With rapid change going on in most businesses, it's little surprise that speculation and hasty conclusions can crowd out taking the time to validate the facts for ourselves. Many articles have come out recently about vulnerabilities in video conferencing tools, but even when the vulnerabilities are real, we shouldn't draw the wrong conclusions from them. In recent days, I have heard a number of statements that I would suggest go too far. I've heard people saying, "Use this solution, as that one is insecure!" and so on.
It’s possible to look up current known vulnerabilities for any popular conferencing tools. Sites such as CVE Details maintain records of vulnerabilities. You can visit them and see for yourself how many known vulnerabilities in conferencing tools there are and when they were discovered.
So what should you take away from what you find?
- All tools have had vulnerabilities. Just because one is in the news this week for a new vulnerability doesn't necessarily mean you should change to a different tool. Always ensure you have a patching process in place, and consider which of your tools can provide preventative controls that buy you the time to test and deploy patches in a strategic way. For example, these tools could include your gateway, firewall or VPN/endpoint security.
- Stick to the facts. I'm sure we have all heard people saying they can't use capability X because it's unsafe, so they use capability Y instead. With many people in the world working from home now, we need to consider whether staff are switching tools on their own. You must be able to continue to assess what tools are being used across your networks and only allow those you are supporting and securing. At the very least, if you allow personal-use tools at all, control what content and connectivity flows between the tools you secure and those personal-use tools.
- No matter which video conferencing tool you leverage, follow best practices for video conferencing security. Leverage the security capabilities your tools provide, but also consider what your own security capabilities can do to bolster that security where required. It's important to ensure we embrace Security 101 logic, especially during challenging times or situations. For more about this, read my previous blog, "The Rush to Video Conferencing – Are We Failing to Use Good Cyber Hygiene?"
Also, don’t forget that not all risks are equal. It's worth checking through vulnerabilities as they are posted to assess how much of a risk they pose to your organization.
Understanding the risk a vulnerability poses to your organization will help you determine the right balanced response steps to take.
All too often, we forget to take into account how the specific vendor responds to a vulnerability. The reality is that all code will have errors. It's written by humans, and we aren't perfect. What makes the real difference is what comes after the vulnerability is revealed.
- Does the vendor respond to the vulnerability in a timely fashion?
- Do they give you the right information to make an informed decision?
- How quickly do they release the patch or fix?
- How good is that fix? The last thing anyone needs is to patch a fix.
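As an added example (not part of the original post), here is a small Python triage helper that applies the checklist above to constructed vulnerability records: it weighs CVSS base score, network exploitability against your own exposure, compensating controls from a gateway, firewall or VPN, patch availability, and the vendor's time to fix, and it only counts products you actually run. The record layout, the weights, the thresholds, the product names and the placeholder identifiers are all assumptions for illustration; the identifiers are not real CVE numbers.

```python
from dataclasses import dataclass
from statistics import median
from typing import List, Optional, Tuple


@dataclass
class VulnRecord:
    """One published vulnerability entry (constructed shape, loosely
    modelled on the fields a site like CVE Details shows per entry)."""
    vuln_id: str                     # placeholder id, NOT a real CVE number
    product: str
    cvss: float                      # base score, 0.0 to 10.0
    network_exploitable: bool        # reachable without local access
    patch_available: bool
    vendor_days_to_fix: Optional[int]  # disclosure-to-fix in days; None if unfixed


@dataclass
class Deployment:
    """How a product is actually used in your organization."""
    product: str
    in_use: bool
    internet_exposed: bool
    compensating_controls: bool      # e.g. gateway/firewall/VPN filtering in front


def risk_score(v: VulnRecord, d: Deployment) -> float:
    """Organization-specific risk: CVSS adjusted for exposure, controls and
    patch state. Weights are assumptions, not a standard."""
    if not d.in_use:
        return 0.0                   # a flaw in a tool you don't run is not your risk
    score = v.cvss
    if v.network_exploitable and d.internet_exposed:
        score += 2.0                 # reachable from the outside: raise priority
    if d.compensating_controls:
        score -= 2.0                 # preventative controls buy time to test the patch
    if not v.patch_available:
        score += 1.0                 # nothing to deploy yet; exposure persists
    return max(0.0, min(12.0, score))


def response_action(v: VulnRecord, d: Deployment) -> str:
    """Map the adjusted score to a balanced response step."""
    score = risk_score(v, d)
    if score == 0.0:
        return "not applicable: product not in use"
    if v.patch_available:
        return "patch now" if score >= 8.0 else "patch in next cycle"
    return ("apply compensating controls and monitor vendor"
            if score >= 8.0 else "monitor vendor")


def vendor_responsiveness(records: List[VulnRecord]) -> Tuple[Optional[float], int]:
    """(median days to fix across fixed entries, count still unfixed):
    a rough view of how a vendor behaves after disclosure."""
    fixed = [r.vendor_days_to_fix for r in records if r.vendor_days_to_fix is not None]
    unfixed = sum(1 for r in records if r.vendor_days_to_fix is None)
    return (float(median(fixed)) if fixed else None, unfixed)


def triage(records: List[VulnRecord],
           deployments: List[Deployment]) -> List[Tuple[str, float, str]]:
    """Rank every record against its matching deployment, highest risk first."""
    by_product = {d.product: d for d in deployments}
    rows = []
    for r in records:
        d = by_product.get(r.product, Deployment(r.product, False, False, False))
        rows.append((r.vuln_id, risk_score(r, d), response_action(r, d)))
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample data: placeholder ids and fictional products.
SAMPLE_RECORDS = [
    VulnRecord("EXAMPLE-0001", "ConfTool A", 9.8, True, True, 3),
    VulnRecord("EXAMPLE-0002", "ConfTool B", 6.5, True, False, None),
    VulnRecord("EXAMPLE-0003", "ConfTool C", 9.0, True, True, 45),
]
SAMPLE_DEPLOYMENTS = [
    Deployment("ConfTool A", in_use=True, internet_exposed=True, compensating_controls=False),
    Deployment("ConfTool B", in_use=True, internet_exposed=False, compensating_controls=True),
    Deployment("ConfTool C", in_use=False, internet_exposed=False, compensating_controls=False),
]

if __name__ == "__main__":
    for vuln_id, score, action in triage(SAMPLE_RECORDS, SAMPLE_DEPLOYMENTS):
        print(f"{vuln_id}: score {score:.1f} -> {action}")
    print("vendor (median days to fix, unfixed):",
          vendor_responsiveness(SAMPLE_RECORDS))
```

The ordering is the point: the highest-CVSS entry in the sample is not the top priority once it belongs to a product nobody runs, while a medium-severity flaw behind existing controls drops to "monitor vendor" rather than an emergency change of tooling.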
It's only human nature that in times of heightened pressure we have to make decisions faster. We should remember that emotions take hold in our brains much faster than logic (read "Thinking, Fast and Slow," by the Nobel Prize winner Daniel Kahneman). Most of us are already in an emotional state given the world challenges we face, and as such, we have to pay additional attention to allow our logical brains to make the right decisions. As security teams work to adjust to organizational changes and increases in remote work, it's key to remain logical as we assess how to react to vulnerabilities in the tools we use to enable our daily work.
Read more about best practices for video conferencing security.