[Cryptography] NSA security guidelines for videoconferencing

[Henry Baker]

FYI --

https://www.hstoday.us/subject-matter-areas/cybersecurity/to-zoom-or-whatsapp-nsa-lays-out-security-details-of-videoconferencing-services-for-teleworkers/

To Zoom or WhatsApp?

NSA Lays Out Security Details of Videoconferencing Services for
Teleworkers

April 29, 2020 Bridget Johnson

With coronavirus forcing federal workers to conduct meetings via
videoconferencing tools, the National Security Agency compiled a guide
on security advantages and deficits of popular online meeting
platforms.

https://media.defense.gov/2020/Apr/24/2002288652/-1/-1/0/CSI-SELECTING-AND-USING-COLLABORATION-SERVICES-SECURELY-LONG-FINAL.PDF

NSA detailed whether the video tools, including Zoom and Skype,
offered security features such as multi-factor authentication,
transparency on which users are joining sessions, and end-to-end
encryption.

"With limited access to government furnished equipment (GFE) such as
laptops and secure smartphones, the use of (not typically approved)
commercial collaboration services on personal devices for limited
government official use becomes necessary and unavoidable" due to
COVID-19, notes the guidance.

NSA coordinated with the Department of Homeland Security, which will
be issuing its own guide, "Cybersecurity Recommendations for Federal
Agencies When Using Video Conferencing Solutions." It's intended to be
"responsive to a growing demand amongst the federal government to
allow its workforce to operate remotely using personal devices when
deemed to be in the best interests of the health and welfare of its
workforce and the nation," and the recommendations are subject to
change as web tools and vulnerabilities evolve.

NSA did not include in its guidance government online meeting services
intended for secure communications such as Defense Collaboration
Services or Intelink Services. The agency also "strongly recommends"
using a secure government service before any of the commercial
collaboration services. The NSA guidance also does not override
specific telework guidance agency by agency.

The criteria was drafted to align with U.S. government guidance
including NIST SP 800-171r2 – Protecting Controlled Unclassified
Information in Non-Federal Systems and Organizations (Feb 2020) and
NIST SP 800-46r2 Guide to Enterprise Telework, Remote Access and BYOD
Security (Apr 2016).

Evaluating an online collaboration service includes asking:

1. Does the service implement end-to-end encryption?: "Some services
such as large-scale group video chat are not designed with end-to-end
encryption for performance reasons."

2. Are strong, well-known, testable encryption standards used?: "Use
of published protocol standards, such as TLS and DTLSSRTP, is
preferred. If the product vendor has created its own encryption scheme
or protocol, it should undergo an independent evaluation by an
accredited lab."

3. Is multi-factor authentication (MFA) used to validate users'
identities?: "Without MFA, weak or stolen passwords can be used to
access legitimate users' accounts and possibly impersonate them during
use of the collaboration service."

4. Can users see and control who connects to collaboration sessions?:
"Users should also be able to see when participants join through
unencrypted/unauthenticated means such as telephone calls."

5. Does the service privacy policy allow the vendor to share data with
third parties or affiliates?: "Collaboration information and
conversations should not be shared with third parties. This could
include metadata associated with user identities, device information,
collaboration session history, or various other information that may
put your organization at risk."

6. Do users have the ability to securely delete data from the service
and its repositories as needed?: "Users should be given the
opportunity to delete content (e.g. shared files, chat sessions, saved
video sessions) and permanently remove accounts that are no longer
used."

7. Has the collaboration service's source code been shared publicly
(e.g. open source)?: "Open source development can provide
accountability that code is written to secure programming best
practices and isn't likely to introduce vulnerabilities or weaknesses
that could put users and data at risk."

8. Has the service and/or app been reviewed or certified for use by a
security-focused nationally recognized or government body?: "NSA
recommends that cloud services (which collaboration apps rely on) be
evaluated under the Office of Management and Budget (OMB) FEDRAMP
program. NSA also recommends that collaboration apps be evaluated by
independent testing labs under the National Information Assurance
Partnership (NIAP) against the Application Software Protection Profile
(PP)."

9. Is the service developed and/or hosted under the jurisdiction of a
government with laws that could jeopardize USG official use?: "Users
should be aware that the country of origin where products were
developed is not always public knowledge."

https://www.hstoday.us/wp-content/uploads/2020/04/Screen-Shot-2020-04-29-at-1.34.40-PM.png

NSA stressed that collaboration software should only be downloaded
directly from an official app store and that those using browser-based
services should check that HTTPS is enabled.

Meeting invites should also be sent through encrypted and
authenticated means instead of posted in public forums, if
possible. One person should be in charge of monitoring participants
joining the videoconference, keeping an eye out for unverified
intruders.

"Be aware of screen-sharing features so that you only share your
screen to display content salient to the collaboration session. If
content is sensitive, ensure that it is appropriate to share with all
participants. Be mindful of the affiliations of those with whom you
connect," the NSA guidance added. "Be aware of your surroundings
including any other communications going on (e.g. family members on
phone calls or video chats, location hints if working from a sensitive
location). Disable unnecessary app permissions (e.g. location
services). Ensure there is no other software on your device that is
actively sharing microphone data back to a remote server. Note that
less-trusted devices, to include Internet of Things (IoT), often have
microphones or cameras, so it may be wise to leave personal cell
phones or computers in a different room if they are not being used for
work."

Bridget Johnson is the Managing Editor for Homeland Security Today. A
veteran journalist whose news articles and analyses have run in dozens
of news outlets across the globe, Bridget first came to Washington to
be online editor and a foreign policy writer at The Hill. Previously
she was an editorial board member at the Rocky Mountain News and
syndicated nation/world news columnist at the Los Angeles Daily
News. Bridget is a senior fellow specializing in terrorism analysis at
the Haym Salomon Center. She is a Senior Risk Analyst for Gate 15, a
private investigator and a security consultant. She is an NPR on-air
contributor and has contributed to USA Today, The Wall Street Journal,
New York Observer, National Review Online, Politico, New York Daily
News, The Jerusalem Post, The Hill, Washington Times, RealClearWorld
and more, and has myriad television and radio credits including
Al-Jazeera and SiriusXM.