This is the last of a three-part series on an often-unnoticed security flaw: the corporate conference bridge. This essential communications enabler, despite PINs and pass codes, can be easily exploited by former employees, competitors, or other bad actors, who can join your calls with a bit of ingenuity and listen to your confidential conversations with impunity. In Part 1, we discussed the four elements of a conference bridge call and how they can be compromised. In Part 2, we examined two scenarios of how these compromises can actually be executed. So, how do you plug this gap? There are several common-sense steps that every organization can consider. Think ORRAP: Obfuscate, Rotate, Refresh, Automate, Proctor:
- Obfuscate. Some bridge vendors use a standard number for all call-ins, or one standard number per organization. Others provide individualized bridge numbers. A standard bridge number is public, or at least semi-public to ex-employees and business counterparts; an individual one is not. Keep in mind that a number stays private only as long as it is not circulated: Scenario 2 in Part 2 shows how a company bridge reused for an outside committee becomes known to a competitor in a single e-mail.
- Rotate. Participant codes, PINs and other entry data should carry an expiration date. Treat them exactly like passwords: every piece of entry data for your organization should be private, not derived from anything guessable (an extension, a desk number, a birthday), and rotated. Require periodic changes; the schedule is up to you. People may complain about the inconvenience, but those complaints are easily mitigated with the next step below.
- Refresh. Use the occasion of rotation to republish the new bridge information and procedures. This is a good opportunity to build awareness and remind people of secure bridge etiquette: taking attendance, knowing with certainty who is on the line, how to drop suspected lines, and so on. It can also be an excellent forcing function for a larger awareness effort and a refresh of the Business Continuity Plan.
- Automate. The bridge function can be re-engineered so that joining is automated, which removes the need to hand the number and PIN to participants at all. Some vendors offer a one-click bridge join. Many Mass Emergency Notification vendors can send automated phone calls to team members ("Conference bridge starting, press 1 to join") that connect people straight through. A company called Zipbridge (www.zipbridge.net; full disclosure, ARSC is a partner) offers an "outbound bridge" as a dedicated product: the host dials a launch number (not the bridge number), and the system calls the participants and pulls them into the bridge. The bridge number and PIN are never disclosed to participants.
- Proctor. Proctored conference calls are another option for confidential meetings. Some conference bridge vendors will place a professional proctor on the call to screen incoming attendees, monitor who is on the line and perform other functions. A proctor is a line of defense in its own right.
In Part 1 of this series, we identified the conference bridge as a potential vector for data leakage and compromise of confidential information. We discussed the four elements of a bridge - the time of call(s), conference phone number, the PIN or participant code, and human factors. We outlined how each can be compromised with a bit of social engineering and ingenuity. Let's now examine two scenarios to show how confidential company secrets can be siphoned off of a bridge. Note: these actions are illegal, and ARSC discusses them for informational purposes only and does not suggest or condone these actions.
Scenario 1: Bob is a former IT employee at www.xyz.com, now unemployed and cash-poor. He gets a call from a friend: "Hey, your old job's Web site is down!" He pulls up the old IT Operations bridge on his phone. It still works! He dials in. There are so many people working the problem that the manager does not hear the join tone. Bob listens while IT Ops decides to relax two-factor authentication and open a back door so developers can work the problem. Voila! Bob is now in the system! The files, critical data and opportunity for profit are his for the taking!
Scenario 2: Chuck works for a competitor of StartUp 2.0. He really wishes that he could be a "fly on the wall" for the Product strategy discussions. Chuck belongs to a committee of a local industry professional group, chaired by a StartUp 2.0 employee, Carol. Carol uses her company's bridge for the committee's meetings. She sends the invite out using her company bridge for this association's meetings: Dial-in 1-888-CON-CALL, PIN 2067690428. Chuck now knows StartUp's bridge number and sees that the PIN is Carol's desk number. He finds out the name of the VP of Product, Alice (thanks, LinkedIn!). He calls StartUp's main number after hours and uses the dial-by-name function. He listens to the messages and now knows Alice's extension and therefore her phone number... and therefore her PIN. Chuck tries the bridge on Monday morning. Nothing! Tries Tuesday morning. Nothing! Tries Wednesday morning. Paydirt! There are already three people on the call. "Who joined?" Chuck stays on Mute. Alice joins. "Who do we have?" "Dan here!" "Erin here!" "Frank here, and there's someone else on, I think." Alice: "Anyone else on? Ha-ha, while they're hunting for the Unmute button let's get started. What's the word on our latest product launch?"
There are other scenarios but they follow a similar pattern: social engineering, a bit of guesswork and under-the-radar listening.
Now that you see how easy it is, we will examine several common-sense basic practices organizations can take to make their conference bridges more secure (not secure, but more secure)... in Part 3!
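The "Rotate" step in Part 3 asks for participant codes that are private, non-guessable and expiring, and Scenario 2 above shows the failure it is meant to prevent: a PIN that is simply the host's desk number. As an added example (not code from the ARSC posts or from any bridge vendor), the script below issues random participant codes with an expiry date and rejects codes that are short, sequential, repeated, or derived from a host's phone number or extension. The phone number, dates and the 90-day rotation interval are all assumptions made for illustration.

```python
"""Added example, not code from the ARSC posts: issue conference-bridge participant
codes that are random, expire on a schedule, and are never derived from a phone
number. Every name, number and date here is constructed for illustration."""
import re
import secrets
from datetime import date, timedelta

MAX_CODE_AGE_DAYS = 90   # assumed rotation interval; the post leaves the schedule to you
CODE_LENGTH = 9          # nine random digits: about a billion possibilities
DIGITS = "0123456789"
ASCENDING = DIGITS * 2            # "01234567890123456789": any ascending run is a substring
DESCENDING = ASCENDING[::-1]      # "98765432109876543210": any descending run is a substring


def digits_only(number: str) -> str:
    """Keep only the digits so '206-769-0428' and '(206) 769-0428' compare equal."""
    return re.sub(r"\D", "", number)


def guessable_reasons(code: str, host_phone_numbers: list[str]) -> list[str]:
    """Return why a participant code is guessable; an empty list means it passed.

    This is the check Scenario 2 needed: a PIN equal to the host's desk number or
    extension is recoverable from a directory listing or the dial-by-name menu.
    """
    code = digits_only(code)
    if not code:
        return ["empty"]
    reasons = []
    if len(code) < 8:
        reasons.append("too short")
    if len(set(code)) == 1:
        reasons.append("single repeated digit")
    elif len(code) >= 2 and (code in ASCENDING or code in DESCENDING):
        reasons.append("sequential digits")
    for phone in host_phone_numbers:
        p = digits_only(phone)
        # Flag the full number, the extension (trailing digits of the number),
        # or a code that merely ends in the last four digits of the number.
        if code == p or p.endswith(code) or (len(p) >= 4 and code.endswith(p[-4:])):
            reasons.append(f"derived from host phone number {phone}")
            break
    return reasons


def issue_code(host_phone_numbers: list[str], issued_on: date) -> dict:
    """Issue a fresh code with an expiry; regenerate until it passes every check."""
    while True:
        code = "".join(secrets.choice(DIGITS) for _ in range(CODE_LENGTH))
        if not guessable_reasons(code, host_phone_numbers):
            return {"code": code, "issued": issued_on,
                    "expires": issued_on + timedelta(days=MAX_CODE_AGE_DAYS)}


def code_status(record: dict, host_phone_numbers: list[str], today: date) -> str:
    """Return 'expired', 'weak: <reasons>' or 'ok'.

    Expiry is checked first: a stale code is stale regardless of how strong it
    looked when it was issued.
    """
    if today >= record["expires"]:
        return "expired"
    reasons = guessable_reasons(record["code"], host_phone_numbers)
    return "weak: " + ", ".join(reasons) if reasons else "ok"


if __name__ == "__main__":
    # Constructed directory entry in the style of Scenario 2 (not a real number).
    carol = ["206-769-0428"]
    legacy = {"code": "2067690428", "issued": date(2023, 6, 1), "expires": date(2024, 12, 31)}
    print("legacy code:", code_status(legacy, carol, date(2024, 7, 1)))
    # -> weak: derived from host phone number 206-769-0428
    fresh = issue_code(carol, date(2024, 7, 1))
    print("fresh code:", fresh["code"], code_status(fresh, carol, date(2024, 7, 2)))  # -> ok
    print("after rotation window:", code_status(fresh, carol, date(2024, 10, 1)))      # -> expired
```

The host phone list is the one piece of organizational data the check depends on; feed it the host's direct line and extension as they appear in the directory, since those are exactly what an outsider can recover the way Chuck did. Regenerating in a loop (rather than rejecting and asking the host to pick a code) is deliberate: people asked to choose a PIN choose a desk number.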
From the Managing Principal
Thought leadership, observations and more