How secure are chat and webconf tools
1. How secure are Chat & Webconferencing Tools?
Jan Guldentops (CEO Better Access, Lector at AP Hogeschool)
Marc Vael (CISO ESKO, president of SAI)
Tuesday 23rd of March 2021
7. The first elephant: the application
• Verify that you have the right & latest version of the application!
• When using applications from a third party, most providers control or have access to:
  • at least the meta-data
  • most often also the data of the chats & the webconference itself
• You do not want to allow such access?
  • Be careful which provider you choose
  • Use end-to-end encrypted solutions, but be aware of the performance impact
  • Set up your own chat/webconference platform and make it secure, but be aware of the cost in manpower to support & maintain it
9. The second elephant: the data
• Chat & webconference applications are used for all sorts of communication, including sharing business-sensitive or critical information
• You want to be able to
  • Look up that communication again
  • Reproduce the chat / webconference for compliance reasons
• Are you sure you can do this?
  • Did you read the SLA?
  • Do you have a backup / export?
12. The third elephant: the people
• Communication is done by people
• People do stupid things and are much harder to train than elephants
• Educate all people regularly on using chat & webconference tools in a professional manner
• Explain guidelines / rules of conduct
• Use common sense!
27. 3 modi operandi
1. One-to-one chat & videocall: you talk to 1 person
2. #channel / #teams-based discussion
3. Multi-user chat & videocall
Each choice has different security paradigms!
34. Advice for using webconference tools
1. Consider first whether the information you want to share is best communicated via a webconference tool. Maybe the information is so sensitive that another tool is better (like a phone call or face to face).
2. Review the Terms & Conditions and the Privacy Policy of the webconferencing provider. Some may share personal data with marketing companies.
3. If you are hosting a web conference with external users, always add a password, disable 'join before host', turn off annotations and use the waiting room. Do not share the meeting ID for public events.
37. Advice for using webconference tools
4. If you are hosting a web conference with internal users only, use your internal authentication for accessing the webconference tool.
5. Turn off any listening devices (like Google Home, Amazon Alexa, or smartphone apps) near you during your webconference.
6. Consider whether saving recordings is necessary. If you did not record conversations or meetings before, should you record a webconference just because you can? This could add additional unnecessary privacy risks.
38. Advice for using webconference tools
7. When organising a webconference, verify the identity of all participants at the start of the meeting and clearly define the ground rules and the agenda of the meeting.
8. When attending an internal or external webconference, be aware that you can be recorded by other recording devices (like a smartphone) capturing all voice, video, and text from the meeting.
9. Sign into external webconferences with your partial name or a nickname. Avoid sharing personal data.
39. Advice for using webconference tools
10. Disable your camera & your microphone, unless needed to participate.
11. Before switching on your camera or sharing your screen, ensure confidential information is not visible on your shared screen. Always use a professional background picture.
12. Consider who is nearby and what information could be overheard or seen.
40. Advice for using webconference tools
13. Always verify files which are shared via external webconferences, as they could contain malware.
14. If your profession is governed by a licensing board or body, check with your governing body for possible webconferencing guidelines & recommendations.
15. If you have professional liability insurance, check that your (cyber)insurance also covers webconferencing.
44. Zero-knowledge
A method by which one party (the prover) can prove to another party (the verifier) that a given statement is true, without conveying any information apart from the fact that the statement is indeed true.
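As an added illustration of that definition (not part of the slides), a toy Schnorr identification protocol in Python: the prover convinces the verifier that it knows the discrete log x of a public value y without revealing x, and a simulator that has no x at all produces indistinguishable accepting transcripts, which is exactly why the exchange conveys nothing beyond "the statement is true". The group parameters p=23, q=11, g=2 are constructed toy values for readability.

```python
import secrets

# Constructed toy Schnorr group: p prime, q prime with q | p-1, g of order q mod p.
# Real deployments use standardised groups with q of at least 256 bits.
P, Q, G = 23, 11, 2


def keygen():
    """Secret x in Z_q and public y = g^x mod p. Statement: 'I know log_g(y)'."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def prover_commit():
    """Round 1: prover picks a fresh nonce r and sends t = g^r mod p."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def verifier_challenge():
    """Round 2: verifier picks a random challenge c in Z_q."""
    return secrets.randbelow(Q)


def prover_respond(x, r, c):
    """Round 3: s = r + c*x mod q. The secret x is masked by the nonce r."""
    return (r + c * x) % Q


def verify(y, t, c, s):
    """Verifier accepts iff g^s == t * y^c (mod p)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def run_protocol(x, y):
    """Honest three-move interaction; returns (accepted, transcript)."""
    r, t = prover_commit()
    c = verifier_challenge()
    s = prover_respond(x, r, c)
    return verify(y, t, c, s), (t, c, s)


def simulate_transcript(y):
    """Zero-knowledge argument: without x, choose s and c first and solve for
    t = g^s * y^(-c) mod p. The result verifies and has the same distribution
    as a real transcript, so seeing transcripts teaches the verifier nothing."""
    s, c = secrets.randbelow(Q), secrets.randbelow(Q)
    y_inv_c = pow(pow(y, c, P), P - 2, P)   # modular inverse via Fermat
    return (pow(G, s, P) * y_inv_c) % P, c, s


if __name__ == "__main__":
    x, y = keygen()
    print("honest prover accepted:", run_protocol(x, y)[0])
    print("simulated transcript verifies:", verify(y, *simulate_transcript(y)))
```

A prover who does not know x can only pass by guessing the challenge in advance, which succeeds with probability 1/q per round; repeating rounds (or using a large q) drives that to negligible.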
46. Contact details
Mr. Marc Vael, CISM, CISSP, CRISC
CISO Esko, President SAI
marc.vael@sai.be
http://www.linkedin.com/in/marcvael
@marcvael

Mr. Jan Guldentops
CEO BA, Lector Security AP
j@ba.be
http://www.linkedin.com/in/janguldentops
@JanGuldentops