The year 2020 will be forever ingrained in history books—but without education, who will write the chapters and draw conclusions and, ultimately, will our children even have a chance to read them?
In the early days of the coronavirus outbreak, many schools and educational institutions were forced to hastily shift to 100% remote learning models, with little-to-no preparation. Parents, other caregivers (often grandparents), and children needed to adapt to new regimens at home, at school, in sports, and at work amidst continuously evolving coronavirus news and guidelines. Often, parents and caregivers found themselves providing additional support as “teachers” while their children received school work via text messages, websites, and emails. This compounded the stresses of everyone crowded into a home for a long duration of time. Simply put, for many, the first go-around for remote schooling did not go smoothly. For some, it’s felt like being mired in a virtual Groundhog Day.
While, at least in the U.S., most children got a reprieve from schooling and the complications of distance learning over the summer months, many people have continued working from home using video conferencing solutions and other technologies. By many measures, this adaptation to remote work has gone remarkably well. Daily interruptions from children, pets, and even the occasional delivery are now perfectly acceptable (within reason, of course) within this “new normal.”
While many families, students, teachers, and schools yearned optimistically for a return to in-class teaching for the Fall semester, lack of progress in keeping coronavirus at bay has squashed these hopes in regions that continue to be hard hit by the pandemic.
Are You Prepared for Remote Learning this Fall?
With that initial remote learning test drive now months behind us, how prepared are schools for distance learning in the Fall? The answer varies widely from district to district, and even classroom to classroom, but there is still time to prepare.
Those districts that didn’t flinch at the decision to commit months ago to full remote learning for the Fall semester are doubtlessly much better prepared. However, for the many districts that have been painstakingly grappling with a multiplicity of different scenarios, from complete in-class training to all sorts of hybrid models, getting remote learning right in time will be more of a struggle, since their focus has been divided. This blog is not judging that decision—the stakes for our children’s education and the health of the communities in which we live could not be higher.
Any decision regarding in-class or virtual learning is fraught with difficult-to-gauge implications and tradeoffs, both for today and for the long term. This is all just part of the complex reality of operating within a pandemic. There are many choices, but few come easy, and almost none of them seem to come with consensus. Whatever stage you are at, this blog aims to help you get the security part of remote learning and teleconferencing right.
Videoconferencing Solutions Explained
So, what exactly are video conferencing solutions? These solutions, also referred to as web conferencing, are designed to allow voice, video, and content sharing (applications) for one-to-one, one-to-many, and many-to-many people or conference rooms at the same time. Video teleconferencing sessions can be recorded for future playback in case someone misses a call or needs to review the content.
The technology for video conferencing is available in dedicated hardware, conference rooms, computers, and mobile devices to facilitate communications anywhere a person has Internet connectivity. In theory, this allows everyone to stay connected to anyone else using as many senses as possible to communicate a message, discuss a topic, or provide training and education. This includes the application of cameras, microphones, screen sharing, polling, file sharing, instant messaging, chat, background augmentation, noise cancellation, and even attention monitoring technology.
Video conferencing technology is available from a variety of vendors. Solutions range from enterprise-class products that provide robust features and come with an enterprise-class price tag to match, to free solutions that provide the basics for no-frills communication – typically audio and video only – while providing minimal, if any, security controls. Regardless, it is ultimately the design and implementation of the technology that carries the risk—just because someone pays for one solution over another does not necessarily make it more secure.
Now to the problem. We need to continue to educate our youth, and video conferencing is a valid solution for remote education – whether K-12 or college, post-grad, or continuing education. With that in mind, many educational institutions are using whatever cost-effective or free tools they can find to meet their needs. No one budgeted to have a robust video conferencing solution for this pandemic.
During the pandemic, solutions like Zoom, Google Hangouts, FaceTime, GoToMeeting, and Webex have become household names and have been highlighted by the media as viable solutions to meet the demand. Enter threat actors with no morals or scruples, who have begun hacking and exploiting these tools for their own personal gain or malicious intent.
What the threat actors are finding is true for almost every piece of software that has been made available. Some solutions are trivial to exploit, have poor security, and can be compromised by nearly anyone. Other solutions are more mature and security-conscious, and prove that cost is not a deciding factor for security – just that they were developed and released with security in mind.
Top Methods of Exploit for Video Conferencing Software
The security of video conferencing solutions can be compromised by the following types of attacks:
- A denial of service (DoS) stopping or interrupting a broadcast
- Inappropriate users forcibly joining sessions and exposing illicit or illegal material to students (session jacking)
- Hijacking paid accounts and using them for malicious intent outside of classroom time
- Phishing students to join a session that contains malware or inappropriate material using fake emails, text messages, or even fake phone calls
- Hacking the video conferencing solution to obtain credentials and perform remote code injection on users’ computers
- Downloading or uploading recorded classes and leveraging the content in an inappropriate manner (i.e., content was replaced with illicit material)
Some of the exploits on teleconferencing tools have been well publicized and have set back virtual learning, and even led to the banning of certain tools across school districts.
Best Practices for Ensuring Safe & Secure Teleconferencing
To protect video conferencing sessions used for students, regardless of age, consider implementing the following five security controls:
1) Frequently change the URL for a class. The URL should not be the same link for the entire course. Ideally, it should change daily, but weekly or monthly is sufficient for most environments.
2) The video conferencing classroom session should have a password to join. Classes should not be available to join based on a URL alone, and the password should change frequently and be shared with students via a separate correspondence.
3) If the video conference is being recorded, make sure that all students acknowledge their acceptance and parents have given permission for the students to be recorded. Not all regional laws allow for this, and schools will have to check with their data privacy officers to ensure the recordings are stored within an acceptable location (especially for cloud-based conferencing solutions).
4) Ask students to accept a code of conduct that includes best practices and decorum for video conferencing. This encompasses everything from cheating to ensuring they are appropriately dressed when the camera is on.
5) Protect the administrative accounts for video conferencing solutions with a privileged access management (PAM) solution to ensure your on-premises or cloud-based SaaS instance does not get compromised by a privileged attack vector.
A Foundation for Effective & Safe Remote Learning
COVID-19 has changed, at least in the short term, how we educate our children and enable learning through our schools and universities. Video conferencing technology provides a valid way to take the education experience from the classroom to the home, or any remote location.
While some may argue the virtual classroom experience will never be the same as in-person learning, especially for those at the younger grade levels, it’s the next best thing, and it supports learning initiatives while helping preserve the health of students, educators, their families, and the public at large, by reducing transmission rates of coronavirus.
Despite the benefits for learning and community health, the technology risks of teleconferencing and other remote learning technologies are significant. The stakes of security are high, especially for the youngest of pupils. Fortunately, the technology risks are well understood and so are the security controls to eliminate or mitigate them. If we provide teachers, students, and administrators basic guidance on how to safely use video conferencing, regardless of the use case, we will all be better off. We can learn from home, safely return to the classroom when appropriate, and be cyber secure as well.
If you are involved with supporting remote learning/teaching, I encourage you to take the extra effort to understand your teleconferencing tools to ensure they are configured and implemented correctly, used appropriately, and do not become a liability.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.