Executive Summary
INTRO – what are we talking about? Technology always evolving and our business and company can can develop more efficient practices. WHAT KIND OF PRACTICES? Technologists have identified that our company would benefit from secure video-conferencing. WHAT ARE SOME ADVANTAGES?
THE PURPOSE OF THIS PAPER? Our company is researching and going to adopt a secure video-conferencing platform. WHAT WILL THE PLATFORM DELIVER? As our company goes face to face communication will get more difficult with people be more spread out. That is why picking a secure video conferencing host is very important to our organization. It will provide us the ability to hold meetings and not all have to crowd in a small conference room or hold the same meeting multiple times. Employees will be able to open the video conferencing tool and join anywhere ever they may be.
DEFINE OUR COMPANY’S VIDEO-CONFERENCING NEEDS WHAT ARE THE FUNCTIONAL REQUIREMENTS? HIGHLIGHTS? ENCRYPTION? GEOGRAPHY BENEFITS? TIMWE BENEFITS?
REVIEW SEVERAL PRODUCTS AND NARROW IT DOWN TO THREE PLATFORMS Zoom, Skype, Microsoft Teams, and GoToMeeting. WHAT MADE YOU CHOOSE THESE PRODUCTS? WHO DID YOU DECIDE TO GO WITH?
Zoom does not come without challenges of implementations. That is how the employee cooperation will come in. We will need each one of them to download Zoom to their personal devices or the IT department can do it on company own devices. Once this is done a conference can be started and anyone with access can join.
Functional Requirements
Functional requirement describes how an information system should behave or determine what the system should do. They should be defined before anything is put in place or developed so that everything can work together properly. Some example of these requirements would be:
- 24-hour operation capability (our plan is for global operations this is a necessity)
- Secure messaging
- HD video quality
- Screen sharing
- High level of security and encryption
- It must be interoperable with all technology on the system
- Must be able to support 25 people at a time
- Must have a way of authentication who is on the call
In our current environment, we do not have a way of secure video conferencing. Some examples of video conferencing technology we could get is zoom, skype, and GoToMeeting. We have research these three while there are many more out there in an effort to pick one for use.
Zoom was founded in 2011 by Eric Yuan who had previously worked as a lead engineer for WebEx. It is a fast-growing leader in modern video communication which allows for a reliable cloud platform for video and audio conferencing, collaboration, chat, and webinars across mobile devices, desktops, phones, and room systems (video conferencing, n.d.). While zoom is a newer video conferencing tool it is very well designed and user friendly.
Zoom advantages include a free version that allows up to 100 people on at a time as long as it is not longer than 40 min. This is a great option for us since right now we only need to support 25 and for no longer than 30 minutes. It also offers a paid version that is easy to scale and could have up to 1000 video participants and multiple participants can share their screens simultaneously. Zoom offers end –to-end encryption, role based user security, and password protection, it also allows you to record the conference to stream and play back later, sinks with your calendar. Zoom has 24.7 availability which will be a must when we go global. Zoom is cross platform compatible. The biggest plus of zoom is the HD video which ends the days of PowerPoint slide after slide and allows for more interaction with the participants.
Zooms disadvantages are that the signup process is confusing and the add-ons that you need and don’t need is convoluted. If we go with the free option then everyone will have to go through this same set up process. While zoom does offer a document sharing feature it does not let you share them in real time.
Vulnerability of zoom include the GHOST vulnerability which is a buffer overflow bug affecting the Gethostbynam() and gethostbyname2(). This vulnerability allows a remote attacker is able to make an application call to either function to execute arbitrary code. This can be mitigated by updating the glibc (security:GHOST,n.d.). Another vulnerability list on the CVE is CVE-2004-0680 Zoom X3 ADSL modem has a terminal running on port 254 that can be accessed using the default HTML management password, even if the password has been changed for the HTTP interface, which could allow remote attackers to gain unauthorized access (vulnerability details, n.d.). This vulnerability is very serious and could open the network and all file up to an attacker.
Skype is the next video conferencing tool we will review. Some of the advantages of Skype are screen sharing options are available to various uses. Which works great within our current environment. Also, information that is shared can be viewed independently by each party. This provides us a great method to facilitate discussions. With Skype for business you can add up to 250 people to an online meeting. Skype is incredibly easy to install. Just downloading of the application and Skype configures itself to work on your system, user simply needs to link to some other account for login or create a new account. Skypes 24/7 availability is valuable as well. Skype is owned by Microsoft and is integrated with office apps, so staff won’t need to be retrained to use new software. Skype is secure, security measures have been taken to insure communications remain confidential.
Disadvantages of Skype include if you don’t have Microsoft office then it cost $2 per person. For any of the add on features you have to pay additional fees to get them. You also have to pay extra to set up phone numbers and make phone calls.
Know vulnerabilities of Skype are it allows attackers to crash systems and execute code.
On the Common vulnerabilities and Exposure (CVE) CVE-2017-9948 A stack buffer overflow vulnerability has been discovered in Microsoft Skype 7.2, 7.35, and 7.36 before 7.37, involving MSFTEDIT.DLL mishandling of remote RDP clipboard content within the message box. A CVSS score of 7.2 it is considered dangerous as it can be executed by both local and remote attackers without any interaction on the victims account, only a skype user account with low privileges is necessary for attackers. The vulnerability was made know to Microsoft on May 16th and a patch was available June 8th.
Lastly, we will review GoToMeeting. IT is an all in one app and can be used on all of the platforms we will have. You can use GoToMeeting anytime anywhere so that would be very convenient when we are able to go global with our system. It also has a free trial version that will allow up to 50 people.
Some advantages of GoToMeeting are capable of sharing screen and a user can give control or take control of other participants machine. Document sharing can happen in real time. The add-ons feature if we choose to purchase them are in a package that is an all in one buy. The meetings can be recorded and played back at a later date.
Disadvantages of GoToMeeting are the internet connection being used has to be fast and cannot have any time out periods. The devices being used for the meeting has to be newer because the tool does not like older machines.
GoToMeeting is fairly secure. Only one vulnerability was found during research, CVE- 2014-1664. The Citrix GoToMeeting application 5.0.799.1238 for Android logs HTTP requests containing sensitive information, which allows attackers to obtain user IDs, meeting details, and authentication tokens via an application that reads the system log file (Citrix, n.d.).
Cost benefits of each of the three meeting tools.
| Product | Cost | Key Benefits |
| Zoom | Free Until we go over 100 people or meeting longer than 40 minutes | It is free, will require each person to download |
| Skype | $3750 annually for 25 people | This also include Microsoft office for each person |
| GoToMeeting | $29 a month for up to 150 participants | Has been around awhile and has great customer support |
Implementation Challenges
The main challenge for each of these products is the installation of the software and getting each person set up with an account. Each tool has end to end security so that all of our video conference will be secure. During these calls, no customer PII or credit card information will be getting shared. There may be company proprietary information being shared. Other issues may be getting through our firewall which we can configure to allow these conference calls.
We are going to choose Zoom for now. It serves all of the purposes of our team and satisfies all of the functional requirements we have. We might have some growing pains with it at the beginning getting everyone set up but a strong free option is the best choice until this project has gone well.
Privileged identity management are accounts that are super users. These accounts will have elevated privileges to take care of system issues and add and take things away from the network. These accounts are very dangerous if they are able to be hacked and a malicious person is able to take control. For this reason, only our database administrator (DBA), system administrator (SA), and executives will have privileged accounts. The DBA and SA will get to designate one person as their backup. These accounts must have strong and complex requirements to prevent them from being accessed. Each of these designated people will also have an account that is meant for everyday use along with all of the other users in the company. The only reason that one of the privileged accounts should be used is to take care of a specific purpose. When these accounts are being used will be logged and anyone abusing the account
will have it taken away and may face other discipline. All accounts will have Role Based Access Controls applied.
Data exfiltration with video share could also be a serious issue. Data exfiltration is when data is removed from a system either by a hacker gaining unauthorized access to the system and removing it or by a malicious employee removing it. With each of the system this could result with the file sharing portion of the tool. It is a time period when large amounts of data are being used so if an attack was able to launch an attack during a conference call then a large amount of data being removed from the system could easily go undetected.
Best Practices
Implementing security best practices will help protect the company and the data that we own. Since we have a BYOD program we need to ensure that we have a strong policy that protects us and the users. This will be accomplished with the help of our device management software and through other policies we have implemented. Other recommendations are for our SA to make sure monthly security patches are completed, ensure any patches associated with the video conferencing tools are up to date, and we also need to encrypt the data we have stored or in transit through our system. We will also have a password policy that enforces a password length and complexity and a role bases access control policy that limits what each person has access to based on their job.
These practices will help with data exfiltration by ensuring that our network is hardened to the best of our abilities. It will limit who has access to certain data decreasing the chances that data can be leaked either intentionally or unintentionally. It will also decrease the chance of snooping on the system because the system will be hardened to help with keeping attackers
out. Snooping in the aspect of looking over the shoulder or listening to conversations will fall on training the employees to monitor what they say in certain areas and who they are talking to and who is around.
References
Citrix » GoToMeeting : Security Vulnerabilities. (n.d.). Retrieved from https://www.cvedetails.com/vulnerability-list/vendor_id-422/product_id-26987/Citrix- Gotomeeting.html
Security: GHOST Vulnerability. (n.d.). Retrieved from https://support.zoom.us/hc/en- us/articles/203475139-Security-GHOST-Vulnerability
Video Conferencing, Web Conferencing, Webinars, Screen Sharing. (n.d.). Retrieved from https://zoom.us/about
Vulnerability Details : CVE-2004-0680. (n.d.). Retrieved from https://www.cvedetails.com/cve/CVE-2004-0680/
