Pratum Blog

Zoom Security

Zoom is one of the largest, and currently most popular, video meeting apps for business and personal use. However, popularity is drawing more attention to what some consider security flaws and privacy concerns in the system.

Zoom’s Rapid Growth and Security Shortfalls

Eric Yuan, Zoom founder and CEO, recently stated the company was not expecting the mass expansion that came after the Coronavirus hit. According to Yuan, at the end of 2019 there were about 20 million users on Zoom. In March of 2020, they reached 200 million.

There have been several features of the Zoom software raising concerns for employees, business owners, and government officials. These concerns are causing Yuan to now issue an apology, saying Zoom had:

“…fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry.”

Now, Yuan says they are working “around the clock” to address these concerns.

What should you be aware of in the meantime?

1. Zoombombing

One widely reported abuse of Zoom right now is called “Zoom-bombing”. While it may be innocent pranking for some, it raises privacy concerns for others. Zoom-bombing is when uninvited attendees break into and disrupt meetings, and it is happening around the world. This is causing concern for businesses trying to hold conference calls about confidential information.

Zoom-bombing is made possible because all meetings started by the same host automatically share the same, default meeting ID. Another default feature is that all meetings can be joined without the need for a password. While hosts have the ability to use new meeting IDs and set passwords for each new call, these settings are not enabled by default.

Security researchers have also developed a new, automated tool that is capable of finding roughly 100 Zoom meeting IDs within an hour. This tool specifically looks for meeting IDs that are not password protected, meaning that anyone with this 9- or 11-digit code could listen in on sensitive or private calls. While malicious individuals would likely be noticed in small group discussions, they could easily listen in on calls involving 20+ people without being detected.

2. Cloud Recording

Another serious concern is something called “cloud recording” for paid subscribers. This feature in Zoom allows a host to record a meeting, along with a text transcript or a text file of any active chats in the meeting. The recording is then saved to the cloud, where it can be accessed by other users within your company, even people who never attended that meeting. Zoom does allow users to narrow the audience to only pre-approved IP addresses.

3. Data Sharing

Being able to set up an account using your Facebook account is a common practice for many online systems. However, this is typically laid out in fine print, readily available when you agree to the terms of the service. Zoom is being accused of not being transparent about the fact that it may share your data with Facebook, even if you don’t have a Facebook account.

4. Webcam Control

One of the most recent concerns brought up was discovered by a former NSA (National Security Agency) hacker. He discovered bugs that would allow hackers to take control of webcams and microphones on Mac computers using Zoom. He also found a vulnerability that enabled an attacker to gain root access to the host computer. This brings up several concerns for people’s personal privacy and safety. Patches for these vulnerabilities are now available and it’s recommended to patch immediately.

5. Attention-Tracking

Another issue people have with the app is something called “attention-tracking”. This feature is built into Zoom and allows the host of the Zoom call to see whether attendees have the app or window in the foreground. That means if students or employees don’t have the video chat front and center, their professor or manager will be able to tell. While this may seem appealing to some meeting hosts, it causes distrust for many users who feel they are being monitored unnecessarily.

Demands for Change

On Monday March 30th, New York’s Attorney General Letitia James sent Zoom a letter outlining privacy vulnerability concerns and asking what steps the company had in place to keep users safe.

In the United Kingdom, government officials have been using Zoom for cabinet meetings. That is now being debated after these concerns were brought up.

Reportedly, Elon Musk is banning the use of Zoom for any work being done on SpaceX projects. One of SpaceX’s biggest customers is NASA, which also prevents its employees from using it.

How You Can Stay Safe

There are a few ways to lessen the risk of using Zoom.

  • Review your Zoom security settings.

  • Configure Zoom to:

    - Generate new meeting IDs for each call.

    - Don’t make your meetings or classrooms public – make the meetings private by requiring a password for entry or use the waiting room feature to control who joins. Use secure, alternate forms of communication to distribute passwords as necessary.

    - Disable cloud-recording features or restrict that capability to only the meeting host.

    - Restrict screensharing to only the meeting host.

  • Minimize Zoom permissions to only what you find necessary.
  • Consider anti-tracking software for your Zoom account. If you do not want Zoom, or other sites, sending your data to third parties, you can look into anti-tracking software to mitigate this potential.
  • Make sure your Wi-Fi network is secure and restricted to authorized users.
  • Don’t share a link to your meeting in social media posts or other publicly available mediums – send meeting invites directly to participants only.
  • Zoom made a security change back in January to turn on password requirements by default, so users should make sure they are using the latest version of the Zoom software.
  • Ensure your remote work policies/IT policies outline how to configure/use Zoom if your organization allows the use of it.
  • Zoom also has a number of other suggestions on a blog post: https://blog.zoom.us/wordpress/2020/03/20/keep-uninvited-guests-out-of-your-zoom-event/

While all of these steps can help, many cybersecurity experts are advising anyone with especially sensitive data or conversations to find a more secure alternative.

Zoom Alternatives:

Microsoft Teams: This service is included in all Office 365 subscriptions. If you haven’t taken advantage of this chat and video conferencing software from Microsoft, it may already be included in the licenses you pay for.

Apple FaceTime: If security is paramount for your discussion, Apple’s FaceTime service offers video conferencing for up to 32 individuals, with all communication featuring end-to-end encryption. Not even Apple has access to the data communicated through its service. However, all employees must have an Apple device (Mac, iPad, or iPhone).

Google Duo or Google Hangouts: This service is included with all G-Suite business licenses. While it may not feature end-to-end encryption, it offers (via a transparent user interface) many of the privacy features that users are looking for and that Zoom currently lacks.

Cisco Webex and GoToMeeting: These video chat applications have been around for many years and each offer a different set of robust features similar to those offered by Zoom.

(Sources:

https://www.bbc.com/news/technology-52133349

https://www.cnet.com/news/using-zoom-while-working-from-home-here-are-the-privacy-risks-to-watch-out-for/

https://objective-see.com/blog/blog_0x56.html

https://www.theverge.com/2020/4/2/21206061/zoom-meeting-id-zwardial-automated-tool)

Cybersecurity Education

Do your employees know what a phishing email is? Would they know what to do if malware took over their computers? While certain cybersecurity measures seem common sense to many IT professionals, not everyone is educated on the best practices to keep themselves, and your company, safe from cyber risks. The only way to truly fix that is through awareness training.

Before you start emailing out a long list of online threats for your employees to avoid, first decide what the biggest threats to your business are. Then, come up with an action plan to educate and inspire your staff to be more diligent. Here are a few key messages every business should communicate!

1. This matters to everyone.

This may sound simple, but mindset is key when implementing a security plan. Not only should you explain to your employees how a security breach could impact the entire organization, you should also emphasize what that might mean for them individually. Not only could they lose personal data, but a significant cyber-attack can take down an entire company.

It may help to explain it to them like this: if someone at a healthcare organization or financial institution had access to their private information, wouldn’t they want that person to protect their data from hackers? The same professionalism and awareness expected from others is the level everyone should be giving to their clients. It’s also good job security to be cybersecurity aware. Many businesses cannot recover after an incident, and eventually must lay off employees after a breach.

2. Management is excited!

Similar to number 1, getting people on-board with a plan of action means they have to be motivated to make changes. Change is not always easy for people. That’s why having enthusiastic support from executives in the company will help encourage the rest of the staff to get pumped up about the new initiatives! Cybersecurity is a serious topic, but you can make the learning process enjoyable with a positive outlook. That motivation should start from the top!

3. Always be on guard.

While this may come across as paranoia, it’s a good frame of mind when dealing with any emails, or even people, that come from outside the company. Teach your employees the common cyber threats and how to avoid them. Here are a few:

  • Phishing Emails – This is an email that looks legitimate, asking for the recipient’s private information. That could be usernames and passwords, or even credit card or social security numbers. A common threat within businesses is an email that appears to be from a manager, asking an employee to buy gift cards or send financial information. Always reach out to who the email is claiming to be from through another form of communication before giving out any information.
  • Malware – Malware is any software designed to cause damage. This can come from a variety of sources, including emails or website links. Criminals will offer something alluring to the person viewing their content to click on. That link will then download the harmful software to computers, servers, or computer networks. The best way to combat this is to avoid clicking on anything until you verify the sender is trustworthy. Also, try hovering your mouse over the link to see where it will actually be taking you.
  • Social Engineering – This is one of the most effective ways cybercriminals obtain private information from businesses. It’s often done in person, which makes confronting or stopping the attack intimidating to employees. Social Engineering is the use of deception to manipulate people into giving out confidential information. This can cover a wide range of attacks, but one you should emphasize with employees is facility access. If a cybercriminal has unauthorized access to your building, they can access private information. Humans are naturally helpful, which makes entering a building or private area of a business easy for some criminals. If your employees see someone who doesn’t belong in an area of the company, encourage them to ask that person questions. Even a friendly inquiry can scare off some intruders. If they don’t feel comfortable approaching the situation, give your staff a report chain to inform security or management of their suspicions quickly.

These are just a few of the ways you can educate and protect your employees. Starting with these can make a big impact on the cybersecurity of your staff.

4. Report everything you see.

This might be one of the most important messages you convey during awareness training. Every bit of information can help in the event of a cyber-attack. If security measures fail, having all possible knowledge of what led up to the incident can help digital forensics experts discover what happened and how to prevent it in the future. It’s also important to emphasize with staff that reporting something suspicious will not get them in trouble. Information is power.

Taking the time and using resources to provide your staff with cybersecurity knowledge could save your business. According to the FBI Internet Crime Report, more than $1.7 billion was lost in 2019 to business email compromise. There were more than 114,000 phishing email complaints. Being proactive with awareness training and support for employees will not only protect them from detrimental attacks; your staff is also your first line of defense in protecting your company.

(References: https://pdf.ic3.gov/2019_IC3Report.pdf)

Imagine you receive a call from your neighbor: a door to your house appears to have been kicked in. You arrive home to find that certain items are out of place. Things aren’t in disarray; however, someone unauthorized has broken in and you are unsure what damage has been done. What or who were they after, what did they do, and when did this occur?

Perhaps your home has a security camera that records data. Knowing what security controls exist, what information they contain, and how long that data is retained can be crucial. What if you were on vacation and the cameras overwrite data after 24 hours? It would be necessary to save or preserve this information before it is lost.

This is the same issue many businesses face after a cybersecurity incident.

Much like that homeowner, a business that identifies indicators of compromise faces many lingering questions and a flurry of time-sensitive activity that needs to follow in order to ensure the appropriate incident response actions are taken. Ultimately, the answers to all these questions typically depend entirely upon how much historical information exists. An incident responder needs to quickly identify systems that may contain relevant information and preserve it before it is lost forever.

Without an understanding of your business, you may not have the crucial information needed to respond to an incident properly. It’s crucial to know what security controls exist, what type of evidence is generated within them, and how long this information is available. The ability to identify incidents and review activity relies upon having the applicable data. You typically need the information about what happened in order to understand what occurred and to protect your business from being attacked again. A lack of knowledge also makes it hard to recover what was lost.

Visibility

In order to have the best success in protecting your data, and responding during an incident, you need to proactively make sure the necessary data is being captured and ideally monitored. Typical systems that contain crucial information include network devices such as firewalls, core switches, Authentication Servers/Domain Controllers, security tools, as well as key systems that contain business sensitive data.

Examples of sensitive systems/data: ACH transactions in a bank, code base for a tech company, or intellectual property for a manufacturing plant.

Knowing how to access this information is key when addressing security threats. Without a full understanding of the key systems and infrastructure of your company, you’ll have a hard time efficiently responding to incidents or may even make things worse when an incident occurs.

Here are a few things to ask yourself to make sure you understand your visibility if an incident were to occur:

  • Who has access to our critical systems and data?
  • Where are the audit logs for the above systems stored and for how long?
  • What security layers protect these systems, and are they being monitored appropriately?

Your staff should be able to answer these questions regarding your critical systems and data. The answers will help determine your risk level, and therefore determine many of your security protocol needs. If they can’t answer these questions, it’s time to reevaluate your incident response plan.

Preparedness

The best thing a business can do to prepare for a disaster is identify key systems and infrastructure within their enterprise. So, what does that look like? There are 3 major components every business should take into consideration:

1. Auditing Information -
Ensure you have the correct types of information being logged. This needs to be done in two ways.

- Log data from the correct devices. A lack of logging from crucial systems will leave gaps in visibility that can be detrimental during incident response efforts as well as active security monitoring.

- Ensure you have logging enabled for the necessary data. As an example, ensure you’re logging critical information such as successful and failed events, as well as activity such as changes. Logs from a firewall aren’t helpful if you are only auditing denied traffic.

2. Monitor Data -
To look out for intrusions or security events, it’s necessary to take a proactive approach and actively perform threat hunting exercises and security monitoring. Be aware of alerts that may be going off when a security breach occurs. You may also choose to hire an outside firm, like Pratum, to monitor your systems in real-time with SIEM services.

3. Retention Settings -
Make sure your data is being stored for an adequate amount of time. If an incident happens, but the retention settings don’t go back far enough, you won’t have access to the data you need. This length of retention depends on the level of your company’s security risk. The higher the risk, the longer you should be storing data.
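As an added illustration of the three components above (this is example code written for this post, not a Pratum tool), the script below runs over a few constructed log lines and flags a critical system with no logs at all, a log source that records only one outcome (only denied traffic, only failed logons), and retention that falls short of a target. The line format, the system names and the 90-day target are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real environment) in an assumed
# "ISO-timestamp system outcome details" layout.
SAMPLE_LOGS = """\
2020-03-01T08:00:00 firewall DENY src=10.0.0.5 dst=203.0.113.9 dport=445
2020-03-20T09:12:00 firewall DENY src=10.0.0.7 dst=203.0.113.9 dport=22
2020-02-10T07:30:00 dc01 FAILURE logon user=jdoe reason=bad_password
2020-02-10T07:31:00 dc01 SUCCESS logon user=jdoe
2020-03-28T18:05:00 dc01 SUCCESS group_change group=DomainAdmins user=svc_backup
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(DENY|ALLOW|SUCCESS|FAILURE)\s+(.*)$")

def parse_logs(text):
    """Parse the constructed lines into (timestamp, system, outcome) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return records

def assess_visibility(records, required_systems, retention_days, now):
    """Return {system: [gap, ...]} for the three checks in the post.
    The oldest surviving record is used as a proxy for how far back retention reaches."""
    findings = {}
    oldest_allowed = now - timedelta(days=retention_days)
    for system in required_systems:
        own = [r for r in records if r[1] == system]
        if not own:
            findings[system] = ["no logs received"]   # gap 1: device not logging at all
            continue
        gaps = []
        outcomes = {r[2] for r in own}
        if outcomes <= {"DENY"}:                      # gap 2a: firewall audits only denies
            gaps.append("only denied traffic is logged; allowed traffic is missing")
        if outcomes <= {"FAILURE"}:                   # gap 2b: only failures, no successes
            gaps.append("only failed events are logged; successes are missing")
        oldest = min(r[0] for r in own)
        if oldest > oldest_allowed:                   # gap 3: retention shorter than target
            gaps.append(f"oldest record {oldest.date()} is newer than the "
                        f"{retention_days}-day retention target")
        findings[system] = gaps
    return findings

def sample_report(retention_days=90):
    """Run the assessment over the constructed logs as of an assumed date."""
    recs = parse_logs(SAMPLE_LOGS)
    return assess_visibility(recs, ["firewall", "dc01", "core-switch"],
                             retention_days, datetime(2020, 4, 1))

if __name__ == "__main__":
    for system, gaps in sample_report().items():
        print(system, "->", gaps or ["ok"])
```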

Monitoring

How is your monitoring posture? If you need to go back and review data, or the events surrounding an incident, will you have that information readily available? If your system is designed to only hold data for a short amount of time, you may not be able to get the information you need if a security threat is found.

Going back to the burglary analogy: if you have security cameras that store footage for 24 hours, you will need to immediately seek to preserve that evidence before it is overwritten. The risk of this data not being available significantly increases if you go on vacation frequently. Businesses that take the time to evaluate the effectiveness of their security controls, appropriately measure their risk, and perform incident response preparedness exercises will be better equipped to respond quickly and efficiently during an incident.

How often you monitor your data should match the risk level. When a company has valuable information, like belongings in the home, it needs to be protected and monitored. The level of security should equal the value of the assets. If your data is highly important or sensitive, the level of risk is higher. That information needs more layers of protection.

Review

Evaluating what went wrong during a security incident can be much more difficult if you don’t have all the necessary information. Without any evidence, timeline, or a suspect, it’s hard to solve a theft case. It’s equally hard to solve a cyber-attack.

That’s why it’s so important to prepare ahead of time by understanding your business. Knowing what security measures are in place, how often they’re monitored, and who’s in charge if something goes wrong, can all make a world of difference when it comes to recuperating and responding to an attack.

If you need help evaluating your security posture and coming up with an incident response plan, Pratum offers services to fit your needs and budget.
