
Let’s examine Cisco Webex – A visionary player

This is the third post in a series of blogs examining the security of various Video Conferencing products for business. In this post we examine Cisco Webex Meetings and Cisco Webex Teams.  Posts still to come over the next few days will dive into Google Meet, Bluejeans, Skype for Business, Tixeo, Jitsi Meet & BigBlueButton.

To read about our approach to this analysis, understand the target security model we applied, or see a side-by-side comparison of the products reviewed please visit our first post from this series.

If you’re interested in the detail for Cisco Webex Meetings or Cisco Webex Teams, please read on.


Update: 01/06/2020

This post updated with miscellaneous changes, new links and some corrections after feedback from Cisco.


Cisco Webex Meetings

Cisco Webex is an American company which develops and sells web conferencing and videoconferencing applications. The Webex solution is available under several licenses including a free version (limited to 100 participants) and is available as SaaS (public cloud), on a private cloud or on-premise on a dedicated server or integrated into a Cisco telephone system.

According to Gartner, Webex is the current market leader and is considered a visionary player in video communication technologies (along with Zoom and Microsoft).

The solution is available in two forms, Webex Teams for collaborative work (addressed later) and Webex Meetings for audio and video meetings (covered here). Webex also offers a wide range of peripherals such as whiteboards, IP phones, screens and cameras for videoconferencing[1].

Features

The Webex Meetings solution is used via a web browser with a plugin. It is also possible to install and use client software, available for Windows, Android and iOS, to access organized meetings. Installation of the client requires administrator rights on the computer.

Results table

Encryption

Uses an appropriate encryption algorithm: Fully
  All communications between Cisco Webex applications and Cisco Webex Cloud occur over encrypted channels. Cisco Webex uses the TLS 1.2 protocol and high-strength ciphers (for example, AES 256).
  User Datagram Protocol (UDP) is the preferred protocol for transmitting media. In UDP, media packets are encrypted using AES 128. The initial key exchange happens on a TLS-secured channel. Additionally, each datagram uses a Hash-based Message Authentication Code (HMAC) for authentication and integrity.

Uses a strong encryption key: Fully
  AES 256 (stored) / AES 128 (streamed). Cisco has advised us that support for AES 256 is currently on their roadmap.

Data is encrypted in transit under normal use: Fully
  See https://www.cisco.com/c/dam/en/us/products/collateral/conferencing/webex-meeting-center/white-paper-c11-737588.pdf

Data stays encrypted in transit on provider servers: Partially
  In standard mode, media streams flowing from a client to Cisco Webex servers are decrypted after they cross the Cisco Webex firewalls. Full encryption is available, however, at the cost of some features like cloud recording.
  See https://www.cisco.com/c/dam/en/us/products/collateral/conferencing/webex-meeting-center/white-paper-c11-737588.pdf

Voice, Video and Text are all encrypted: Fully
  See https://www.cisco.com/c/dam/en/us/products/collateral/conferencing/webex-meeting-center/white-paper-c11-737588.pdf

File transfers & session recordings are encrypted: Fully
  See https://www.cisco.com/c/dam/en/us/products/collateral/conferencing/webex-meeting-center/white-paper-c11-737588.pdf

Vendor technically can’t decrypt the data at any point, even under regulatory pressure (full E2EE): Partially
  Cisco Webex offers end-to-end encryption. With this option, Cisco Webex Cloud does not decrypt the media streams. All Cisco Webex clients generate key pairs and send the public key to the host’s client. The host generates a random symmetric key, encrypts it using the public key that the client sent, and sends the encrypted symmetric key back to the client. The traffic generated by clients is encrypted using the symmetric session key. In this model, traffic cannot be deciphered by the Cisco Webex server.
  See https://www.cisco.com/c/dam/en/us/products/collateral/conferencing/webex-meeting-center/white-paper-c11-737588.pdf

Encryption implementation has withstood scrutiny over time: Fully
Authentication

Administrators can define password security policies: Fully
  The administrator can manage password criteria using the following options:
    • Mixed case
    • Minimum length
    • Minimum number of numeric, alphabetic, or special characters
    • No character to be repeated three times or more
    • No reuse of a specified number of previous passwords
    • No dynamic text (site name, host’s name, username)
    • No passwords from a configurable list (for example, “password”)
    • Minimum time interval before a password change

Supports MFA as default: No
  No native MFA available; needs a third-party IdP to provide it.

Can integrate with Active Directory or similar: Fully

Can integrate with SSO solutions via SAML or similar: Fully

Offers RBAC: Fully
  Cisco Webex application behavior is built from the ground up around five roles, each of which is granted different privileges.
  See https://www.cisco.com/c/dam/en/us/products/collateral/conferencing/webex-meeting-center/white-paper-c11-737588.pdf

Allows passwords to be set for meetings: Fully

Allows meeting password security policies to be set: Fully
Jurisdiction

Headquarters address: USA
  Milpitas, California (United States)

The vendor cannot technically access any data without the client’s consent: Partially
  When E2EE is deployed, Cisco cannot decrypt the data.
  In ‘normal’ mode, Cisco says employees do not access customer data unless access is requested by the customer for support reasons.

A full on-prem version is available for users who don’t want to trust the vendor: Fully
  Cisco WebEx Meeting Server. See https://www.cisco.com/c/en/us/products/conferencing/meeting-server/index.html
  Moreover, a feature called ‘Hybrid Data Security’ allows organizations to bring encryption key management and other security-related functions into their on-premises data centers.

For SaaS modes of deployment, the client can select which countries or political regions data is stored or processed in: Partially
  During provisioning, the administrator selects a country, which determines which of two GEO regions the organization’s data resides in.
  See https://help.webex.com/en-us/oybc4fb/Data-Residency-in-Cisco-Webex-Teams#id_102374

Complies with appropriate security certifications (e.g. ISO27002 or BSI C5): Fully
  In addition to complying with its stringent internal standards, Cisco Webex also continually maintains third-party validations to demonstrate its commitment to information security. Cisco Webex is:
    • ISO 27001, 27017, 27018 certified
    • Service Organization Controls (SOC) 2 Type II audited
    • FedRAMP certified (visit cisco.com/go/fedramp)
    • Cloud Computing Compliance Controls Catalogue (C5) attested
    • Privacy Shield Framework certified
  See https://www.cisco.com/c/en/us/about/trust-center/webex.html#~certifications

Complies with appropriate privacy standards (e.g. FERPA or GDPR): Fully
  See https://help.webex.com/en-us/pdz31w/Cisco-Webex-Compliance-and-Certifications

Provides a transparency report that details information related to requests for data, records, or content: Fully
  See https://www.cisco.com/c/en/us/about/trust-center/transparency.html
Security Management

Offers other forms of access control to meetings, e.g. waiting rooms, lockout, banning etc.: Fully
  See https://www.cisco.com/c/dam/en/us/products/collateral/conferencing/webex-meeting-center/white-paper-c11-737588.pdf

Allows granular control over in-meeting actions like screen sharing, file transfer, remote control: Fully
  See https://www.cisco.com/c/dam/en/us/products/collateral/conferencing/webex-meeting-center/white-paper-c11-737588.pdf

Offers clear central control over all security settings: Fully

Allows for monitoring and maintenance of endpoint software versions: Unclear
  Not as far as we can see. Control Hub Analytics and Troubleshooting?

Provides compliance features like eDiscovery & Legal Hold: Fully
  See https://www.cisco.com/c/en/us/products/collateral/collaboration-endpoints/webex-room-series/datasheet-c78-740772.html

Auditing and Reporting: Fully
  See https://help.webex.com/en-us/n3b0w6x/Audit-Events-in-Cisco-Webex-Control-Hub

Additional content security controls like DLP, watermarking, etc.: Partially
  Third-party DLP solutions can be integrated via the Events API.
Vulnerability Management

Percentage of NVD 2019: 0.15%
Percentage of NVD 2020: 0.09%

Vendor discloses which vulnerabilities have been addressed: Fully
  Cisco has a clear and comprehensive Security Vulnerability Policy. See https://tools.cisco.com/security/center/resources/security_vulnerability_policy.html and https://help.webex.com/en-us/c3r7uf/Open-and-Resolved-Bugs-for-the-Latest-Webex-Meetings-Updates

Vendor runs a bug bounty: Partially
  Cisco is listed on HackerOne, but there is nothing specific for Webex.

Encryption

Webex Meetings offers two security modes. By default, communications are encrypted between the server and the clients (hop-by-hop), so cleartext data traverses the server. It is also possible to enable end-to-end encryption when using the thick client; in this model, traffic cannot be deciphered by the Cisco Webex server. This restricts certain features, however, such as Network Based Recording and Remote computer sharing[2].
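The end-to-end mode described above (each client generates a key pair and sends its public key to the host, the host wraps a random symmetric session key for each client, and media is then protected with AES 128 plus a per-datagram HMAC) as an added Go example; this is not Cisco’s code and is not from the original post. It models the whole exchange in one process, and the RSA-OAEP wrapping, the split into a 16-byte AES key and a 32-byte HMAC key, CTR mode and the datagram layout are this example’s assumptions, since the page names only the algorithms, not the exact construction.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

const keyLen = 16 + 32 // AES-128 key || HMAC-SHA256 key (the split is this example's choice)

// Participant is one client in end-to-end mode: an RSA key pair plus, after the
// exchange, its copy of the host's symmetric session key.
type Participant struct {
	priv       *rsa.PrivateKey
	SessionKey []byte
}

func NewParticipant() (*Participant, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	return &Participant{priv: priv}, err
}

// NewSession runs on the host: draw a random session key and wrap it with RSA-OAEP
// under each client's public key. Only public keys and wrapped keys cross the Webex
// cloud, and each client unwraps with a private key that never left its device.
func (host *Participant) NewSession(clients []*Participant) error {
	host.SessionKey = make([]byte, keyLen)
	if _, err := io.ReadFull(rand.Reader, host.SessionKey); err != nil {
		return err
	}
	for _, c := range clients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &c.priv.PublicKey, host.SessionKey, nil)
		if err != nil {
			return err
		}
		if c.SessionKey, err = rsa.DecryptOAEP(sha256.New(), nil, c.priv, wrapped, nil); err != nil {
			return err
		}
	}
	return nil
}

// SealDatagram protects one media datagram: AES-128-CTR under a fresh random IV, then
// HMAC-SHA256 over IV||ciphertext (encrypt-then-MAC). Layout: iv(16) || ct || tag(32).
func SealDatagram(key, media []byte) ([]byte, error) {
	if len(key) != keyLen {
		return nil, fmt.Errorf("session key must be %d bytes", keyLen)
	}
	block, _ := aes.NewCipher(key[:16]) // key length already checked above
	pkt := make([]byte, aes.BlockSize, aes.BlockSize+len(media)+sha256.Size)
	if _, err := io.ReadFull(rand.Reader, pkt); err != nil {
		return nil, err
	}
	pkt = append(pkt, media...)
	cipher.NewCTR(block, pkt[:aes.BlockSize]).XORKeyStream(pkt[aes.BlockSize:], pkt[aes.BlockSize:])
	mac := hmac.New(sha256.New, key[16:])
	mac.Write(pkt)
	return mac.Sum(pkt), nil
}

// OpenDatagram verifies the HMAC before decrypting, so a tampered datagram or a wrong
// key yields an error and no plaintext.
func OpenDatagram(key, pkt []byte) ([]byte, error) {
	if len(key) != keyLen || len(pkt) < aes.BlockSize+sha256.Size {
		return nil, errors.New("bad key or datagram length")
	}
	body, tag := pkt[:len(pkt)-sha256.Size], pkt[len(pkt)-sha256.Size:]
	mac := hmac.New(sha256.New, key[16:])
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("HMAC check failed: datagram rejected")
	}
	block, _ := aes.NewCipher(key[:16])
	media := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCTR(block, body[:aes.BlockSize]).XORKeyStream(media, body[aes.BlockSize:])
	return media, nil
}
```

Running host.NewSession over the clients, then SealDatagram with one client’s SessionKey and OpenDatagram with another’s, round-trips a frame; OpenDatagram with any other key, as for a relay that only ever saw the wrapped keys, fails the HMAC check.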

Cisco also encrypts stored Network Based Recordings. During playback and download, the encrypted recording file is decrypted before or during the operation. Cisco maintains these keys on behalf of the customer.

A feature called ‘Hybrid Data Security’ allows organizations to bring encryption key management and other security-related functions into their on-premises data centers.

Authentication

Webex Meetings supports SSO with integration into the customer’s identity management technology (for example, Microsoft Active Directory Federation Services, PingFederate, CA Siteminder Single Sign-On, OpenAM, or Oracle Access Manager) using the Security Assertion Markup Language (SAML) 2.0.

We could not find evidence that Webex Meetings offers any form of Multi Factor Authentication (MFA) natively, but many of the SSO solutions supported via SAML (for example Duo or Okta) would provide that capability.

Jurisdiction & Regulation

Cisco claims ISO 9001, ISO 27001, ISO 27018, SOC 2, Privacy Shield Framework and EU model clause compliance for Webex Meetings[3]. Webex Teams and Webex Meetings have also formally received attestation against the BSI Cloud Computing Compliance Controls Catalogue (BSI C5).

However, Webex is a SaaS solution delivered by Cisco, which falls under the jurisdiction of the United States government. Theoretically this means that the company could be compelled to provide data or access to the government in compliance with US laws, which might be a concern for businesses from other countries.

Cisco Webex Meetings explicitly advertises ‘data residency’ options, giving customers the choice over where their stored data resides. It seems that during provisioning, the administrator selects a country, which determines which of two GEO regions the organization’s data resides in.

Security Features and Management

Webex Meetings allows users to generate a unique password for every meeting. Administrators define the complexity of the password in order to comply with organizational password policies.

Webex supports role-based access, which defines the privileges of meeting attendees. This configuration also allows hosts to restrict application or desktop sharing as necessary.

Vulnerability & Exploit History

The NIST National Vulnerability Database records 33 vulnerabilities for Cisco Webex components (excluding Teams) since the beginning of 2019, several of which were categorized as serious:

Year   Reported   NVD Total   Percentage
2019   26         17,308      0.15%
2020   7          7,624       0.09%

Cisco has a clear Security Vulnerability Policy that states how Cisco addresses reported security vulnerabilities in Cisco products and services, including the timeline, actions, and responsibilities that apply equally to all customers[3].

The Cisco Product Security Incident Response Team (PSIRT) is responsible for responding to Cisco product security incidents and adheres to ISO/IEC 29147:2014[4].


Sources

[1] https://www.cisco.com/c/en/us/products/collaboration-endpoints/collaboration-room-endpoints/index.html?dtid=osscdc000283#~explore-video-devices

[2] https://help.webex.com/en-us/nwh2wlx/Enable-End-to-End-Encryption-Using-End-to-End-Encryption-Session-Types

[3] https://tools.cisco.com/security/center/resources/security_vulnerability_policy.html

[4] https://www.cisco.com/c/dam/en_us/about/security/psirt/Cisco-PSIRT-Infographic.pdf

Cisco Webex Teams

https://www.webex.com/team-collaboration.html

Cisco Webex is an American company which develops and sells web conferencing and videoconferencing applications. The Webex solution is available under several licenses including a free version (limited to 100 participants) and is available as SaaS (public cloud), on a private cloud or on-premise on a dedicated server or integrated into a Cisco telephone system.

The solution is available in two forms, Webex Teams for collaborative work (addressed here) and Webex Meetings for audio and video meetings (covered previously).

Features

Webex Teams is an application that allows a team to work together continuously using video meetings, group messaging, file sharing and shared whiteboards. Full use of the Webex Teams solution relies on client-side applications, available for Windows, iOS, Android and MacOS, but use via a browser is also possible.

Like Webex Meetings, it is possible to interconnect the solution with many services (Google Calendar, Zendesk, Trello, Twitter, etc.).

Combined with the other related products and services provided by Cisco, including switches, phones and cameras, we consider this to be one of the most complete solutions currently available.


Results table

Encryption

Uses an appropriate encryption algorithm: Fully
  Advanced Encryption Standard (AES) 128, AES 256, Secure Hash Algorithm (SHA) 1, SHA 256 and RSA.

Uses a strong encryption key: Fully
  AES 256 (stored) / AES 128 (streamed)

Data is encrypted in transit under normal use: Fully
  See https://help.webex.com/en-us/vf2yaz/Cisco-Webex-Teams-App-Security and https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/cloudCollaboration/spark/esp/Cisco-Webex-Apps-Security-White-Paper.pdf

Data stays encrypted in transit on provider servers: Fully
  According to Cisco, the Webex Teams app encrypts messages, files, and names of spaces on the endpoint before sending them to the cloud. The content is processed and stored in that encrypted form until it is decrypted again on the receiving device. However, the app understandably can’t provide end-to-end encryption for messages and files linked to in-app automation tools like bots.

Voice, Video and Text are all encrypted: Fully
  See https://help.webex.com/en-us/vf2yaz/Cisco-Webex-Teams-App-Security and https://www.ciscospark.com/content/dam/ciscospark/eopi/country/usa/assets/pdf/cisco-spark-security-white-paper.pdf

File transfers & session recordings are encrypted: Fully
  See https://help.webex.com/en-us/vf2yaz/Cisco-Webex-Teams-App-Security

Vendor technically can’t decrypt the data at any point, even under regulatory pressure (full E2EE): Partially
  Cisco Webex Teams makes use of an open architecture for the management of encryption keys, allowing customers to gain exclusive control over their encryption keys and the confidentiality of their data. This means that content is encrypted on the user’s client and stays encrypted until it reaches the recipient, with no intermediaries having access to decryption keys for content unless the enterprise explicitly chooses to grant such access.
  Cisco will provide any enterprise customer access to the source code for the components contained within the Security Realm in order to allow for inspection, compilation, and binary comparison. See https://www.ciscospark.com/content/dam/ciscospark/eopi/country/usa/assets/pdf/cisco-spark-security-white-paper.pdf

Encryption implementation has withstood scrutiny over time: Fully
  Cisco also promises to provide source code for Security Realm services, such as the KMS, to any enterprise customer that requests it for purposes of verification of their claims.
Authentication

Administrators can define password security policies: Partially
  It appears that Webex pre-configures the password requirements, although the solution can be configured for SSO with Active Directory and other IdPs.
  See https://help.webex.com/en-us/nxsab72/Webex-Teams-Change-Your-Password

Supports MFA as default: No
  No native MFA available; needs a third-party IdP to provide it. Cisco has advised that native support for MFA is on their roadmap.

Can integrate with Active Directory or similar: Fully

Can integrate with SSO solutions via SAML or similar: Fully

Offers RBAC: Fully
  See https://help.webex.com/en-us/fs78p5/Assign-Organization-Account-Roles-in-Cisco-Webex-Control-Hub

Allows passwords to be set for meetings: Fully
  See https://help.webex.com/en-us/zrupm6/Manage-Security-for-Your-Site-in-Cisco-Webex-Site-Administration

Allows meeting password security policies to be set: Fully
  See https://help.webex.com/en-us/zrupm6/Manage-Security-for-Your-Site-in-Cisco-Webex-Site-Administration
Jurisdiction

Headquarters address: USA
  Milpitas, California (United States)

The vendor cannot technically access any data without the client’s consent: Partially
  Cisco claims to have built end-to-end encryption into the fabric of Teams, relying on the separation of the Security Realm from the rest of the Cisco Cloud to make it happen. For customers that want even stronger guarantees that Cisco, as the cloud service provider, has no access to their content, Cisco offers flexibility in the deployment of the services contained in the Security Realm and offers access to source code for verification of their claims.
  See https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/cloudCollaboration/spark/esp/cisco-spark-security-white-paper.pdf

A full on-prem version is available for users who don’t want to trust the vendor: Partially
  Any customers who are concerned about Cisco storing their message and file encryption keys and content can choose to deploy an on-premises (encryption) Key Management Server (KMS), which is a component of the Webex Hybrid Data Security platform. The KMS controls and manages the encryption keys for content stored in Webex data centers.
  See https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/cloudCollaboration/spark/esp/Webex-Teams-Security-Frequently-Asked-Questions.pdf and https://help.webex.com/en-us/nm1m8zv/Get-Started-with-Cisco-Webex-Hybrid-Services

For SaaS modes of deployment, the client can select which countries or political regions data is stored or processed in: Partially
  Data center location can be selected during setup.

Complies with appropriate security certifications (e.g. ISO27002 or BSI C5): Fully
  See https://www.cisco.com/c/en/us/about/trust-center/webex.html#~certifications

Complies with appropriate privacy standards (e.g. FERPA or GDPR): Fully
  See https://www.cisco.com/c/en_uk/solutions/collaboration/webex-teams/security-compliance-management.html

Provides a transparency report that details information related to requests for data, records, or content: Fully
  See https://www.cisco.com/c/en/us/about/trust-center/transparency.html
Security Management

Offers other forms of access control to meetings, e.g. waiting rooms, lockout, banning etc.: Partially
  Requires a Webex Meetings enabled account for some functionality.
  See https://help.webex.com/en-us/sf4sh1/Webex-Teams-Security-Best-Practices

Allows granular control over in-meeting actions like screen sharing, file transfer, remote control: Fully
  Appears to require Pro Pack for Cisco Webex Control Hub for the functionality.

Offers clear central control over all security settings: Fully
  See https://www.cisco.com/c/en/us/products/collateral/collaboration-endpoints/webex-room-series/datasheet-c78-740770.html

Allows for monitoring and maintenance of endpoint software versions: Unclear
  Not to our knowledge.

Provides compliance features like eDiscovery & Legal Hold: Fully
  Requires Pro Pack for Cisco Webex Control Hub for additional data retention.

Auditing and Reporting: Fully
  See https://help.webex.com/en-us/n3b0w6x/Audit-Events-in-Cisco-Webex-Control-Hub

Additional content security controls like DLP, watermarking, etc.: Fully
  Comprehensive DLP is available via Cisco ‘Cloudlock’ as part of an Extended Security Pack, which also offers anti-malware capabilities.
Vulnerability Management

Percentage of NVD 2019: 0.03%
Percentage of NVD 2020: 0.02%

Vendor discloses which vulnerabilities have been addressed: Fully
  See https://www.cisco.com/c/en/us/support/unified-communications/spark/products-security-advisories-list.html

Vendor runs a bug bounty: Partially
  Cisco is listed on HackerOne, but there is nothing specific for Teams.

Encryption

Cisco claims that the solution provides end-to-end encryption of all data, and it seems clear that communications and files are encrypted before transmission and are stored encrypted if required[1].

Cisco asserts that all real-time media in Cisco Webex Teams (voice, video, and desktop share) is transmitted using Secure Real-Time Transport Protocol (SRTP), which provides protection against network sniffing. But Cisco also clarifies that real-time media is not always encrypted end-to-end – some data may have to be decrypted in their cloud for mixing, distribution, and public switched telephone network (PSTN) interoperability purposes.

However, Webex Teams also allows customers to keep their encryption keys themselves and thus avoid having to send them into the cloud. Data stored in the cloud would therefore only be accessible to authorized users. Any customers who are concerned about Cisco storing their message and file encryption keys and content can choose to deploy an on-premises (encryption) Key Management Server (KMS), which is a component of the Webex Hybrid Data Security platform. The KMS controls and manages the encryption keys for content stored in Webex data centers.

Cisco documentation also suggests that under certain circumstances Cisco may access client data with the consent of the client. Our understanding is that the client holds the keys and would have to provide Webex access to them.[2]

Authentication

The solution, like many on the market, allows integration with the company’s Active Directory to facilitate authentication via single sign-on, and offers additional features like a form of Data Leakage Protection (DLP). This strengthens the protection of stored data. Data can only be shared in closed meeting spaces, where only authorized people can add collaborators.

Jurisdiction & Regulation

Cisco claims ISO 9001, ISO 27001, ISO 27018, SOC 2, Privacy Shield Framework and EU model clause compliance for Webex Teams. Webex Teams and Webex Meetings have also formally received attestation against the BSI Cloud Computing Compliance Controls Catalogue (BSI C5).

However, Webex is a SaaS solution delivered by Cisco, which falls under the jurisdiction of the United States government. Theoretically this means that the company could be compelled to provide data or access to the government in compliance with US laws, which might be a concern for businesses from other countries. However, Cisco offers flexibility in the deployment of the services contained in the Security Realm and offers access to source code for verification of their claims.

Security Features and Management

As a cloud-based service, Webex benefits from the security of the Cisco data centers that host the service.

Webex supports role-based access, which limits the privileges of meeting attendees. This configuration also allows hosts to restrict application or desktop sharing if necessary.

Cisco additionally offers the possibility of federating Webex instances, thereby eliminating the confidentiality and data leakage risks associated with guest accounts. During internal and external collaboration, customers can therefore control the flow of sensitive content, and shared confidential data can be removed.

Like other vendors, Cisco allows the administrator to manage the password criteria as required.

Cisco offers Webex Control Hub as a “web-based, intuitive, single-pane-of-glass management portal that enables you to provision, administer, and manage Cisco Webex services and Webex Hybrid Services, such as Hybrid Call Service, Hybrid Calendar Service, Hybrid Directory Service, and Video Mesh”.

Additionally, Pro Pack for Webex Control Hub is a “premium offer for customers that require more advanced capabilities, or even integrations with their existing security, compliance, and analytics software. Access can be provided specifically to those that need these more advanced capabilities – for example, information security professionals, compliance officers, or business analysts”.

Vulnerability & Exploit History

The NIST National Vulnerability Database records six vulnerabilities for Cisco Webex Teams components since the beginning of 2019, several of which were categorized as serious:

Year   Reported   NVD Total   Percentage
2019   4          17,308      0.02%
2020   2          7,624       0.03%

It’s beyond the scope of this assessment to consider to what extent vulnerabilities in other Cisco Webex components would have an impact on the Teams platform. However, as this would technically be true for other integrated products like Microsoft Teams, Skype for Business and Google Meet, we have excluded those vulnerabilities here.

Cisco has a clear Security Vulnerability Policy that states how Cisco addresses reported security vulnerabilities in Cisco products and services, including the timeline, actions, and responsibilities that apply equally to all customers[3].

The Cisco Product Security Incident Response Team (PSIRT) is responsible for responding to Cisco product security incidents and adheres to ISO/IEC 29147:2014[4].

Sources

1: Video killed the conferencing star
2: In-depth product analysis – Zoom & Microsoft Teams
3: Let’s examine Cisco Webex – A visionary player
4: Google Meet and BlueJeans – Re-engineered platforms for secure meetings
5: Tixeo and BigBlueButton
6: A closer look at Skype for business and Jitsi Meet

Authors

Head of Security Research

Charl van der Walt

Technical thought leader, spokesman and figurehead for Orange Cyberdefense world-wide, leading and managing the OCD Security Research Center – a specialist security research unit. We identify, track, analyze, communicate and act upon significant developments in the security landscape.

Senior Consultant Cybersecurity

Quentin Aguesse

Graduated from a French Business School, Quentin is now senior consultant at Orange Cyberdefense operating from Casablanca (Morocco). With nearly 10 years of experience, Quentin has specialized in risk assessment, disaster recovery planning, as well as cybersecurity awareness.

Consultant Cybersecurity

Jérôme Mauvais

As a specialist in regulatory compliance, Jérôme Mauvais is a security consultant for Orange Cyberdefense. Highly invested in the protection of personal data, Jérôme has also been recognized throughout his career for his great ability to transfer knowledge.

Lead Security Researcher (MSIS Labs)

Carl Morris

Carl has over 20 years’ experience working within IT, covering the whole breadth of the IT infrastructure, with a primary focus and interest on security-related solutions. This has been followed by a decade working in MSSPs, the latest of which has been SecureData for over 7 years: initially as an Escalation Engineer, then in Professional Services, then in the Managed Threat Detection team as a Senior Security Analyst, before moving into the Labs team as a Lead Security Researcher.