Cisco WebEx Best Practices for Secure Meetings for Hosts
Overview of WebEx Security

Cisco WebEx online solutions help enable global employees and virtual teams to meet and collaborate in real time as though they were working in the same room. Businesses, institutions, and government agencies worldwide rely on Cisco WebEx solutions to simplify business processes and improve results for sales, marketing, training, project management, and support teams.

For all of these organizations and their users, security is a fundamental concern. Online collaboration must provide multiple levels of security, from scheduling meetings to authenticating participants to sharing content.

Cisco WebEx is a secure environment, yet it can be configured as an open place to collaborate. Understanding the security features as site administrators and end users can allow you to tailor WebEx to your business needs.

For additional information, see the WebEx Security White Paper.
As a host, you are the final decision maker concerning the security settings of your meeting. Always remember that you control nearly every aspect of the meeting, including when it begins and ends.

Follow the security best practices when scheduling the meeting, and during and after the meeting, based on your business needs for keeping meetings and information secure.

Using Your Personal Room (WBS30)

Auto Lock Personal Room

With WBS30, you can automatically lock your Personal Room after your meeting starts. This can be done from My WebEx > Preferences > My Personal Room on your WebEx site.

We recommend locking your room at 0 minutes. This is essentially the same as locking your room as soon as you enter it. This prevents all attendees in your lobby from automatically joining the meeting. Instead, you will see a notification in the meeting when attendees are waiting in the lobby. You can then screen and allow only authorized attendees into your meeting.

Consider your Personal Room URL as a public URL: unless the site administrator has configured Personal Rooms to only be used by signed-in users, anyone can wait for you in your lobby. Always check the names before you let the attendees into your room.

Personal Room Notifications Before a Meeting

When users enter your Personal Room lobby, they can send you an email notification to inform you that they are waiting for a meeting to begin. Even unauthorized users who gain access to your Personal Room lobby can send notifications.

We recommend that you review your email notifications before starting a meeting to screen unauthorized attendees.

If you have not auto-locked your Personal Room at zero minutes, then all attendees waiting in your Personal Room lobby will enter the meeting when you do. Review the participant list and expel any unauthorized attendees.
If you are seeing too many email notifications from unauthorized attendees, consider turning off these notifications. Go to My WebEx > Preferences and turn off your Personal Room notifications by unchecking Notify me by email when someone enters my Personal Room lobby while I am away.

Personal Room Notifications During a Meeting

If you lock your Personal Room, you are able to screen anyone waiting in your lobby. After you enter your meeting, you are notified when someone new enters the lobby and you can choose whether to admit the person or not.

When multiple attendees are waiting in your Personal Room lobby, you can review the list of names and either select individuals or choose to select all, to admit to the meeting.

Scheduling the Meeting

Schedule Unlisted Meetings

To enhance meeting security settings, hosts can opt not to list the meeting on the meeting calendar. To do this, remove the check mark from this option to help prevent unauthorized access to the meeting and hide information about the meeting, such as its host, topic, and starting time.

An unlisted meeting does not appear in the meeting calendar on the Browse Meetings page or on your My Meetings page. To join an unlisted meeting, attendees must provide a unique meeting number.

Unlisted meetings require the host to inform the meeting attendees, either by sending a link in an email invitation, or hosts can enter the meeting number using the Join Meetings page.

Listing a meeting reveals meeting titles and meeting information publicly. If a meeting is not password protected, anyone can join it.

Tip: Choose a level of security based on the meeting's purpose. For example, if you schedule a meeting to discuss your company picnic, you probably need to set only a password for the meeting. On the other hand, if you schedule a meeting in which you will discuss sensitive financial data, you may not want to list the meeting on the meeting calendar.
You may also choose to restrict access to the meeting once all attendees have joined.

Choose the Meeting Topic Carefully

A listed meeting or a forwarded invitation email could, at a minimum, reveal the meeting titles to unintended audiences. Meeting titles can unintentionally reveal private information, so ensure that titles are carefully worded to minimize exposure of sensitive data, such as company names or events.

Secure Meeting with Complex Password

Using complex meeting passwords for every session is the most important step you can take to protect your meeting.

While uncommon, site administrators may choose to allow the creation of meetings without passwords. Under most circumstances, protecting all meetings with a strong password is highly recommended.
The most effective step to strengthen the security of your meeting is to create a high-complexity, non-trivial password (strong password). A strong password should include a mix of uppercase and lowercase letters, numbers and special characters (for example, $Tu0psrOx!). Passwords protect against unauthorized attendance because only users with access to the password will be able to join the meeting.

Do not reuse passwords for meetings. Scheduling meetings with the same passwords weakens meeting protection considerably.

Adding passwords to your meetings does not affect the meeting join experience of authorized attendees. Participants can easily join a meeting by selecting the URL in the meeting invitation or from the WebEx site.

Exclude Meeting Password from Invitations

If you invite attendees to a meeting, the meeting password does not appear in the email invitations that attendees receive. You must provide the password to attendees by another means, such as by phone.

For highly sensitive meetings, exclude the meeting password from the invitation email. This prevents unauthorized access to meeting details if the invitation email message is forwarded to an unintended recipient.

Require Attendees to Have an Account on Your Site

When this setting is enabled, all attendees must have a user account on your site to attend the meeting. For information about how attendees can obtain a user account, ask your site administrator.

In the Meeting Center Advanced Scheduler, check Require attendees to have an account on this Website in order to join this meeting.

Use Entry or Exit Tone or Announce Name Feature

Using this feature prevents someone from joining the audio portion of your meeting without your knowledge. This feature is enabled by default for Meeting Center and Training Center.

For notifications, select Audio Conference Settings > Entry and exit tone > Beep or Announce Name. Otherwise, select No Tone.
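The strong-password and no-reuse guidance under Secure Meeting with Complex Password can be applied mechanically. The following is an added example, not part of the original Cisco document and not WebEx code: it checks a candidate against the four character classes named above and generates a fresh password per meeting. The function names, the minimum length of 10, the generation character set, and the digest-based reuse history are all assumptions.

```python
import hashlib
import secrets
import string

# Character classes the page names for a strong meeting password.
CLASSES = {
    "uppercase": string.ascii_uppercase,
    "lowercase": string.ascii_lowercase,
    "digit": string.digits,
    "special": string.punctuation,
}
MIN_LENGTH = 10              # assumption: the page states no minimum length
GEN_SPECIALS = "!$%&*+=?@#"  # assumption: specials that are easy to read out by phone


def digest(password):
    # Keep digests, not old passwords, so the reuse history is not a password list.
    # Plain SHA-256 is adequate only for random passwords like those generated below.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def missing_requirements(password, used_digests=frozenset()):
    """Return the reasons a password falls short of the guidance ([] if none)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            problems.append(f"no {name}")
    if digest(password) in used_digests:
        problems.append("reused")
    return problems


def new_meeting_password(used_digests, length=12):
    """Generate a fresh password and record it in used_digests (a mutable set)."""
    alphabet = string.ascii_letters + string.digits + GEN_SPECIALS
    while True:
        # Rejection sampling: draw uniformly, keep only candidates with every class.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not missing_requirements(candidate, used_digests):
            used_digests.add(digest(candidate))
            return candidate


if __name__ == "__main__":
    history = set()
    print(new_meeting_password(history))
    print(missing_requirements("$Tu0psrOx!"))  # the page's sample password
```

Keep one history set per host so that every newly scheduled meeting is checked against all earlier ones.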
Restrict Available Features

Limit the available features, such as chat and audio, if you allow attendees to join the meeting before the host.

Request that Invitations not be Forwarded

Request that your invitees do not forward the invitation further, especially for confidential meetings.

Assign an Alternate Host

Assign an alternate host to start and control the meeting. This keeps meetings more secure by eliminating the possibility that the host role will be assigned to an unexpected, or unauthorized, attendee, in case you inadvertently lose your connection to the meeting.
When inviting attendees to a scheduled meeting, you can designate one or more attendees as alternate hosts for the meeting. An alternate host can start the meeting and act as the host. Thus, an alternate host must have a user account on your Meeting Center website.

During the Meeting

Restrict Access to the Meeting

Lock the meeting once all attendees have joined the meeting. This will prevent additional attendees from joining. Hosts can lock/unlock the meeting at any time while the session is in progress.

To lock a meeting, select Meeting > Restrict Access.

Tip: This option prevents anyone from joining the meeting, including participants who have been invited to the meeting but have not yet joined it.

To unlock a meeting, select Meeting > Restore Access.

Validate Identity of all Users in a Call

Accounting for every attendee by using a roll call is a secure practice. Ask users to turn on their video or state their name to confirm their identity.

To attend a meeting using a phone, a caller only needs to know a valid WebEx dial-in number and the nine-digit meeting ID. Meeting passwords do not prevent attendees from joining from the audio conference portion of WebEx.

If attendees without an account are allowed to join the meeting, then unauthorized users can identify themselves with any name in your meeting.

Remove a Participant from the Meeting

Participants can be expelled at any time during a meeting. Select the name of the participant whom you want to remove, then select Participant > Expel.

Share Application, Not Screen

Use Share > Application instead of Share > Screen to share specific applications and prevent accidental exposure of sensitive information on your screen.
After the Meeting

Assign Passwords to Recordings

The best way to prevent unauthorized access to recordings is to not create recordings. If recordings must be created, you can edit meeting recordings and add passwords before sharing them to keep the information secure. Password-protected recordings require recipients to have the password in order to view them.

Delete Recordings

Delete recordings after they are no longer relevant.

Personal Conferencing for Hosts

In the My WebEx Preferences section of your WebEx site, create a strong Audio PIN and protect it.

Your PIN is the last level of protection for prevention of unauthorized access to your personal conferencing account. Should a person gain unauthorized access to the host access code for a Personal Conference Meeting (PCN Meeting), the conference cannot be started without the Audio PIN. Protect your Audio PIN and do not share it.