Both companies and consumers have come to rely heavily on communication platforms to keep interacting and working during COVID-19. In particular, usage of the California-based Zoom videoconferencing platform has exploded since the beginning of the pandemic, and with that usage has come extensive media coverage of several security- and privacy-related issues.
The Problem
During the initial days of the pandemic, Zoom’s usage ballooned from a maximum of 10 million to more than 200 million daily meeting participants. This growth naturally made Zoom a much larger target for both attack and scrutiny. Several issues were quickly identified. Meeting passwords were not required by default, and meeting IDs could be guessed or enumerated; together these enabled an attack called “Zoom bombing,” in which uninvited attackers join and disrupt meetings. Flaws in the desktop client were also found: one allowed an attacker who already had a foothold on a machine to elevate privileges, and another allowed the application to be abused to launch files from remote locations.
Zoom’s Response
Once public exploits appeared and the story gained traction in the media, Zoom moved to address several aspects of its platform. First, Zoom published guidance and training for consumers and educators on securing meetings, and clarified its platform encryption and privacy policy. Second, it removed third-party integrations, including the Facebook software development kit (SDK) and the LinkedIn integration, and removed the attendee attention tracker feature. Third, Zoom patched the underlying Mac and PC client issues and enabled meeting passwords by default. Finally, Zoom changed several default settings for education accounts, including enabling waiting rooms by default and allowing only teachers to share content.
Beyond fixing the current platform, Zoom has also announced forward-looking measures intended to make security a top priority for the organization. A full listing of actions can be found in Zoom’s response here.
Since that initial response, and at the time of writing, several additional security concerns have been raised, including meeting traffic being routed through servers in mainland China and other insecure application functionality. Zoom continues to work to address the issues identified.
Making Sense of it All
The main question on people’s minds is “Is Zoom secure?” No technology is 100% secure, but Zoom can be used securely. As with any software, it must be configured for the most secure use possible. When a vulnerability or issue is identified, organizations should determine its impact on their environment, the avenues or attack vectors through which it could be exploited, and the product owner’s response (in this case Zoom’s), and then apply patches and mitigations as soon as possible.
Attackers and security researchers will continue to find gaps in software, especially software that attracts a lot of attention quickly. It is therefore worth recognizing the positives: Zoom has been transparent about what went wrong and about what it is doing to fix it. This type of communication is commendable and something organizations should consider as a model for their own next incident.
What Companies Need To Do Now
First and foremost, Zoom users should keep the client up to date with the latest security patches. After upgrading to the latest version, Zoom should be configured to prevent the issues identified above, such as “Zoom bombing,” as follows:
- Require a password for both scheduled and instant meetings. A Zoom administrator can lock this setting to enforce the requirement account-wide.
- Use the waiting room feature, so that all participants are held in the waiting room until the host admits them.
- Disable video by default and mute participants upon entry. This does not prevent people from using video during meetings; they simply have to turn it on once inside. These settings protect user privacy and stop a Zoom bomber from displaying content or broadcasting audio the moment they join; to keep an intruder muted, the host should also disable the option that lets participants unmute themselves.
- Generate meeting IDs automatically rather than using the host’s static Personal Meeting ID, which is reused across meetings and therefore easier to guess or leak.
Additional settings to consider, where the environment and required functionality allow, include disabling co-host functionality so that no one can take over a meeting, and limiting screen sharing to “host only” so that a potential Zoom bomber cannot share content from their screen.
Finally, educate users on using any software securely. Social engineering attacks are on the rise, exploiting the fear, uncertainty and doubt (FUD) produced by COVID-19, and any technology that involves user interaction is exposed to them. Users should be made aware that they must always be careful about which links they click, not just in email but also in meeting invitations and in-meeting chat.
How We Can Help
Protiviti assists organizations in identifying and remediating issues like those outlined in the Zoom story, using a time- and risk-based approach:
Immediate Term: Protiviti provides external exposure assessments that simulate real-world tactics to quickly identify information that may have been made publicly available and to assess the resiliency of networks, systems and applications to the types of attacks occurring during this pandemic. These rapid assessments identify significant gaps for closure.
Short Term: Protiviti assists clients in performing threat-based modeling and simulated attacks against an entire environment or particular parts of it (web applications, infrastructure, databases, etc.). These simulations, coupled with proactive dynamic and static application security testing, uncover technical risks in how software is deployed and installed.
Medium Term: Protiviti provides a variety of holistic strategic risk assessments (security and otherwise) that help both organizations producing software and those using third-party software understand these risks and safeguard against them.
To learn more about Protiviti’s risk mitigation capabilities, contact us.