Connecting state and local government leaders
IT leaders are warning users that the pandemic’s disruption of normal work processes has created wide avenues for malicious third parties to access and exploit government systems.
As telework surges in the public sector, IT leaders are warning users that disruption of normal work processes has created wide avenues for malicious third parties to access and exploit government systems through web conferencing vulnerabilities.
An email from the CIO at the Department of Health and Human Services to employees and contractors flagged a number of potential attacks, such as interruption and disruption, use of fake web addresses to trick conference attendees into downloading malware and release of newly discovered zero-day exploits.
Conference managers were asked to be mindful about who they authorize to attend web meetings, institute controls on who can share their camera, microphone or screen, and configure password protections for all meetings. The email also advised against posting about upcoming web meetings on social media or configuring them to be accessible to the public "unless necessary."
Other recommendations included restricting physical access to work devices, using separate accounts on personal computers and utilizing root administrative access sparingly. Even with these controls, the CIO’s office advised employees to operate as if their discussions will reach others.
"Assume that information shared in a [video teleconference] conference will be disseminated beyond the authorized attendees," the email stated.
Agencies like the National Institute of Standards and Technology have raced to develop updated guidance to agencies and the private sector for how to conduct their work safely in a remote environment.
A note posted last month by Jeff Greene, director of NIST’s National Cybersecurity Center of Excellence, warned users to immediately report "unusual web meeting requests" to their IT managers and get confirmation over the phone or other means before accepting invitations.
Greene said his agency quickly flagged virtual meeting security as a top concern going into the lockdown. Whether using video teleconferencing or phone meetings, groups should examine their default settings around recordings or cloud storage, login information and attendee access to ensure their choices are deliberate and use one-time identification numbers for high-sensitivity discussions, he advised.
"With respect to approaching anything more than a routine call … we suggest that you think about the sensitivity of the information you're going to discuss, think about the privacy implications if it came out and group it in your mind … in a low, medium and high [risk] context," Greene said during a March 23 webinar hosted by the Cybersecurity Coalition.
Such oversights are common, Greene said, even for those who deal with cybersecurity issues on a regular basis.
"I can't count the number of times in my last job that I reused the same call-in phone number and passcode, and it was easy because I memorized it and could type it in quickly,” he said. “But from a security perspective, it was not probably the best practice."
A longer version of this article was first posted to FCW, a sibling site to GCN.
NEXT STORY: What’s your cloud safety plan?