The US National Security Agency (NSA) has published a short guide on choosing a service for tele- and web-conferences for employees of federal agencies.
“During a global pandemic or other emergency, many US government employees must work from home while continuing to perform functions critical to the nation and to maintain the continuity of public services.
In such circumstances, the use of conferencing services becomes inevitable,” say NSA representatives.
The NSA document provides a brief overview of best practices and selection criteria, and was coordinated with the US Department of Homeland Security, which issued a similar guide: “Cybersecurity guidelines for federal agencies when using video conferencing solutions”.
The following criteria cover the risks and features that government employees should weigh when choosing a conferencing service:
1. Does the service offer end-to-end encryption?
Thanks to end-to-end encryption, messages, photos, videos, voice messages, documents, status updates and calls are protected from falling into the wrong hands.
2. Are strong, well-known and verifiable encryption standards used?
Even in the absence of end-to-end encryption, the NSA recommends using strong encryption standards, preferably NIST-approved algorithms, together with current secure protocol standards from the Internet Engineering Council.
3. Is multi-factor authentication available to verify user identity?
Without MFA, attackers can use weak or stolen passwords to gain access to user accounts.
4. Can users see and control who is connecting to conference sessions?
The service should allow conference organizers to restrict access to a session to invited users only.
5. Does the service’s privacy policy allow data to be shared with third parties?
Although conferencing services often collect the information they need to work, they must protect the confidential data of users. The exchange of information should be clearly stated in the privacy policy.
6. Are users able to securely delete data from the service and its storage when necessary?
Although no service can guarantee completely secure overwrite/delete capabilities, users should be able to delete content (for example, shared files, chat sessions, saved video sessions) and permanently delete accounts that are no longer in use.
7. Has the service been tested or certified for use by a government security agency?
The NSA recommends evaluating cloud services through the FEDRAMP program of the US Office of Fiscal Administration.
Recommendations of this kind appear to have been prompted by a series of security problems that researchers discovered in the popular Zoom application. For example, we recently reported that cybercriminals are trading exploits for a zero-day vulnerability in Zoom.
Mozilla has also recently examined the security of video conferencing applications.