As organizations drastically expand their usage of collaboration platforms during this period of mass remote work, it is crucial to understand and manage the risks that such platforms may introduce. Companies may address these concerns by performing security assessments, properly implementing best practices, and deploying additional security controls. At Mandiant, we believe that both an individual’s privacy and an organization’s intellectual property have to be protected while collaboration tools are in use.
Mandiant does not endorse any specific provider, but recommends that an organization should standardize around a single platform where possible to better manage complexity and risk.
Meeting Security and Privacy
The implementation of the following best practices will help to ensure meetings remain secure and private:
- Meeting Access Control and URL: Be mindful of whom meeting links are shared with, and of who is able to join a meeting. Most platforms offer an option to password protect a meeting or to create a "Virtual Lobby" (waiting room), which lets the organizer control who is admitted to the actual meeting (e.g. individuals from outside your organization can be held in the lobby until explicitly admitted). We strongly encourage all users to use these features to protect the content of their meetings.
- Participant Awareness: Before beginning each meeting, the organizer should carefully review the list of participants that have connected to ensure they are recognized. Any rogue phone numbers or anonymous participants should be asked to identify themselves, and if they do not respond, they should be removed from the meeting.
- Sharing content: Administrators should disable the ability of participants to share their screens unless the meeting organizer has explicitly granted permission. This prevents someone from hijacking the meeting with content that was not intended for the other participants.
- Entry and exit tone: If available, enable this feature so that nobody can join or leave the meeting without the participants being alerted.
- Recording: No one except the meeting organizer should be able to start a recording of the meeting. The recording should not be available to all participants by default, and should only be shared with the explicit approval of the host.
- Meeting invite forwarding: Assess and agree on available controls that prevent users from forwarding meeting invites.
Virtual meetings introduce a different set of complexities into communication that face-to-face conversations generally don’t encounter. The following items should be considered before engaging with others in a remote meeting.
- Video: Be mindful of your surroundings when enabling video. While it is often important to have video enabled for meetings, users should be aware of their environment to prevent the unintended disclosure of private information or of details that were not meant to be made public. Some products offer the option to blur the background during a video call. When not using video, make sure your camera is disabled or, ideally, physically covered.
- Audio: When not actively speaking, ensure the mute button is enabled for the audio portion of the call. If joining a meeting from a location where you can be easily overheard, practice discretion in revealing confidential information or move to a more private location.
Checklist for Securing Collaboration Platforms
Security teams should ensure that the following items have been appropriately assessed and configured:
✔️Confirm that access to the collaboration platform complies with corporate access and password management practices.
✔️Confirm that access to the collaboration platform is managed through a centralized identity management solution such as Active Directory (AD).
✔️Consider implementing a single sign-on (SSO) solution that ties corporate and cloud resources to a common authentication source if the collaboration platform is not already part of the corporate IT ecosystem (Microsoft Teams, for example, is part of the larger, cloud-hosted Office 365 suite and therefore shares its identity provider).
✔️Protect access to the collaboration platform with multi-factor authentication (MFA). At a minimum, administrative accounts that can create new user accounts or change security settings must be protected with MFA.
✔️Review who has access to the collaboration platform on a regular basis.
✔️Ensure that onboarding and off-boarding processes cover access to collaboration platforms.
Security teams should ensure that:
✔️File sharing permissions within your collaboration platform and within sanctioned file sharing applications, such as Microsoft OneDrive, Google Drive or Dropbox, are restricted to specific groups according to business need.
✔️The collaboration platform and sanctioned file sharing applications are covered by a Data Loss Prevention (DLP) solution.
✔️A collaboration platform is integrated into a corporate Data Lifecycle Management (DLM) program and all data processed and stored within a platform complies with corporate data classification, retention, and backup policies.
✔️Compliance and "non-repudiation" capabilities such as eDiscovery, Legal Hold or archival have been appropriately configured to capture all communication that happens within the corporate collaboration platform.
✔️All conversations, shared files, and audio and video recordings are encrypted in transit and at rest, and are stored in regions that satisfy the data protection and privacy regulations applicable to your company, such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).
✔️Access to the collaboration platform is secured by and integrated with a Mobile Device Management (MDM) solution, with rules in place that allow only pre-approved or company-owned devices to connect. If such rules are not defined, check which compensating controls and policies are in place to protect the confidentiality of corporate data accessible through the collaboration platform.
✔️External guest access to a collaboration platform has been assessed and adequately configured or disabled.
✔️Security teams have full visibility into the logs generated by the collaboration platform. Logs should be collected and forwarded to the corporate SIEM, and detection use cases should be developed for unauthorized access and for unusual user behaviour (for example, anonymous or external participants joining meetings, or recordings started by someone other than the organizer).
✔️A collaboration platform is placed behind a Cloud Access Security Broker (CASB) to enforce corporate security policies.
✔️Usage of a collaboration platform is covered by the Acceptable Use Policy (AUP) and all employees are aware of how a collaboration platform can and cannot be used.
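As an added illustration of the SIEM use cases in the checklist and of the meeting practices described earlier (it is not part of the original post and not Mandiant's code), the Python below replays a constructed, vendor-neutral audit trail and raises a finding whenever an anonymous or external identity joins a meeting, or screen sharing or recording is started by someone other than the organizer. The event names, field names, and the internal domain example.com are assumptions; a real deployment would map the platform's own audit schema onto them.

```python
import json
from collections import Counter

# Assumption: the organization's own mail domain(s); any other domain is "external".
INTERNAL_DOMAINS = {"example.com"}

# Constructed sample audit trail (not exported from any real platform), in a
# vendor-neutral one-JSON-object-per-line shape: timestamp, meeting id, event
# type and the identity the platform reports for the actor.
SAMPLE_LOG = """
{"ts": "2020-04-01T09:00:00Z", "meeting": "m-1", "event": "meeting_start", "actor": "alice@example.com"}
{"ts": "2020-04-01T09:00:10Z", "meeting": "m-1", "event": "join", "actor": "bob@example.com"}
{"ts": "2020-04-01T09:00:20Z", "meeting": "m-1", "event": "join", "actor": "+1 555 0100"}
{"ts": "2020-04-01T09:01:00Z", "meeting": "m-1", "event": "join", "actor": "guest@partner.test"}
{"ts": "2020-04-01T09:02:00Z", "meeting": "m-1", "event": "screen_share_start", "actor": "bob@example.com"}
{"ts": "2020-04-01T09:03:00Z", "meeting": "m-1", "event": "recording_start", "actor": "guest@partner.test"}
{"ts": "2020-04-01T09:04:00Z", "meeting": "m-1", "event": "recording_start", "actor": "alice@example.com"}
this line is not JSON and is skipped by the parser
{"ts": "2020-04-01T10:00:00Z", "meeting": "m-2", "event": "meeting_start", "actor": "carol@example.com"}
{"ts": "2020-04-01T10:00:05Z", "meeting": "m-2", "event": "join", "actor": "dave@example.com"}
"""

# Event types that only the organizer should be able to trigger, mapped to the
# finding raised when anyone else triggers them.
ORGANIZER_ONLY = {
    "screen_share_start": "screen_share_by_non_organizer",
    "recording_start": "recording_by_non_organizer",
}


def parse_events(text):
    """Parse one JSON event per line; blank or malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def classify_actor(actor, internal_domains=INTERNAL_DOMAINS):
    """'internal' for a corporate mailbox, 'external' for any other domain, and
    'anonymous' when the platform reports no mailbox identity (e.g. a dial-in number)."""
    if "@" not in actor:
        return "anonymous"
    domain = actor.rsplit("@", 1)[1].lower()
    return "internal" if domain in internal_domains else "external"


def detect(events, internal_domains=INTERNAL_DOMAINS):
    """Replay events in time order and return one finding per policy deviation."""
    organizers = {}  # meeting id -> identity that started the meeting
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        meeting, kind, actor = ev["meeting"], ev["event"], ev["actor"]
        if kind == "meeting_start":
            organizers[meeting] = actor
        elif kind == "join":
            who = classify_actor(actor, internal_domains)
            if who != "internal":
                findings.append({"ts": ev["ts"], "meeting": meeting,
                                 "rule": f"{who}_participant", "actor": actor})
        elif kind in ORGANIZER_ONLY:
            # An unknown organizer (no meeting_start seen) also raises a finding:
            # fail closed rather than silently trusting the actor.
            if actor != organizers.get(meeting):
                findings.append({"ts": ev["ts"], "meeting": meeting,
                                 "rule": ORGANIZER_ONLY[kind], "actor": actor})
    return findings


def summarize(findings):
    """Count findings per (meeting, rule) for a quick triage view."""
    return Counter((f["meeting"], f["rule"]) for f in findings)


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_LOG)):
        print(f"{f['ts']} {f['meeting']} {f['rule']}: {f['actor']}")
```

The external and anonymous participant findings are informational (a partner or a legitimate dial-in will trigger them) and are best correlated with the organizer's invite list; the non-organizer screen share and recording findings indicate that the platform-side controls from the meeting checklist are not enforced and warrant a configuration review.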
Collaboration solutions have become key to enabling remote work, and if the proper steps are taken to securely configure and deploy them, the risks they introduce can be mitigated. As these platforms become used more heavily in regular business, it is increasingly imperative that organizations have threat intelligence feeds in place, and vulnerabilities impacting these platforms are identified and addressed promptly.