This is definitely the question of the month! Concerns about Zoom’s security have been all over the headlines for the past few weeks. We want to take a minute to dispel some myths, clarify what real issues exist and provide you with data to make the right decision for your organization.
The COVID-19 pandemic has driven organizations to lean on video-conferencing platforms to keep operating. Schools are using Zoom to conduct classes, companies are using it for meetings and work sessions, and families are using it to stay in touch under social distancing restrictions. A study by Wandera indicated that March saw a 225% increase in Zoom connections compared to the previous month, and that data usage on the platform rose by 877%.
The surge in usage has brought several security issues to light:
1. Calls without passwords are being joined by uninvited attendees
2. Uninvited attendees are sending inappropriate content to other attendees (Zoom-bombing)
3. Users are being targeted by Zoom-themed phishing attacks that distribute malware and hijack computers
4. 500k Zoom accounts were discovered for sale on the dark web by analysts
5. Zoom does not provide E2EE (end-to-end encryption) as it has advertised
6. Videos recorded on the Zoom platform are not encrypted
7. Zoom issues encryption keys from servers in China, which could potentially be compromised by the Chinese government.
Some of these affect the free and basic Zoom accounts and are simple configuration and policy issues. Others are legitimate security concerns and need to be assessed to determine the risk to your information.
One point that needs to be made is that every video conferencing platform has security issues, some known and some not yet found. Zoom is in the press because of its issues right now, but that does not make it an inherently insecure platform; what matters is how it is configured and what you use it for.
This article will look at each of these issues and discuss the risk and potential mitigation strategies.
1) Calls without passwords are being joined by uninvited attendees
Attackers built and distributed automated tools that enumerate Zoom meeting IDs (a nine to eleven digit number, so guessing candidates is cheap) and harvest meeting links posted on public web pages and social media, then join any meeting that has neither a password nor a waiting room. This is fixed with configuration. Administrators should require a password for all meetings (scheduled, instant and Personal Meeting ID meetings) and enable the waiting room in the account-level settings, and lock those settings so individual users cannot turn them off. Meeting links and passwords should not be posted publicly; if an event must be open, distribute the link through registration rather than on a public page.
2) Uninvited attendees are sending inappropriate content to other attendees (Zoom-bombing)
Once passwords are required for all meetings, hosts should be trained to review the participant list, remove anyone who should not be there, and lock the meeting once everyone expected has joined so that nobody else can enter even with the link and password. Beyond controlling who gets in, the Administrator can control what participants are allowed to do during a meeting: share their screen, chat, chat privately, send content in chat, transfer files, annotate and use the whiteboard. Restricting these to the host, or disabling them, removes the channels a Zoom-bomber uses to push inappropriate content at other participants.
3) Users are being targeted by Zoom based phishing attacks in order to distribute malware and hijack computers.
Security awareness training is more important than ever. Educate your users on what a phishing email looks like, and specifically on the current lures: fake meeting invitations, fake "missed meeting" notices and fake Zoom installers. Zoom should only be installed from zoom.us or the official app stores, and a meeting link should be expected to point at zoom.us (or the organization's own vanity subdomain of it). This needs to be combined with proper patch management and effective endpoint protection to limit the impact when a user does click a bad link.
4) 500k Zoom accounts were discovered for sale on the dark web by analysts.
Zoom's investigation concluded that these accounts were not taken from Zoom's own systems but assembled by credential stuffing: attackers took usernames and passwords leaked from other sites and replayed them against Zoom's login. The mitigation follows from that. Users should reset their Zoom password to one that is unique to Zoom, ideally generated and stored by a password manager, because a password reused from another site is only as safe as that site's breach history. Where a password has to be memorized, a long passphrase resists brute force far better than a short password; a phrase such as "D1ve D33p Und3r 7he L&rge Br1dge" gets its strength from its length, not from the character substitutions, and any example phrase that has appeared in print, including this one, should never be used. Enable Multi-factor Authentication (MFA) on Zoom accounts wherever it is available, for example by putting Zoom behind the organization's SSO provider; MFA is the control that defeats credential stuffing even after a password has leaked.
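A password reset is only useful if the new password is not already in a breach corpus. The following is an added example, not Zoom's code or the author's: it implements the k-anonymity range lookup used by the Pwned Passwords service, in which only the first five hex characters of the password's SHA-1 leave the machine and the matching suffix is found locally. The corpus and its counts are constructed for the example, and lookup_range() is a stand-in for the network call so the code runs offline; the article's own example passphrase is deliberately included in the corpus, because a passphrase that has been published belongs on the deny list.

```python
"""Screen a password against a breach corpus without disclosing it.

Added example, not Zoom's code. Implements the k-anonymity range lookup used
by the Pwned Passwords service: only the first five hex characters of the
password's SHA-1 leave the machine and the suffix is matched locally.
The corpus below is constructed (made-up counts) and lookup_range() stands in
for the network call so the example runs offline.
"""
import hashlib
from typing import Dict, List

PREFIX_LEN = 5


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus. The article's own example passphrase is in it on
# purpose: once a passphrase is printed in public, it belongs in the deny list.
_CORPUS: Dict[str, int] = {
    "password": 3_500_000,
    "Password1": 25_000,
    "zoom2020": 120,
    "D1ve D33p Und3r 7he L&rge Br1dge": 1,
}

# Group the corpus by hash prefix, the way the real range responses are laid out.
RANGE_FILES: Dict[str, List[str]] = {}
for _pw, _count in _CORPUS.items():
    _h = sha1_hex(_pw)
    RANGE_FILES.setdefault(_h[:PREFIX_LEN], []).append(f"{_h[PREFIX_LEN:]}:{_count}")


def lookup_range(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    The real service returns the same "SUFFIX:COUNT" lines; replace this
    function with an HTTP call to use it for real. Only the prefix is sent.
    """
    assert len(prefix) == PREFIX_LEN
    return "\r\n".join(RANGE_FILES.get(prefix, []))


def breach_count(password: str) -> int:
    """How many times the password appears in the corpus (0 = not seen)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in lookup_range(prefix).splitlines():
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def acceptable(password: str, min_length: int = 15) -> bool:
    """Reset policy: unseen in breaches and long enough to resist brute force.

    Length is the control here; character substitutions add little.
    """
    return len(password) >= min_length and breach_count(password) == 0


if __name__ == "__main__":
    for candidate in ("Password1", "D1ve D33p Und3r 7he L&rge Br1dge", "quiet otter reads four maps"):
        print(f"{candidate!r}: seen {breach_count(candidate)} times, acceptable={acceptable(candidate)}")
```

Uniqueness across sites cannot be checked this way; that is why the password manager and MFA sit alongside the breach check rather than being replaced by it.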
5) and 6) Zoom does not provide E2EE (end-to-end encryption) as it has advertised, and videos recorded on the platform are not encrypted
Zoom connections between the client and Zoom's servers are protected with TLS, and meeting content is encrypted with AES (Zoom advertised AES-256). That is transport encryption, not end-to-end encryption in the normal sense of the term: the key for each meeting is generated by Zoom's servers and distributed to the clients, so the servers hold the key and could in principle decrypt the media passing through them. Zoom acknowledged this in April 2020 and stopped describing meetings as end-to-end encrypted. The point is not academic for features that require Zoom's infrastructure to handle media: cloud recording, telephone dial-in and third-party room connectors all process plaintext on Zoom's side. Cloud recordings are stored encrypted at rest and can be password protected once processing completes, but Administrators who do not want meeting content on Zoom's infrastructure should disable cloud recording. Hosts can still record locally; a local recording is an ordinary video file, so it should be kept on encrypted disk with appropriate access controls. Because Zoom operates the key management system, an insider could theoretically use a meeting key to view a meeting. Zoom states that it has controls in place and has built no mechanism to do this, which is a trust assumption about Zoom, not a cryptographic guarantee.
7) Zoom issues encryption keys from servers in China, which could potentially be compromised by the Chinese government.
The concern is about meeting keys, not TLS certificates, and it is partially true. Zoom's servers generate and distribute the AES key for each meeting, and some of that key-management infrastructure, along with many of Zoom's developers, is located in China. Independent researchers observed meeting keys for calls held entirely outside China being issued by servers in China; Zoom attributed this to a capacity-routing misconfiguration and said it had been corrected. A server that issues a key can also retain it, so the jurisdiction of the issuing server is a legitimate input to the risk assessment for sensitive meetings. Zoom has since added a configuration setting that lets an Administrator select which data center regions are allowed (Europe, Hong Kong, Australia, India, Latin America, Japan, China, United States or Canada); organizations with no presence in China should exclude it.
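The two sections above turn on one question: who generates the meeting key. The following is an added model, not Zoom's code and not its protocol, that makes the difference concrete. In design A the server issues the key and hands it to both clients (the transport-encryption model described above); in design B the clients agree the key between themselves and the server only relays ciphertext. The cipher is a toy keystream (SHA-256 in counter mode, unauthenticated) and the key agreement is textbook Diffie-Hellman over a small Mersenne prime; both are assumptions chosen so the example runs on the standard library, and neither is fit for real use.

```python
"""Who can read meeting media: server-issued keys versus client-agreed keys.

Added model, not Zoom's code and not its protocol. The cipher is a toy
keystream (SHA-256 in counter mode, unauthenticated) and the key agreement is
textbook Diffie-Hellman over a small Mersenne prime; both are illustrative
choices so the example runs on the standard library, and neither is fit for
real use. The point is architectural: whoever generates the meeting key can
decrypt the meeting.
"""
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

# Toy DH parameters (assumption for illustration only): p = 2**127 - 1, g = 5.
P = 2**127 - 1
G = 5


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt by XOR with SHA-256(key || nonce || counter)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class MeetingServer:
    """Relays media between clients and keeps a copy of everything it sees."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}      # keys the server itself generated
        self.relayed: List[Tuple[str, bytes, bytes]] = []

    def issue_key(self, meeting_id: str) -> bytes:
        """Design A: the server generates the meeting key and hands it out."""
        key = secrets.token_bytes(32)
        self.keys[meeting_id] = key
        return key

    def relay(self, meeting_id: str, nonce: bytes, ciphertext: bytes) -> Tuple[bytes, bytes]:
        self.relayed.append((meeting_id, nonce, ciphertext))
        return nonce, ciphertext

    def try_read(self, meeting_id: str) -> Optional[List[bytes]]:
        """What an insider (or a legal demand) at the server can recover."""
        key = self.keys.get(meeting_id)
        if key is None:
            return None                       # only ciphertext was ever seen
        return [keystream_xor(key, n, c) for m, n, c in self.relayed if m == meeting_id]


class Client:
    def __init__(self) -> None:
        self.key: Optional[bytes] = None
        self._priv = secrets.randbelow(P - 2) + 1

    def public(self) -> int:
        return pow(G, self._priv, P)

    def agree(self, peer_public: int) -> None:
        """Design B: derive the key by DH; the server relays only public values."""
        shared = pow(peer_public, self._priv, P)
        self.key = hashlib.sha256(shared.to_bytes(16, "big")).digest()

    def send(self, server: MeetingServer, meeting_id: str, text: str) -> Tuple[bytes, bytes]:
        assert self.key is not None, "no meeting key yet"
        nonce = secrets.token_bytes(12)
        return server.relay(meeting_id, nonce, keystream_xor(self.key, nonce, text.encode()))

    def receive(self, nonce: bytes, ciphertext: bytes) -> str:
        assert self.key is not None, "no meeting key yet"
        return keystream_xor(self.key, nonce, ciphertext).decode()


def server_issued_keys(message: str = "hello bob") -> Tuple[str, Optional[List[bytes]]]:
    """Design A: transport encryption with server-held keys (the model described above)."""
    server, alice, bob = MeetingServer(), Client(), Client()
    alice.key = bob.key = server.issue_key("meeting-1")   # both fetch the key from the server
    nonce, ct = alice.send(server, "meeting-1", message)
    return bob.receive(nonce, ct), server.try_read("meeting-1")


def client_agreed_keys(message: str = "hello bob") -> Tuple[str, Optional[List[bytes]]]:
    """Design B: end-to-end encryption; the server relays ciphertext it cannot open."""
    server, alice, bob = MeetingServer(), Client(), Client()
    alice.agree(bob.public())   # public values travel via the server, private values never do
    bob.agree(alice.public())
    nonce, ct = alice.send(server, "meeting-2", message)
    return bob.receive(nonce, ct), server.try_read("meeting-2")


if __name__ == "__main__":
    print("server-issued :", server_issued_keys())
    print("client-agreed :", client_agreed_keys())
```

In both designs Bob reads the message; the only difference is the second value returned, which is the plaintext the server can recover. Cloud recording, dial-in and room connectors are exactly the features that need design A, which is why disabling them is the lever an Administrator has.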
In closing, and to answer the original question, "To Zoom or not to Zoom": it depends. Each organization needs to assess the risks of each platform against its own security needs, but Zoom is a cost-effective and reasonably secure platform once the proper configuration is in place and it is kept away from content that requires true end-to-end encryption. Below is a quick summary of the recommended changes to improve the overall security of your Zoom sessions.
· Educate users on proper usage and security best practices
· Require passwords
· Reset account passwords and use passphrases
· Turn on MFA for all Zoom accounts
· Turn on waiting room
· Limit use of Personal Meeting IDs (PMI) for calls
· Verify and remove uninvited participants
· Lock meetings once all participants are present
· Limit in-session services
· Disable Cloud Video Storage
· Disable data center regions based on risk
· Determine if Zoom is appropriate for the content being shared
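The configuration items in this checklist, and in sections 1), 2) and 5) above, can be audited rather than clicked through one account at a time. The following is an added example, not Zoom's code: it checks a settings export against a hardening baseline, reports every deviation (including fields missing from the export), and builds the PATCH body that would correct the drift. The dict layout and field names mirror the shape of the Zoom REST API settings object (GET /users/{userId}/settings, changed with PATCH), but they are assumptions for illustration and should be confirmed against the current API reference; the weak settings sample is constructed.

```python
"""Audit Zoom settings against the hardening checklist and emit the fix.

Added example, not Zoom's code. The dict layout and field names mirror the
shape of the Zoom REST API settings object (GET /users/{userId}/settings,
changed with PATCH), but are assumptions for illustration; confirm them
against the current API reference. Sample data is constructed.
"""
import copy
from typing import Any, Dict, List, Tuple

# Hardening baseline: (section, field, required value).
BASELINE: List[Tuple[str, str, Any]] = [
    # 1) nobody joins without a password; PMI-based meetings included
    ("schedule_meeting", "require_password_for_scheduling_new_meetings", True),
    ("schedule_meeting", "require_password_for_instant_meetings", True),
    ("schedule_meeting", "require_password_for_pmi_meetings", "all"),
    ("schedule_meeting", "use_pmi_for_scheduled_meetings", False),
    ("schedule_meeting", "use_pmi_for_instant_meetings", False),
    ("schedule_meeting", "join_before_host", False),
    # 2) host gates entry and controls what participants can push to others
    ("in_meeting", "waiting_room", True),
    ("in_meeting", "who_can_share_screen", "host"),
    ("in_meeting", "file_transfer", False),
    ("in_meeting", "private_chat", False),
    ("in_meeting", "annotation", False),
    ("in_meeting", "whiteboard", False),
    ("in_meeting", "remote_control", False),
    # 5) keep recordings off Zoom's infrastructure
    ("recording", "cloud_recording", False),
]

UNSET = "<unset>"

# Constructed: what an unhardened account looks like.
WEAK_SETTINGS: Dict[str, Dict[str, Any]] = {
    "schedule_meeting": {
        "require_password_for_scheduling_new_meetings": False,
        "require_password_for_instant_meetings": False,
        "require_password_for_pmi_meetings": "none",
        "use_pmi_for_scheduled_meetings": True,
        "use_pmi_for_instant_meetings": True,
        "join_before_host": True,
    },
    "in_meeting": {
        "waiting_room": False,
        "who_can_share_screen": "all",
        "file_transfer": True,
        "private_chat": True,
        "annotation": True,
        "whiteboard": True,
        "remote_control": True,
    },
    "recording": {"cloud_recording": True, "local_recording": True},
}


def audit(settings: Dict[str, Dict[str, Any]]) -> List[Tuple[str, Any, Any]]:
    """Return (dotted field, expected, actual) for every baseline deviation.

    A field absent from the export is reported as UNSET rather than silently
    treated as compliant: a missing control is a finding, not a pass.
    """
    findings = []
    for section, field, expected in BASELINE:
        actual = settings.get(section, {}).get(field, UNSET)
        if actual != expected:
            findings.append((f"{section}.{field}", expected, actual))
    return findings


def patch_body(settings: Dict[str, Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Build the minimal PATCH payload that brings `settings` to baseline."""
    body: Dict[str, Dict[str, Any]] = {}
    for dotted, expected, _actual in audit(settings):
        section, field = dotted.split(".", 1)
        body.setdefault(section, {})[field] = expected
    return body


def harden(settings: Dict[str, Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Return a copy with the PATCH applied (what the account should look like)."""
    fixed = copy.deepcopy(settings)
    for section, fields in patch_body(settings).items():
        fixed.setdefault(section, {}).update(fields)
    return fixed


if __name__ == "__main__":
    for dotted, expected, actual in audit(WEAK_SETTINGS):
        print(f"{dotted}: expected {expected!r}, found {actual!r}")
    print("PATCH body:", patch_body(WEAK_SETTINGS))
    assert audit(harden(WEAK_SETTINGS)) == []
```

Run the audit on a schedule against every account and user export, not once: Zoom lets users change many of these settings themselves unless the Administrator locks them, so drift from the baseline is the normal case rather than the exception.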