Michael Schneider
This is how you secure Cisco WebEx
In the free version, with a current special offer, 100 participants can participate in virtual meetings for an unlimited time and use various collaboration features such as chat, file and whiteboard sharing. More details about the features and also the premium versions can be found on the pricing page of WebEx.
If you want to host meetings, you must create an account with Cisco WebEx. To do this, you need to enter a mail address to which you have access, as well as name and location.
After initial verification of the mail the user is asked to define a password respecting the following requirements:
The following must not be part of the password:
It would be better to use 10 characters or more as well as special characters. WebEx checks the requirements when passwords are entered and always does so as specified.
An interesting aspect of this is that the following words, for example, are recognized as “easy to guess”: webex, cisco, pass (as in password). However, words that are seen in our analysis of public leaks are not recognized, for example status, dragon or even liverpool. By the way, WebEx defines the username as a complete mail address, so when you choose vontestaccount@xxx.xxxx, part of the password can use testaccount (which is not recommended).
Ad hoc meetings can be set up using Personal Room. To participate, enter the appropriate host user ID on the Meetings Page of WebEx.
However, this variant is not recommended because it cannot be secured with a password. The only restriction available is that joining can be blocked once a defined period of time has passed after the meeting starts; by default this is set to 10 minutes. Scheduled meetings should be used instead.
When you set up a meeting, WebEx insists on defining a password for the meeting. WebEx also suggests a password consisting of 11 characters with numbers, upper and lower case letters. Other variants can be generated via the refresh button.
You can also set your own password, with the following requirements:
A somewhat stricter password policy would also be desirable here, so that weak passwords such as 1111 are not possible. In addition, the word Cisco is now permitted here, for example. This would mean that different libraries of “easy to guess passwords” are used for account passwords and meeting passwords.
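An added example (not WebEx's or the article's code) of a single policy check shared by account and meeting passwords, covering the gaps described above: leak-derived words, the local part of the mail address, and trivial passwords such as 1111. The word list is a small constructed sample built from the words named in the article, and testaccount@example.com is a placeholder address.

```python
import re

# Constructed sample list: the product terms the article saw rejected plus the
# leak-derived words it saw accepted. A real deployment would load a full
# breached-password wordlist instead of this handful of words.
EASY_TO_GUESS = {"webex", "cisco", "pass", "status", "dragon", "liverpool"}
MIN_LENGTH = 10  # the article's recommendation of 10 characters or more


def username_tokens(email):
    """Return the full address, its local part and the local part's pieces."""
    email = email.lower()
    local = email.split("@", 1)[0]
    candidates = [email, local] + re.split(r"[._+\-]", local)
    # Ignore very short pieces, which would match almost any password.
    return {t for t in candidates if len(t) >= 4}


def check_password(password, email=None):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if len(set(lowered)) <= 2:
        problems.append("repeated characters")
    # One shared list for account and meeting passwords, matched
    # case-insensitively so that "Cisco" is treated like "cisco".
    hits = sorted(w for w in EASY_TO_GUESS if w in lowered)
    if hits:
        problems.append("easy to guess: " + ", ".join(hits))
    # Compare against the local part too, not only the complete mail address.
    if email and any(t in lowered for t in username_tokens(email)):
        problems.append("contains part of the username")
    return problems


if __name__ == "__main__":
    samples = [("1111", None), ("Cisco-Meeting-2024", None),
               ("Liverpool4ever!", None),
               ("Testaccount#2024x", "testaccount@example.com"),
               ("k7#Vq2!mZr9w", "testaccount@example.com")]
    for pw, mail in samples:
        print(pw, "->", check_password(pw, mail) or "accepted")
```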
Although a password is generated by default when the meeting is created, this does not mean that the participants have to enter the password. Since the link sent to participants by mail already contains the “password” in the form of an ID, the link can be forwarded, and people invited this way can participate without entering the password. However, this can be remedied.
When you set up a meeting, the relevant settings are unfortunately somewhat hidden. The option is found under Schedule a meeting / Show advanced options / Scheduling options / Exclude password. With this option set, the password must be explicitly sent to the participant.
This setting is generally useful, since participants must now be explicitly confirmed by the host before they can join the meeting. The feature is activated with the checkbox at Require attendee registration under Registration.
The meeting overview in the main menu can then be used to confirm the registrations of invited participants under the respective meeting entry.
The registration process is a bit cumbersome: an initial mail for the registration, then another mail for the effective participation in the meeting.
Among the participant privileges, all rights that are not explicitly required should be withdrawn. These can also be adjusted under Attendee privileges when creating scheduled meetings.
Locking a meeting, that is, refusing access after the start of an online meeting, is set to 10 minutes by default for ad hoc meetings and can be viewed under Preferences / My Personal Room / Automatic lock.
Unfortunately, there is no such setting for scheduled meetings when creating the meeting. However, after starting a meeting, the corresponding function can be activated in the menu.
Last but not least, the configured security settings should be saved as a template so that future meetings are secured in the same way. Saved templates can be selected right above when creating a meeting.
The free version of WebEx Online Meetings comes across as a bit simple. No password can be set for ad hoc meetings. The default settings for scheduled meetings give the impression that a password is required to join, but this is not true; participants can join without entering a password using the link provided. However, WebEx provides appropriate settings to secure your online meetings. Ideally, these would already be available as standard settings. With the Save As Template function, however, you can do this yourself.