With seemingly everyone teleworking, the only way people can meet is through some awkward application or another. Teleconferencing can also mean fresh cybersecurity challenges. To help, the National Institute of Standards and Technology has rushed out some guidelines. Federal Drive with Tom Temin spoke to Director of the National Cybersecurity Center of Excellence Jeff Greene, to learn what to watch out for.
Tom Temin: Jeff, good to have you on.
Jeff Greene: Good to be here. Thanks for the opportunity.
Tom Temin: I guess it’s fair to say NIST is using the same champagne because you’re all teleworking also, correct?
Jeff Greene: We are, indeed, except for mission critical, we are all now teleworkers, newly christened or otherwise.
Tom Temin: That’s right. Somebody’s got to keep the chimpanzees alive if you’ve got any in there. But this – lots of agencies are using lots of applications. I don’t know, Skype and Ring Central, and there’s dozens of them I guess. And what are the chief cybersecurity dangers with those?
Jeff Greene: Probably the single biggest one, from my perspective, is people not realizing that they have a security or privacy risk when they’re using conference calls or webinars or other web-based tools. The way this, our initial effort came about was walking in from the parking lot conversation, a couple of us, and we started thinking about how things may change as people go to increased telework. And one of the first things I thought of was in a previous life, I was at a security company and I was reusing the same conference call number endlessly, and I thought, “Wow,” like, how do I not realize that was a risk? And if I as a paranoid security company worker wasn’t thinking about it, then other people might not be, too. And we checked with a few folks, and they all had the same reaction that some basic guidance to have people just start thinking about this. And that’s true in tele-calls or conference calls – any type of security oftentimes, the hardest thing is to get people to stop and think about it, and actually take a first step. Then once they start working on it and thinking about it they’ll make good decisions. But it’s getting people focused and willing to actually jump in and try something.
Tom Temin: And when using some of these applications, they in turn rely on the public network to do their work. And so the tie-in to the Internet or to the phone system, the standard POTS phone system, is that an interface that needs to be watched also?
Jeff Greene: You know, it can be the standard POTS system. We didn’t address that in the guidance, but, if you were using pure web-based, it’s good to know that you’re on a network you can trust, whether, now a lot of home networks or if you’re connecting, like when I connect to work now I’m through a virtual private network or VPN, so I have a good level of confidence that that connection is secure. But if you’re sitting at the Starbucks, you need to think about, well, I guess we’re not doing that now. But if you’re out on a public WiFi network, you want to make sure you’re using some basic security, VPN or otherwise. And you also need to think about the people sitting around you, because you never know who might be eavesdropping when you’re out in public. But yeah, paying a little attention, base level, to how you’re connecting is important. Make sure that you’re on a secure network.
Tom Temin: Yeah it seems like for a long time people were using the lack of social distancing as a way to kind of show off how important they are and babbling about their business on a phone somewhere. And what about agencies that may have security clearance and security and top secret related types of calls that they have to make? Can these types of public applications be used safely for those?
Jeff Greene: So our rule number one in all of our guidance is follow your agency’s rules, check to see – or your organization, your company. So any type of high-level secure call, you’re gonna have guidance that’s gonna be there from that agency. They’re gonna have approved applications, methods. And we don’t delve into that in our guidance; we’re really focused on the general teleworker, be it private sector, government, or there are people out there who have a lot of virtual happy hours now. And maybe you want to keep a snooper out of that. But if you’re working at that high side, you definitely, one of your first stops is going to be to check with your supervisors, your security officers, and make sure you follow whatever rules you have there. I suspect there’s a lot of work going on in the back end there to make sure that they can adapt to the volume of people who potentially could be remote now.
Tom Temin: We’re speaking with Jeff Greene. He’s director of the National Cybersecurity Center of Excellence. And so the basic piece of advice then that people can actually do, aside from follow policy, what you’re saying is just be really careful about passcodes and PINs and keep changing them a lot so that maybe past participants can’t get in on future meetings.
Jeff Greene: That is an important starting point, but it’s also important to think about the nature of the call. Not every call is gonna be created equal. You may have a call that is not sensitive at all, and that could be just three people. It could be 300 people. The flip of it, you could have a call with 300 people that is highly sensitive. So start, you know, once you make that first step of okay, I need to think about security. The next step we recommend is think about the nature of the topic of the call and think about – view that conversation like you would any data or any document. Decide how secure you think it needs to be, how sensitive it is. It could be sensitive business information, could be personnel information about your employees. It could be personal information. You know, apply the old Washington Post test: Is it something you’d want to see out in the public? And then once you make that determination, we’ve published a one-pager as part of our blog that gives you some tips depending upon the level of security you think you need. But it’s also important not to lose sight of usability. We don’t want to make it so hard for people to connect that they’re just gonna put aside security because too many complications have come in. So if you have a very public call, not sensitive, but you are using one-time passcodes that are distributed five minutes before the call, you’re gonna lose people. You don’t need that level of security there, so it’s appropriate security to the situation. And once you’ve started thinking about that security, don’t lose sight of the usability, because if security gets too hard, it’s going to get dropped off too quickly. We want to make this a new practice as opposed to a one-time thing.
Tom Temin: And are there any special considerations, if you are using video chatting or multiple people on videos where you can see people?
Jeff Greene: Yep, definitely video. You can find plenty of instances where people have been on video chat and had either sensitive information or including their passwords displayed behind them, or their documents can be seen. And the same is true for screen sharing. Screen sharing is really common for a good reason. It makes it easy to collaborate. But a couple things that people are generally pretty good about closing things that are open, but they might not think about. If you have three tabs open in a browser, someone can – and you only have, you’re on the browser, you want to show the browser tab, people can see the titles of the other tabs. They might get information from that.
Tom Temin: They could tell you’re shopping for toilet paper.
Jeff Greene: Right, exactly. The desperate search that we’re all in right now. The same is true, though, for pop-up alerts, like you may have an email alert pop up and that can give away information, or a text alert or other things. So if you’re going to be sharing, make sure that anything that could accidentally pop up sensitive information is not gonna happen. You know, I’ve been on plenty of calls where people’s emails have popped up, and I’ve never personally picked up anything sensitive off that. Try not to, but it can definitely happen. And once the toothpaste is out of the tube, you really, you’re doing damage control.
Tom Temin: Yeah, with video and screen sharing just the possibilities are endless. Even if they’re not cybersecurity, they could sure be embarrassing, I guess.
Jeff Greene: Absolutely.
Tom Temin: All right, any other advice that you want to make sure people don’t overlook as we go virtual in our interactions?
Jeff Greene: Really think about whether you’re recording a call. Some services will record by default. But as with security, you want it to be a conscious choice as to whether you’re recording or not recording. And if you do record and if it is particularly sensitive, make sure that either you’re encrypting it if you’re storing it locally, or if your vendor is that they’re encrypting it. If there’s a data leak and it’s not encrypted, it’s out there. So a lot of these services, as I said, will record by default when you set up your account, so pay attention to that. Whatever you do, you want it to be a conscious choice.
Tom Temin: I guess maybe one implication then also is that you should use the corporate or agency version, the enterprise version, where IT can have some control over the controls, versus a personal version of these kinds of products.
Jeff Greene: Yeah, for whatever organization you’re a part of, your first stop should be to figure out what they have provided you and follow their rules, because that way there are often – you may not even be aware of – tools on the back end to try to control it if you make a wrong turn. But if you’re doing it on your own, you’re much more out hanging out by yourself if there’s a problem.
Tom Temin: Jeff Greene is director of the National Cybersecurity Center of Excellence, and that’s at the National Institute of Standards and Technology. Thanks so much for joining me.
Jeff Greene: Great, thanks for having me.
Tom Temin: We’ll post this interview at www.federalnewsnetwork.com/FederalDrive. Hear the Federal Drive on your schedule. Subscribe at Apple Podcasts or Podcastone.