Zoom Isn’t Secure, but Here’s How to Fix It
Online meeting company Zoom has been in the news a lot this past week. A company that previously had only about 10 million daily users suddenly has about 200 million daily users and is helping to connect families, coworkers, workout classes, and even high school proms. But with more attention from everyone, Zoom has also found itself the target of a number of high-profile cybersecurity and privacy issues.
IT and cybersecurity
Let’s back up first. We’ve talked about the difference between IT and cybersecurity before. The big takeaway: while IT is about making an IT system work, cybersecurity is about making an IT system work securely. And while the two industries must partner to make this happen, more often than not, cybersecurity is left on the back burner until it’s too late. This appears to be the case with Zoom, where the priority was developing a product built around functionality and ease of use for its consumers. Unfortunately, this has left two major areas where cybersecurity has fallen short.
Area 1: What you can control
Most applications, websites, software, operating systems, and electronic devices have a settings menu. If you don’t dive into this right away when you sign up for a new website or purchase a new phone, you need to start making this a priority. Look for settings that can make your device more secure, like encryption, or adding extra layers of protection, like multi-factor authentication.
This is important because most IT companies want their products to just work out of the box. This is great for ease of use, but it leads to poor cybersecurity. In Zoom’s case, the goal is to make meetings easier to set up and get going. However, this has led to meeting codes being exposed and to “zoombombing”, where outsiders drop into meetings and, to put it lightly, cause problems. Zoom does have a settings menu where you can add extra protections to meetings, but they are not enabled by default. We’ll discuss some of those options later on in this post.
Area 2: What you can’t control
In addition to the settings you can change, there are a number of things you may not be able to control that can lead to similar cybersecurity issues. These may include the underlying configuration of hardware in the cloud, the way the code that runs the application is written, or even a website’s reliance on a third-party.
In Zoom’s case, cybersecurity researchers have noted a number of issues in Zoom’s code. These issues have been present for some time, but due to Zoom’s increased public use, cybersecurity researchers wanted to make sure that the public was safe.
Zoom has stated that their meetings are all encrypted with bank-level encryption and advertised them as such. As a consumer, you’d likely feel confident in this information and trust Zoom with handling your sensitive information. However, cybersecurity researchers found that Zoom’s meeting encryption is not bank-level and, beyond that, is configured incorrectly and not aligned with cybersecurity industry best practices. You may have been relying on a Zoom conference call to discuss highly proprietary information for your organization, but it turns out that a hacker may have been able to steal that information.
“So what can I do about Zoom?”
Zoom can be a great solution for many people. If you’re using Zoom in any capacity though, you should decrease your risk by doing a few things. The FBI has released a great list of recommendations that include:
Do not make meetings or classrooms public. In Zoom, there are two options to make a meeting private: require a meeting password or use the waiting room feature and control the admittance of guests.
Do not share a link to a teleconference or classroom on an unrestricted publicly available social media post. Provide the link directly to specific people.
Manage screen sharing options. In Zoom, change screen sharing to “Host Only.”
Ensure users are using the updated version of remote access/meeting applications. In January 2020, Zoom updated their software. In their security update, the teleconference software provider added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.
Lastly, ensure that your organization’s telework policy or guide addresses requirements for physical and information security.
And while Zoom has announced that they will make passwords and waiting rooms enabled by default for all Free Basic and Single Pro users, many other users may still be at risk.
In addition, the underlying encryption issue remains and we would recommend evaluating your risk. If you’re working with sensitive information, you may want to consider moving to another video conferencing tool until Zoom corrects this and other issues as outlined in their recently released 90 day security plan.
“Is there anything else I should do?”
Think about this: if you were to hire an IT person to install your new internet router, they would come in, set it up, make sure you could access the internet, and then leave, having fulfilled their obligations. In cybersecurity, we would also want to check that the internet router is securely installed, has a strong password and encryption, is updated, and is configured correctly so that no one but you can change anything. We call the weaknesses these checks look for “vulnerabilities”, and they could put you or your organization at risk of a cybersecurity incident, like ransomware. Vulnerabilities can be present in your operating system, like Windows 10, a server, your phone, a website, a third party, or an application, like Zoom. The hard part is that you may not even know you’re vulnerable until it’s too late.
So if you or your organization are worried that you might be vulnerable, let’s talk about our Vulnerability Assessment. We’ll help you understand your risks, and show you where you need to improve so you can keep doing what you do best.