meeting.  

Another instance could be if someone outside your organization tried to gain access to a conference line, this is known as call snooping. The same thing could happen in which confidential information from that meeting could be leaked to the public.

I know you’re thinking these are unlikely scenarios, and it probably couldn’t happen to you; but, this exact scenario happened in 2012 when the group Anonymous, hacked into a conference call between the FBI and Scotland Yard. The result of this conference call breach was that details regarding various cyber-crime investigations were leaked to the public.

Hopefully, these examples have inspired you to take a second look at your conference call protocols and providers. There are several factors to consider when looking into the security of conference call services. Use the in-depth checklist below to ask your current provider, and possibly new providers should you find a need to switch.

Ability to Secure Access

Your conference calling service should provide you the ability to set up some general parameters for your call. These are not only helpful in managing meetings but are also great for monitoring security as well. Some secure access features to look for are:

  • Maximum or set number of participants
  • Sub-conference rooms
  • Inactive time tracking – track movement
  • Conference locks – locks call at the start of the meeting
  • Host controlled access – the host lets participants in one-by-one

Role and Privilege Setting

Most conference call providers have some type of contact list or directory within the platform where you can see who is all on your call. What’s important, is that you have the ability to manage these conference attendees. Some basic questions to ask your service provider are:

  • How do I access the contact list or directory within the call?
  • Can I remove an individual from the call?
  • Do I have the ability to mute individuals in the call?
  • Can I revoke screen sharing access from an individual in the call?

Access Codes & PINs

In most cases, as long as someone has the conference line number or URL it can be fairly easy for them to access your call. Asking your conference call provider about the following access options can add an extra layer of security to your calls:

  • Do I have the ability to set a personal identification number (PIN)? A PIN is set up for the host of the call. This ensures that only the host with the PIN can manage the conference call settings and designate access to the room.
  • Am I able to provide conference codes to attendees? These are unique sets of numbers that are given to assigned attendees. You can have all attendees use the same code, or generate individualized codes.

On-Call Conference Call Security

You should also be asking your conference call service provider about security measures that are in place for when the call is in motion. These features also add an extra layer of security to your call once you have all of the initial parameters in place.

  • Host dial-out: This gives the host the ability to manually add attendees to the call, and while it’s a little extra work, if security is a big concern for a particular call, this is the way to go. Rather than administer codes beforehand, as the host, you manually dial in all attendees.
  • Meeting roll-call: This feature has the attendee record their name which will be announced once they enter the call. This way, you know exactly who is in the room. This can also be used when attendees leave the call (i.e. “John Smith has left the call”…to probably watch basketball).
  • Muting: This feature is pretty obvious, but if you have an attendee who is sharing sensitive information unknowingly, or has a bunch of background noise you should be able to shut their microphone off.
  • Move to a different room: If some information is being shared on a call that one or more attendees should not be hearing, the host needs to be able to move an attendee to a sub-conference room without dropping them completely.
  • Manual disconnect: Let’s say John Smith is announced as entering the call, and he is definitely not supposed to be there, you should have the ability to remove him from the conference line.

Encrypted Recordings (Symmetric & Asymmetric)

The ability to record a conference call is very useful because not only can you reference them later, but they can be used to train new employees and catch-up absent attendees as well. However, it’s nice to know that your recordings are safe too.

You should ask your conference call provider about the Conference Call Security and how the recording is stored and managed. Ideally, they can be stored via Symmetric Encryption or Asymmetric Encryption. The difference is that either one code is sent only to you and the provider (symmetric), or a private and public code is generated to share with attendees (asymmetric).

Conclusion

Ultimately, if you’re paying for a subscription to a conference call service, you should be sure that it’s offerings are not only robust in features that make your calls seamless, but also secure.

Using the provided Conference Call Security checklist, you should determine what security features your current service provides, then make a decision whether or not you need to start vetting other services.

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles