Over the years, videoconferencing (VC) has migrated from a “nice to have” to a “must have” mission-critical service, especially as LTE and early 4G wireless services and mobile devices have become widely deployed. VC has expanded our vision of data to where video, in the near future, will be considered the data carrier in the same sense that TCP/IP is used as the primary protocol across networks.
Because of this, today’s wireless communications managers now need to focus on the exposure presented by videoconferencing when it comes to IP network security threats, whether a VC session is hosted on a secure or a non-secure network. Even though the basic security principles (i.e. confidentiality, integrity, availability, and accountability) are now addressed by the manufacturers of videoconferencing equipment in both hardware and software, we still need to be aware of ongoing security threats that the world of videoconferencing brings with it. The two most important issues are data encryption and the proper handling of data storage.
Data transmission is one of the most vulnerable areas of videoconferencing security, since the data must still traverse both private and public networks to reach its final destination - the other screen. This is addressed by the built-in encryption in today’s VC products; however, not everyone utilizes it properly. The most common encryption algorithms are 56-bit DES (Data Encryption Standard) and 128-bit AES (Advanced Encryption Standard).
The weaknesses in the much older DES allow the encryption to be easily broken with various methods of attack, and it has therefore been replaced by the more commonly applied AES, which is still impervious to most types of cracking methodologies. The longer 256-bit encryption key available with AES makes it much more difficult for an attacker to break; however, many companies still utilize the “out of the box” setup of their VC equipment in the default 56-bit DES mode.
The information that flows through a videoconferencing system may contain sensitive or even classified information and the storage of this information is sometimes overlooked as a security risk. By using existing hardware/software solutions, an attendee at a conference, for example, can capture and store video data for future playback directly on a mobile device. Unless tightly controlled, an unauthorized individual could easily gain access to sensitive information.
There are primarily three types of videoconferencing systems available: a full VC appliance, PC-based, and mobile-based. The latter two approaches create a far more flexible VC environment; however, they increase security risks because the data may be stored on internal hard drives. If sensitive information is being broadcast, then one must take additional steps to secure the PC or mobile device by utilizing two different external hard drives - one for secure calls and the other for standard non-secure calls.
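As an added illustration (not part of the original article), the following Python example audits a VC endpoint inventory for the two issues discussed above: endpoints left on DES or with encryption off, and PC- or mobile-based endpoints that record to internal storage. The CSV column names and the sample rows are constructed assumptions, not any vendor's export format.

```python
import csv
import io

# Constructed sample inventory; the column names are assumptions for this
# example, not any vendor's export format.
SAMPLE_INVENTORY = """\
endpoint,type,cipher,key_bits,local_recording
boardroom-1,appliance,DES,56,no
hq-bridge,appliance,AES,128,no
laptop-jdoe,pc,AES,256,yes
tablet-17,mobile,NONE,0,yes
"""

MIN_AES_BITS = 128  # smallest AES key size named in the article


def audit_endpoint(row):
    """Return the list of findings for one inventory row."""
    findings = []
    cipher = row["cipher"].strip().upper()
    bits = int(row["key_bits"]) if row["key_bits"].strip().isdigit() else 0
    if cipher in ("", "NONE", "OFF"):
        findings.append("media encryption disabled")
    elif cipher == "DES":
        findings.append("DES in use (factory default left unchanged?)")
    elif cipher != "AES" or bits < MIN_AES_BITS:
        findings.append(f"unexpected cipher setting {cipher}-{bits}")
    # PC- and mobile-based endpoints can keep captured video on internal drives.
    kind = row["type"].strip().lower()
    if kind in ("pc", "mobile") and row["local_recording"].strip().lower() == "yes":
        findings.append("recording enabled on a device with internal storage")
    return findings


def audit_inventory(text):
    """Map endpoint name -> findings, skipping endpoints with none."""
    report = {}
    for row in csv.DictReader(io.StringIO(text)):
        findings = audit_endpoint(row)
        if findings:
            report[row["endpoint"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {'; '.join(findings)}")
```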
With mobile-based Unified Communications (UC) becoming the norm in corporate America, a much more proactive approach is required to secure the information within video endpoints, video bridges, management systems and within the VC environment. “Make sure your organization does so!”
Jeff Koonce is the IT Infrastructure Manager for Our Kids of Miami-Dade, FL, and a Contributing Editor for Mobile Enterprise.