Antonio Gil Moyano

Chief Security Envoy (CSE) of ElevenPaths.
Security in video call applications: Microsoft Teams, Zoom and Google Meet
There is no doubt that instant messaging programmes have become an essential communication tool in our personal and professional lives. There is also no doubt that video calling applications, or the extension of this functionality to existing ones, have been a revolution during the pandemic, when they became the only form of visual communication due to the forced shift to remote work. There are many options, but in this article we are going to focus on some of the most professional ones, because of their integration with other applications and functionalities, always guaranteeing the security of the information shared and the privacy of communications.

Much has been written about this, including several publications that refer to a report last year by the US National Security Agency (NSA), which analysed the strengths and vulnerabilities of working remotely as a national security issue. In our country, studies are also carried out by organisations concerned with national, citizen and business security, such as the National Cybersecurity Institute (INCIBE) or the National Cryptologic Centre (CCN), attached to the National Intelligence Centre (CNI).

We are going to focus on the report entitled "Security recommendations for remote working situations and reinforcement in vigilance" (CCN-CERT BP/18). Chapter 7 deals with the security that should be applied to videoconferences and virtual meetings. Let's have a look at some of these recommendations:

The app/software must come from verified and authenticated repositories, such as the manufacturer's repositories or the application repositories of the platform providers (Microsoft, Google, Apple, Samsung, LG, etc.).

User and password identification and authentication must meet minimum strength requirements (e.g. recommended minimum character length, combination of letters, numbers and special characters, maximum number of failed authentication attempts, etc.).

Incoming connections must be accepted by the user; there must be no possibility of auto-answer. They should offer the possibility to access the session with or without video/audio.

The video sessions must comply with at least the following requirements regarding communication security: use TLS 1.2 secure channels in encrypted calls for signalling and AES-128 or 256 for media traffic; SRTP traffic is recommended for audio, video and media with AES-128 encryption; in UDP traffic, ensure AES-128 encryption and ensure that the initial key exchange is carried out over a secure TLS channel.

Document sharing must ensure the confidentiality of data and repositories, as determined by the National Security Scheme.

With these recommendations in mind, let's look at how each of the three solutions we have selected fits in.

Microsoft Teams

It certainly meets all the requirements you need for a "corporate" video conferencing solution, not only because it comes from a trusted manufacturer, but because all the security and functionality comes configured in Microsoft 365 and Office 365. This makes it robust and stable, but above all reliable, which is what companies and professionals need when using such a solution. In this guide published by Microsoft in October 2020, https://docs.microsoft.com/es-es/microsoftteams/teams-security-guide, you can see in more detail how Teams controls common security threats: attack using a known key, denial-of-service network attack, interception, impersonation (IP addresses), man-in-the-middle attack, RTP replay attack, unwanted instant messages, malware, viruses, etc.

Zoom

Possibly the most widely used video conferencing solution in the professional and personal sphere, it became very popular during the lockdown: it is easy to use, low-cost and even free of charge. However, there is room for improvement in terms of security. The privacy and security section of its website provides advice on how to set up Zoom before starting a meeting.

It also covers security settings to lock a meeting; expel, mute or report participants; disable file transfer or annotation; control screen sharing; disable private chat or control recording, among others. In relation to protecting the data we share, it talks about AES-256 encryption of video, audio and screen sharing, audio signatures and watermarked screenshots, as well as local and cloud storage encryption of recordings and file transfer. It also talks about the different security certifications. Concerning the privacy policy, it covers the different methods of authentication using existing applications or by password, two-factor authentication, attendee authorisation for recordings, basic technical information about the meeting participants, storage of basic profile information…

The last three paragraphs are quite striking, where they expressly warn that: they have never had any intention of selling our information to advertisers and have no intention of doing so; they do not monitor our meetings and their content; and they comply with all privacy policies, rules and regulations in the jurisdictions in which they operate, including the GDPR and the CCPA.

This relates to the CCN report on the use of Zoom and its implications for security and privacy, with recommendations and good practices published in the wake of the cyber-attacks suffered during the lockdown. In its conclusions it states that, with proper configuration and safeguards, Zoom offers a safe and secure virtual meeting environment, regardless of the fact that this software is currently being targeted by cyber attackers due to its popularity.

Google Meet

Like Microsoft's, it is the video conferencing solution integrated into G Suite and connects seamlessly with Gmail, Google Calendar, Docs, Drive, Jamboard, Chromecast and more.

Here you can see the security and privacy measures that apply to users, such as: security measures to protect video calls, such as anti-hacker controls or preventing anonymous users (without a Google account) from joining the meeting, among others; encryption of all data by default between the client and Google, from both browsers and the Android or iOS Meet applications; two-factor authentication; and security best practices for a trusted and secure meeting experience. On privacy and transparency, they say that we as users have control over our information, and that they apply data protection laws and other industry standards. They also say that they do not use our data for advertising purposes, nor do they sell the data to third parties; as with Zoom, it is striking to find these "reassuring" messages for users.

In conclusion, we must choose the solution that best suits our needs as a company or professional, always taking into account the integration with the different tools we use for our work. If we consider this a priority, we should choose between Microsoft and Google. If what we are looking for is an application exclusively for video calls, prioritising simplicity without many requirements, Zoom would be the best candidate. Regarding security, as we know, no solution is 100% secure, although competition has meant that all of them have implemented security measures they did not have before and, without a doubt, the objective is to generate the trust we need to work while sharing our information, guaranteeing its confidentiality, integrity and availability.
June 15, 2021
Homeworking: Balancing Corporate Control and Employee Privacy (II)
As a continuation of the first article, in which we looked at both the regulation of homeworking and the security and privacy measures in this modality, in this second instalment we are going to go deeper into what is really interesting about the regulation: the legal and technical balance between the parties, in this case employer and employee.

Balance Between the Employer's Power of Control and the Worker's Right to Privacy

The line drawn by the courts for lawful access by the employer to the corporate information on devices begins with the employer's duty to have policies on the use of its devices, a matter regulated in the current Data Protection Act. And the million-dollar question: can the employer access information from corporate devices and emails? It depends. It depends on the point of view of either the employer or the employee, as the answer can be as varied as the case studies in the business world. The first thing to check is whether there is prior regulation of the use of devices. If so, the document in question should be analysed, the control measures it regulates reviewed, and the existence or absence of express prohibitions on personal use verified. Such a prohibition may be motivated by information security reasons. On the other hand, in the absence of such regulation, in the event of access to the employee's corporate information he or she may claim that his or her right to privacy has been infringed, since the courts understand that, in the absence of regulation, there is a certain tolerance in the workplace of the personal use of company equipment.

In both cases, and in order to avoid problems of arbitrariness on the part of the employer, the employer is required to prove the existence of a prior suspicion of an employment infringement by the employee; on the basis of that evidence, the opening of the investigation and the gathering of evidence can be justified, in accordance with the principles of necessity, appropriateness and proportionality, so as to enable the employer to prove the infringement while exercising the utmost diligence regarding the employee's right to privacy.

In order to minimise access to information, technicians often use software that allows heuristic searches based on keyword criteria, date-range selection and file hash signatures, so they can separate the wheat from the chaff in a tangle of information and emails.

It is a common question among lawyers and computer experts who wonder who is responsible for the legality of the evidence obtained. The answer from both professions is that employers usually delegate the responsibility for obtaining digital evidence to computer experts, even, on many occasions, when company lawyers are present, since they are often unaware of the specific regulations on the subject. In this sense, and in order to limit liability regarding the validity of the evidence, it is recommended that these professionals, the computer experts, expressly reflect this circumstance regarding the validity of the evidence and the limitation of liability in the object of the contract for the provision of services. It would be more convenient to involve a third party, such as a lawyer specialised in evidence and technological investigation, to enable the employer to establish a correct digital evidence strategy to prove the prior suspicion and, consequently, the legitimacy of the subsequent investigation.

This professional assists the employer throughout the process that could result, for example, in a disciplinary dismissal, from obtaining the digital evidence to the defence in court.

Technical Tools for the Control of and Access to Information on Business Devices

Since we have an IT support and cyber security team in our company, we know very well what this sudden change in the way of working, without being prepared and without having taken the necessary measures to guarantee the security of information and the continuity of their business, has meant for our clients. We have had to configure their infrastructure to adapt it to the massive use of remote working, as well as the personal equipment of users, which in general did not meet minimum security requirements. This is a complex scenario and requires the use of tools that allow control of, and secure access to, the company's information. Before drawing up an information security policy related to asset management and homeworking, we must ask ourselves these questions:

About the assets

Is there a policy on the acceptable use of company assets such as the computer or laptop, mobile phone, email, instant messaging, internet, social networks, etc.?
Is the use of company assets allowed on a personal basis? If so, has misuse been properly documented and explained? Has it been accepted and signed by the employee? How is this controlled and managed? Is there any monitoring or traceability?
Once the employee/company relationship has ended, how are these assets returned? Is there a procedure and document for this purpose? What happens if they are not returned?

About homeworking

Is there a specific homeworking policy for mobile users?
Are the controls applied the same way for all users regardless of their location?
Is there any type of MDM (Mobile Device Management) tool for mobile devices that allows their control and encryption?
Have specific measures been implemented to guarantee secure use during homeworking? For example: use of a VPN (Virtual Private Network) connection; secure passwords with a second authentication factor (2FA); backup copies; system updates; specific security solutions (not only antivirus); security in the cloud (95% of attacks in the cloud will be the responsibility of users).

INCIBE has developed a handbook on cyber security for homeworking to guide these good practices.

Conclusions

In any labour infringement through new technologies in the labour jurisdiction, it is mandatory to know and apply what is known as the Barbulescu II test, named after a well-known judgment of the European Court of Human Rights that sets out criteria for lawful access to the information on corporate devices/mailboxes. The first thing to do is to check the existence of policies on the use of corporate devices and whether they are in line with the reality of the organisation, the work methodology and the existence of express prohibitions on personal use, so that the employee cannot claim what is known as an "expectation of privacy" in the personal use of corporate devices; otherwise, the evidence obtained could be declared null and void for violation of fundamental rights. Finally, it must be checked whether the principles of necessity, appropriateness and proportionality were applied to the access to information on the employee's computer equipment. It is understood that, with compliance with the above, both from a legal and a technical point of view, the taking of evidence should be considered lawful and, consequently, taken into consideration by the court, subject to criteria of relevance and free assessment, as well as to the principles of publicity, orality, immediacy, contradiction and concentration in the oral proceedings. There is no such thing as 100% cyber security, nor is there full legal certainty.
Case study: My Employee Is Fooling Me

Our company has a time-registration application for employees, where each day they must identify themselves at the beginning of the day so that the time of arrival and departure is recorded. Our employee works with an application that also records the whole process/activity of the employee. She has carried out this function for 10 years, although lately we have noticed some strange behaviour and some unjustified absences. In addition, some of her colleagues complain about harassment and management has reprimanded her on several occasions. The company and the employee keep track of absences from work, and a discrepancy is detected on a particular day when the employee claims to have been at work.

Our forensic analysis work begins by analysing the access-logging application and also the one used for her work. We detect that on that particular day two accesses are recorded with that user: one at 8:00, which barely lasts 2 seconds, and another at 8:05, which lasts until 14:00, the time of departure. When designing the application, not only the user's registration was taken into account, but also the IP address from which the user connects. This IP is always the same, the company's, since all users work from within the network and homeworking is not contemplated. It is detected that the registered IP is external and therefore that the connection has been made from outside the company. The log of the management application is also analysed, and it is verified that there was no activity during that day for that user. We then proceed with the complaint and a request to the court so that the communications operator identifies and geolocates the registered IP.

The operator's report certifies that the IP corresponds to an ADSL line in the employee's name, geolocated at her usual home.

Resolution of the Case

All the evidence found (IP of the external connection, activity of the management application and its geolocation with a technical report from the operator) pointed to the fact that it was the employee, from her home, who made the connection to show the company that she was working in the office that day. Finally, the resolution was favourable to the company.

First part of this article: Homeworking: Balancing Corporate Control and Employee Privacy (I), January 14, 2021
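The three checks the case study rests on (a login from outside the corporate network, a session too short to be real work, and a clock-in day with no activity in the management application) can be run as one cross-check over the two logs. This is an added Python example, not tooling from the article or the author's firm; the log formats, the corporate range 10.0.0.0/8 and every entry are constructed.

```python
# Cross-check time-clock logins against the corporate network and the
# management-application activity log. Added example: the log formats, the
# corporate range and every entry below are constructed, not real data.
from datetime import datetime, timedelta
import ipaddress

CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed office range
# Constructed time-clock log: user;login;logout;source_ip
CLOCK_LOG = """\
alice;2020-11-03 08:00:00;2020-11-03 08:00:02;203.0.113.45
alice;2020-11-03 08:05:00;2020-11-03 14:00:00;203.0.113.45
bob;2020-11-03 08:10:00;2020-11-03 14:05:00;10.1.2.7
"""
# Constructed management-application activity log: user;timestamp;action
ACTIVITY_LOG = """\
bob;2020-11-03 09:12:40;open_ticket
bob;2020-11-03 11:45:02;close_ticket
alice;2020-11-04 09:00:10;open_ticket
"""

def parse_clock(text):
    rows = []
    for line in text.splitlines():
        user, login, logout, ip = line.split(";")
        rows.append({"user": user, "ip": ipaddress.ip_address(ip),
                     "login": datetime.fromisoformat(login),
                     "logout": datetime.fromisoformat(logout)})
    return rows

def activity_per_user_day(text):
    """Count management-application events per (user, date)."""
    counts = {}
    for line in text.splitlines():
        user, ts, _action = line.split(";")
        key = (user, datetime.fromisoformat(ts).date())
        counts[key] = counts.get(key, 0) + 1
    return counts

def audit(clock_text, activity_text, min_session=timedelta(minutes=1)):
    """One finding per suspicious session: external source IP, session too
    short to be real work, or no management-application activity that day."""
    activity = activity_per_user_day(activity_text)
    findings = []
    for row in parse_clock(clock_text):
        reasons = []
        if row["ip"] not in CORPORATE_NET:
            reasons.append("external_ip")
        if row["logout"] - row["login"] < min_session:
            reasons.append("session_too_short")
        elif activity.get((row["user"], row["login"].date()), 0) == 0:
            reasons.append("no_activity")
        if reasons:
            findings.append((row["user"], row["login"].date().isoformat(),
                             str(row["ip"]), reasons))
    return findings
```

Findings are only leads for the lawful, proportionate investigation the article describes; the source IP still has to be attributed by the operator before it proves anything.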
December 23, 2020