Cisco WebEx Online Meeting Security - Securing Virtual Meetings

Cisco WebEx Online Meeting Security

Securing Virtual Meetings

Dominik Altermatt
by Dominik Altermatt
on May 14, 2020
time to read: 8 minutes

Keypoints

This is how you secure Cisco WebEx

  • Due to the COVID-19 pandemic, many meetings, lectures, and training sessions are held online
  • WebEx Online Meeting is another free alternative
  • the default settings are not advantageous or even somewhat misleading
  • however, basic security features such as meeting passwords and attendee registration can be configured

Another tool for virtual meetings in the times of Covid-19 is WebEx Online Meeting by Cisco. Following the contributions to Zoom and Microsoft Teams, this article explains what security features WebEx offers and how to use them. The article refers to the version of WebEx Online Meetings, which can be downloaded at webex.com for free.

In the free version, with a current special offer, 100 participants can participate in virtual meetings for an unlimited time and use various collaboration features such as chat, file and whiteboard sharing. More details about the features and also the premium versions can be found on the pricing page of WebEx.

Sign Up

If you want to host meetings, you must create an account with Cisco WebEx. To do this, you need to enter a mail address to which you have access, as well as name and location.

After initial verification of the mail the user is asked to define a password respecting the following requirements:

The following must not be part of the password:

It would be better to use 10 characters or more as well as special characters. WebEx checks the requirements when passwords are entered and always does so as specified.

An interesting aspect of this is that the following words, for example, are recognized with regard to the requirements “easy to guess”: webex, cisco, pass (as in password). However, words that are seen in our analysis of public leaks are not recognized. For example status, dragon or even liverpool. By the way, WebEx defines the username as a complete mail address, so when you choose vontestaccount@xxx.xxxx, part of the password can use testaccount (which is not recommended).

Adhoc Meetings

Adhoc meetings can be set up using Personal Room. To participate, enter the appropriate host user ID on the Meetings Page of WebEx.

Adhoc Meeting as Personal Room

However, this variant is not recommended because it cannot be secured with a password. Only entering after starting the meeting can be prevented after a defined period of time; by default this is set to 10 minutes. Instead, scheduled meetings should be implemented.

Set up a scheduled meeting

Protect Meeting with Password

When you set up a meeting, WebEx insists on defining a password for the meeting. WebEx also suggests a password consisting of 11 characters with numbers, upper and lower case letters. Other variants can be generated via the refresh button.

Protecting a scheduled meeting with a password

You can also set your own password, with the following requirements:

A somewhat stricter password policy would also be desirable here, so that weak passwords such as 1111 are not possible. In addition, the word Cisco is now permitted here, for example. This would mean that different libraries of “easy to guess passwords” are used for account passwords and meeting passwords.

Although a password is generated by default when the meeting is created, this does not mean that the participants have to enter the password. Since the link sent to participants by mail already contain the “password” in the form of an ID, this offers the possibility to forward the link and thus invite people who can participate without entering the password. However, this can be remedied.

If you set up a meeting, there are unfortunately some hidden settings to find. Under Schedule a meeting / Show advanced options / Scheduling options / Exclude password. To do this, the password must be explicitly sent to the participant.

Exclude the password in mails sent to participants

Require Attendee Registration

This setting is generally useful, since participants must now be explicitly confirmed by the host before they can join the meeting. The feature is activated with the checkbox at Require attendee registration under Registration.

Require registration of all attendees

The meeting overview in the main menu can then be used to confirm the registrations of invited participants under the respective meeting entry.

Manage registration of a scheduled meeting

The registration process is a bit cumbersome. An initial mail for the registration, then another mail for the effective participation in the meeting.

Participant Privileges

Among the participant privileges all rights should be withdrawn that are not explicitly required. These can also be adjusted under the Attende privileges when creating scheduled meetings.

Manage privileges attendes

Details of different privileges

Locking a Meeting

The blocking of meetings, respectively the refusal of access after the start of an online meeting, is set to 10 minutes by default for adhoc meetings and can be viewed under Preferences / My Personal Room / Automatic lock.

Unfortunately, there is no such setting for scheduled meetings when creating the meeting. However, after starting a meeting, the corresponding function can be activated in the menu.

Subsequent locking of a scheduled meeting

Save as Template

Last but not least, the configured security settings should be saved as a template to be secured for future meetings. Saved templates can be selected right above when creating a meeting.

Save settings as template

Conclusion

The free version of WebEx Online Meetings comes across as a bit simple. No password can be set for ad hoc meetings. The default settings for scheduled meetings give the impression that a password is required to join, but this is not true; participants can join without entering a password using the link provided. However, WebEx provides appropriate settings to secure your online meetings. Ideally, these would already be available as standard settings. With the Save As Template function, however, you can do this yourself.

About the Author

Dominik Altermatt

Dominik Altermatt is working since 2003 in the IT business and was responsible for Data Leakage Prevention at a Swiss bank for many years. Besides traditional penetration testing he is also focusing on the introduction and improvement of IT security management processes. (ORCID 0000-0003-4575-4597)

Links

You need support in such a project?

Our experts will get in contact with you!

×
TIBER-EU Framework

TIBER-EU Framework

Dominik Altermatt

You want more?

Further articles available here

You need support in such a project?

Our experts will get in contact with you!

You want more?

Further articles available here