At Delta College in Stockton, the first Associated Students town hall of the school year, held over Zoom, was disrupted by pornographic images. In another incident, a church service in Greensboro, North Carolina, was hit with hate speech and pornographic images.
These are two examples of a practice called Zoom bombing, in which uninvited participants cause havoc in meetings.
With more people working remotely, video teleconferencing has become more prevalent. While it makes telecommuting easier, it also has pitfalls to avoid.
The California Department of Technology’s Office of Information Security released guidelines to help secure video teleconference meetings.
Video teleconference security tips
The FBI issued a warning for video teleconferencing users. Hijacking of video sessions, also known as Zoom bombing, has happened across the country.
The FBI received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language. After this activity was reported to the FBI’s Internet Crime Complaint Center, the FBI published the following recommendations:
- Do not make meetings or classrooms public. In Zoom, there are two options to make a meeting private: require a meeting password or use the waiting room feature and control the admittance of guests.
- Do not share a link to a teleconference or classroom on an unrestricted publicly available social media post. Provide the link directly to specific people.
- Manage screensharing options. In Zoom, change screensharing to “Host Only.”
- Ensure users are using the updated version of remote access/meeting applications. In January 2020, Zoom updated their software. In their security update, the teleconference software provider added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.
- Lastly, ensure that your organization’s telework policy or guide addresses requirements for physical and information security.
Additionally, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released a notice regarding this activity. Because the issue applies to all video teleconferencing (VTC) software, CISA added the following recommendations:
- Consider security requirements when selecting vendors. For example, if end-to-end encryption is necessary, does the vendor offer it?
- Ensure VTC software is up to date.
User security best practices for video teleconferencing tools
- Set a password! Passwords protect against unauthorized attendance since only users with access to the password will be able to join the meeting. Do not reuse passwords for meetings.
- Do not make meetings public. In addition to setting a password, make sure you are aware of who is attending. Use the waiting room feature if available and control the admittance of guests.
- Do not share a link to a teleconference publicly. Provide the link directly to individuals.
- Assign a host or presenter to monitor the meeting and prevent audio and video intrusions.
- Be aware of the recording of teleconferences. It may be illegal to record teleconferences. Be sure to understand the laws that apply to you regarding the recording of audio and visual communications. Understand where your recordings will be stored to prevent unauthorized access.