The pandemic has catapulted videoconferencing to the very top of the tech world. But security concerns have risen with it. Golden Star Technology designs conference systems, and Dennis Wang is here with the latest threats and solutions for keeping videoconferencing secure.
SVC: Welcome Dennis and thanks for joining us from Golden Star Technology, GST, in Cerritos, California. Good to have you with us.
Dennis Wang: Thank you. Pleasure to be on.
We’re talking today about a very timely topic. Nearly every day there is a news story on videoconferencing security or lack of it. GST does a lot of conferencing systems so what’s been happening there lately?
It’s definitely a very trying and very tiring time with everything going on, especially over the last six months. From a GST perspective we’ve seen a lot of our clients, both in the public sector and the commercial space, change strategies and change gears. Projects or goals from the beginning of the year have now shifted to remote use, remote education, how to get their remote workers to continue to collaborate and be highly effective.
It’s a tough time and people are having to get pretty inventive. I think you have eight offices around the world.
Yeah, we do. We cover both the United States and then we have three offices overseas as well in the Asia-Pacific rim.
And both government and corporate projects.
Yes. We cover both of the vertical markets so we do have a unique perspective on what’s going on in both of those markets.
Among the recent projects are a good many videoconferencing installations.
We have been doing a lot of videoconferencing systems. A lot of customers are trying to enable and fully utilize their platforms that could include Zoom, Microsoft Teams, and BlueJeans and things like that. So we’ve definitely been very busy in helping our customers with both the IT and the audio-visual angle of videoconferencing.
We’ve heard a lot of horror stories on videoconferencing security. We have the use of conferencing systems skyrocketing while at the same time budgets, including those for security, are getting tighter.
Yeah, I totally agree. And to add another layer to that you have end users who haven’t been properly trained who might have been afraid of technology.
Conferencing system companies are trying to improve their products. You’ve heard a lot about Zoom, which we’re using now, but there are still lingering issues.
Yeah. There are still a lot of lingering issues on both the IT and the AV perspective of videoconferencing. From an IT perspective, you’re still having many customers and many companies still unsure of how they’re writing their firewall protocols, all the security functions and features for the endpoint devices, and then just ensuring that the connectivity is secure and safe. And then from an AV perspective you still have a lot of users who haven’t really thought about the visual hacking that’s possible. Things like what are the camera angles? What is visible when somebody is speaking, as well as what is able to be caught on mics? So there are just so many different things to factor in when you’re trying to do these security assessments when you redo these installs.
We’re not only concerned with simple eavesdropping on conferencing but those conferencing systems are potential in-points for hackers.
Yeah. Yeah. In the beginning when Zoom was being readily adopted earlier this year they realized that any type of links or files that individuals were sharing within a Zoom meeting were actually never secure, so a bad actor could easily come in and steal any of that data, those meeting notes, or a recording of the meeting. So that was definitely a security hole and something that people just weren’t really thinking about because the usage just wasn’t wide-scale like it is now.
Users who take this seriously call companies like yours to come in and give them an assessment. When you’re called in, what do you consider in performing a videoconferencing security assessment?
The first thing we do, actually, is just talk to the IT folks and how they’re setting up their security policies and protocols. Just asking them some basic questions will give us a sense of how much they’ve thought about videoconferencing security and the different things that might be involved by having a larger base of remote users. Then we kind of test it out ourselves. So we’ll actually try to run a meeting with whatever they have and then we try to see what the pitfalls are right off the bat. So at a minimum we can get them to a baseline before we do final recommendations and do a final installation of a system.
So good communication with the local IT people is a basic foundation.
And especially as you mentioned earlier for a lot of these companies the budget just isn’t there. They haven’t really invested in their security or even in their videoconference solution, so a lot of people are playing catchup. A lot of people are trying to do this on the cheap and it’s definitely going to hurt them in the long run.
Something else we’ve seen quite a bit, what do you think when you see thousands of laptops being handed out to students for online classes?
When I see that Chromebooks and laptops and all these devices are being handed out to students in the tens of thousands, it’s definitely a big concern. Kids are very savvy with these tools. You also just don’t know what kids might be clicking on. They’re unaware of these phishing attacks, which are very sophisticated now. So anytime you see news like that, I’m always just concerned about how easy it is for a school or a school district to get hacked. In fact, here in California there was a school district recently that got hacked and they actually had to have all students return their Chromebooks, almost 20,000 units, just so they could properly clean, wipe down, and ensure that the malicious malware was not lingering in anybody’s system.
And when it comes to phishing which is a very popular way for hackers to gain entry, that involves not as much a software or hardware answer as much as a user training solution.
Exactly. It’s always a big threat. It’s never always just about the security solutions that you have; the software, the applications. A lot of times these attacks are successful because of the individual. The individual not understanding what they’re clicking on or responding to the email that they shouldn’t. That’s really what does create a lot of havoc for a lot of these customers and school districts.
Those phishing emails can have the corporate or school logo and look just like the real thing.
Or a teacher sending a lesson plan and the student not realizing that it’s a spoof email. There are just so many different ways and angles that these bad actors are implementing now.
Working on a solution, we have to divide the problem between physical security of the system and then the conferencing signal itself.
Yeah. You really have to approach it in two different ways. The conferencing signal itself is just anything that the IT department can do to ensure that the connectivity, the devices are secure. And then you’re going to have the physical concerns, too, with whether someone can hijack the systems and anything around that realm. It is definitely a two-prong approach and a two-prong thought process when you’re talking about security now.
System owners may not consider someone unauthorized getting into the conference room and adjusting things even if not maliciously but just jiggling things around so it doesn’t work right.
We definitely have a lot of situations where if they’re not educated or they’re not trained they definitely will break the system, or create a situation where things are not working as they should be.
In corporate and education conferencing we’ve heard quite a bit in the last ten years or so on BYOD or Bring Your Own Device. So in allowing that, it brings in some security issues as well doesn’t it?
BYOD has definitely been a hot trend over the last few years with many people preferring to bring their own devices or their preferred vendor devices to an environment; that continues to still be a challenge for many entities. Still, from an education standpoint, we’ve seen a lot of school districts simply say you can only use this one device because IT staff just doesn’t want to worry about students bringing their own devices. In the commercial realm, it’s getting better—there are good applications to help with secure network access, to control devices and so forth. But again you’re still seeing many IT departments tell their end users that only certain devices are approved and can be utilized on the network.
Sometimes inconvenient but safer. What steps should be taken for physical endpoint security? There are a lot of things to do there.
Yeah, from a physical endpoint side we always recommend our customers to look at locking mechanisms. These can be cages for projectors. It can be certain shelves or coverings for devices on the table or lecterns. And then secondly we always recommend to our customers never have one type of master key for everything; they should definitely be using different types of keys for different buildings or different floors just to ensure that physical security layer is there.
And explain to us about endpoint detection response. We’re bringing an aspect of artificial intelligence into it now.
Yeah, that is also beginning to be a huge, growing trend in the marketplace right now. As we mentioned earlier, many of these customers and these clients don’t have the budget. They don’t have big staff. A lot of these users are utilizing AI now where AI is able to detect a device that might be getting malware, might be getting a virus, and then the software detects what it is and puts it to the side and then does the remediation as well. So a lot of these turnkey type of solutions using AI have definitely been very popular and seem to be pretty effective for many of these customers.
One of the simpler things is just to keep your OS patches and updates current. We even see that hospitals hit with ransomware did not have updates that had been available for months.
That’s one of the low-hanging fruits for a customer to improve their security posture. It’s just to ensure that they are utilizing the latest versions, ensuring they are doing patching, and they’re not behind on the firmware updates. It just seems to be a head scratcher when you hear about these hacks and that was the root cause. Even for hospitals and for many customers too. Many of their devices are now IP-based where they connect to the network or the Wi-Fi; there are just so many more things and devices that IT never thought about. They were always more concerned about your laptops, your tablets, your cameras. But now we have to think about the doctors’ X-ray machine that’s now IP-based. So the number of threats continues to grow in anybody’s environment.
Trading security for convenience. Now, we’ve talked about physical endpoint security, what about conferencing signal security?
Yeah, from a conference security standpoint a lot of these platforms are now starting to build in some really good security functions such as passwords for meetings, and enabling waiting rooms so you can double check who is actually coming into the conference or the virtual meeting. It’s beginning to look a lot stronger and it just takes IT to ensure all those protocols are put in place.
The IT people have to be concerned with training so that users can operate the systems securely and are aware of the system’s security features.
I think a lot of times end users are just simply not aware that these security settings are there or that they can even have them as options. So it really does depend on both parties, the end users and the IT teams, to be on the same page and to really understand how these meetings can be done in a secure manner.
That can be as simple as just using strong passwords.
Passwords and just making sure that there are cheat sheets to go through the settings. Or we’re even starting to see a lot of customers just click the settings as default so that it ensures the layer of security is there.
IT people are also responsible for security of the AV control systems. Over the years of IT/AV convergence it seems like IT staff didn’t know exactly what to do with AV.
I totally agree with that assessment. When the IT and the AV industries started to converge, a lot of the IT folks started to have AV as part of their domain where it used to fall on facilities or the office admin. Then a lot of the IT guys were definitely struggling to understand the AV part of the business. It’s been 10 years now, but you still see that continual struggle to understand AV signal flows and what the AV devices are capable of doing and how it all impacts on the network.
AV control systems tend to run on fixed IP addresses and as soon as they’re on the network they become just as attractive a target as laptops and IoT devices.
Whenever you put devices onto the network there’s just one more entryway for threats.
What would you say are the top current trends in cybersecurity threats right now?
The different things that we’re still seeing as cybersecurity threat trends are ransomware, phishing, data loss where companies or schools are down for days or even for weeks because they’ve been hacked. And even to some extent we see cyberbullying, both in the education and the commercial area. It’s even more of a big issue because everybody is remote and not in the office or at school.
Yes, when there’s an incident, they’ve first got to sort out whether it’s just some local kid having fun or possibly a more sophisticated attack that could shut down the whole school system.
So what do you have coming up with conferencing system projects?
Here in California, we’re starting to see a lot of the federal CARES funding start to come through the school districts, the higher-education clients, and some of the local cities and local government as well. So we do have, very fortunately, a robust pipeline of clients utilizing CARES money to upgrade their infrastructure to put in more video conferencing solutions as well as anything that relates to remote users. We are very fortunate that the pipeline is pretty robust. We are continuing to design, install, implement, and test out a lot of these solutions for our clients.
It looks now as though video conferencing and working from home are going to be long-term trends even after we emerge on the other side of the pandemic.
Yeah, I totally agree. I think this new normal that we’ve been living through for the last few months will continue to be our new normal baseline moving forward, and I do believe that a hybrid work environment, learning environment is just going to be a part of our daily lives now.