Another tool for virtual meetings in the times of Covid-19 is WebEx Online Meeting by Cisco. Following the contributions to Zoom and Microsoft Teams, this article explains what security features WebEx offers and how to use them. The article refers to the version of WebEx Online Meetings, which can be downloaded at webex.com for free.

In the free version, with a current special offer, 100 participants can participate in virtual meetings for an unlimited time and use various collaboration features such as chat, file and whiteboard sharing. More details about the features and also the premium versions can be found on the pricing page of WebEx.

Sign Up

If you want to host meetings, you must create an account with Cisco WebEx. To do this, you need to enter a mail address to which you have access, as well as name and location.

After initial verification of the mail the user is asked to define a password respecting the following requirements:

• at least 8 characters
• at least 2 letters
• at least one combination of upper and lower case letters
• at least one number

The following must not be part of the password:

• Your own name, user name or company name
• The last three passwords
• Words easy to guess
• All characters that are repeated more than 2 times

It would be better to use 10 characters or more as well as special characters. WebEx checks the requirements when passwords are entered and always does so as specified.

An interesting aspect of this is that the following words, for example, are recognized with regard to the requirements “easy to guess”: webex, cisco, pass (as in password). However, words that are seen in our analysis of public leaks are not recognized. For example status, dragon or even liverpool. By the way, WebEx defines the username as a complete mail address, so when you choose vontestaccount@xxx.xxxx, part of the password can use testaccount (which is not recommended).

Adhoc Meetings

Adhoc meetings can be set up using Personal Room. To participate, enter the appropriate host user ID on the Meetings Page of WebEx.

However, this variant is not recommended because it cannot be secured with a password. Only entering after starting the meeting can be prevented after a defined period of time; by default this is set to 10 minutes. Instead, scheduled meetings should be implemented.

Protect Meeting with Password

When you set up a meeting, WebEx insists on defining a password for the meeting. WebEx also suggests a password consisting of 11 characters with numbers, upper and lower case letters. Other variants can be generated via the refresh button.

You can also set your own password, with the following requirements:

• at least 4 characters
• no easy to guess keywords
• no special characters, e.g. spaces

A somewhat stricter password policy would also be desirable here, so that weak passwords such as 1111 are not possible. In addition, the word Cisco is now permitted here, for example. This would mean that different libraries of “easy to guess passwords” are used for account passwords and meeting passwords.

Although a password is generated by default when the meeting is created, this does not mean that the participants have to enter the password. Since the link sent to participants by mail already contain the “password” in the form of an ID, this offers the possibility to forward the link and thus invite people who can participate without entering the password. However, this can be remedied.

If you set up a meeting, there are unfortunately some hidden settings to find. Under Schedule a meeting / Show advanced options / Scheduling options / Exclude password. To do this, the password must be explicitly sent to the participant.

Require Attendee Registration

This setting is generally useful, since participants must now be explicitly confirmed by the host before they can join the meeting. The feature is activated with the checkbox at Require attendee registration under Registration.

The meeting overview in the main menu can then be used to confirm the registrations of invited participants under the respective meeting entry.

The registration process is a bit cumbersome. An initial mail for the registration, then another mail for the effective participation in the meeting.

Participant Privileges

Among the participant privileges all rights should be withdrawn that are not explicitly required. These can also be adjusted under the Attende privileges when creating scheduled meetings.

Locking a Meeting

The blocking of meetings, respectively the refusal of access after the start of an online meeting, is set to 10 minutes by default for adhoc meetings and can be viewed under Preferences / My Personal Room / Automatic lock.

Unfortunately, there is no such setting for scheduled meetings when creating the meeting. However, after starting a meeting, the corresponding function can be activated in the menu.

Save as Template

Last but not least, the configured security settings should be saved as a template to be secured for future meetings. Saved templates can be selected right above when creating a meeting.

Conclusion

The free version of WebEx Online Meetings comes across as a bit simple. No password can be set for ad hoc meetings. The default settings for scheduled meetings give the impression that a password is required to join, but this is not true; participants can join without entering a password using the link provided. However, WebEx provides appropriate settings to secure your online meetings. Ideally, these would already be available as standard settings. With the Save As Template function, however, you can do this yourself.

About the Author

Dominik Altermatt is working since 2003 in the IT business and was responsible for Data Leakage Prevention at a Swiss bank for many years. Besides traditional penetration testing he is also focusing on the introduction and improvement of IT security management processes. (ORCID 0000-0003-4575-4597)

Links

• https://meetingsemea11.webex.com/webappng/sites/meetingsemea11/dashboard
• https://www.webex.com
• https://www.webex.com/pricing/index.html