This is the last of a three-part series on an often-unnoticed security flaw: the corporate conference bridge. This essential communications enabler, despite PINs and pass codes, can be easily exploited by former employees, competitors, or other bad actors, who can join your calls with a bit of ingenuity and listen to your confidential conversations with impunity. In Part 1, we discussed the four elements of a conference bridge call and how they can be compromised. In Part 2, we examined two scenarios of how these compromises can actually be executed. So, how do you plug this gap? There are several common-sense steps that every organization can consider. Think ORRAP: Obfuscate, Rotate, Refresh, Automate, Proctor:
- Obfuscate. Some bridge vendors use a standard dial-in number for all call-ins, or one standard number per organization. Others provide individualized bridge numbers. Standard bridge numbers are public (or semi-public to ex-employees or counterparts); individual ones aren’t.
- Rotate. Participant codes, PINs and other entry data should have an expiration date. Treat them just like passwords: every credential that grants entry to your organization’s bridges should be private, non-guessable and rotated. Require periodic changes; the schedule is up to you. People might complain of the inconvenience, but those complaints are easily mitigated with the next step below.
- Refresh. Use the occasion of rotation to republish the new bridge information and procedures. This is a good opportunity to build awareness and remind people of secure bridge etiquette: taking attendance, knowing with certainty who is on the wire, how to drop suspected lines, etc. It can also serve as an excellent forcing function for a larger awareness effort and a refresh of the Business Continuity Plan.
- Automate. The bridge function can be re-engineered for automation and therefore for security. Some vendors offer a one-click bridge join function. Many Mass Emergency Notification vendors can send out automated phone calls to team members (“Conference bridge starting, press 1 to join”), and the people are connected straight through. A company called Zipbridge (www.zipbridge.net; full disclosure, ARSC is a partner) offers an “outbound bridge” as a dedicated product: the host dials a ‘launch’ number (not the bridge number), and the system reaches out to the participants and pulls them into the bridge. The bridge number and PIN are never disclosed to participants, so there is nothing for them to leak or retain.
- Proctor. Proctored conference calls are another option for confidential meetings. Some conference bridge vendors offer a professional proctor on the call to screen incoming attendees, monitor who is on and perform other functions. Proctors can serve as an additional line of defense as well.