Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

NIST, DHS Publish Guidance on Securing Virtual Meetings, VPNs

With people worldwide forced to work from home due to the coronavirus epidemic, NIST and DHS published a series of recommendations on how to ensure that virtual meetings and connections to enterprise networks are protected from prying eyes.

With people worldwide forced to work from home due to the coronavirus epidemic, NIST and DHS published a series of recommendations on how to ensure that virtual meetings and connections to enterprise networks are protected from prying eyes.

Conference calls and web meetings have long been part of modern work, as they play a vital role in ensuring the necessary communication with remote workers (teleworkers).

The security of virtual meetings might often be an afterthought, but basic precautions can ensure that they don’t lead to data breaches or other security incidents, says Jeff Greene, director of the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST).

Most virtual meeting services have built-in security features, but following an organization’s policies for virtual meeting security should ensure strong protection. Organizations should also consider limiting the reuse of access codes, using one-time PINs or meeting identifier codes, and adopting multi-factor authentication.

Additionally, Greene encourages the use of a “green room” or “waiting room,” enabling notification when attendees join in, using a dashboard to monitor attendees, recording of the meeting only when necessary, and disabling features that are not required, such as chat or file sharing.

Furthermore, attendees should be instructed to make sure that no sensitive information is inadvertently disclosed during the meeting when sharing their screens.

He also underlines that, when sharing highly sensitive information, additional steps should be considered, such as the use of approved virtual meeting services only and of unique PINs or passwords for each attendee, a dashboard feature, locking the call once all attendees are online, encrypting recordings, and conducting web meetings on organization-issued devices only.

“This list is not all-encompassing, nor must you use every tool for every virtual meeting. Know your organization’s policies, think about the sensitivity of the topics to be discussed, factor in the logistics of the meeting, and pick the measures that make sense for each situation,” Greene notes.

Advertisement. Scroll to continue reading.

In an alert, the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) is providing recommendations on how organizations could ensure that the use of virtual private network (VPN) solutions to connect to the organization’s network will not pose a security risk.

Issues that could emerge in such situations include the specific targeting of VPNs to find ways to exploit them for malicious use, increased phishing for login credentials, and the lack of multi-factor authentication (MFA) for remote access and of sufficient VPN connections to ensure all employees can telework.

What’s more, some organizations might not apply important updates or patches in due time if their VPN solutions are in use 24/7.

Organizations are advised to always update their VPNs, and ensure that the network infrastructure and the devices used to remotely connect to work environments have the latest software patches and security configurations.

Organizations should also alert employees to expect an increase in phishing attempts, ensure their security teams are prepared to ramp up remote access cyber-security tasks (e.g. log review, attack detection, and incident response and recovery), that MFA is in use on all VPN connections, and that the adopted VPN solution has been tested for mass usage.

Related: The Other Virus Threat: Surge in COVID-Themed Cyberattacks

Related: Enterprise VPN Vulnerabilities Expose Organizations to Hacking, Espionage

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.