
Weighing in on ZOOM Security

By Jeremy Livingston, April 22, 2020

As a trusted advisor to our member community, I'd like to weigh in on the Zoom controversy. I'm no apologist for security concerns (by a long shot), and would like to provide some perspective on Zoom's recent security challenges with a level-headed approach.

As many of our colleagues moved to remote work and remote learning for the first time, Zoom usage grew drastically. Naturally, more activity means more bad actors looking for vulnerabilities and other ways to exploit the app. One of the first such problems was "Zoom-bombing", where an uninvited person joins an open meeting and disrupts it with obscene gestures, sounds or shared content; permissive defaults (no meeting password, screen sharing open to every participant) made this easy. As quoted in PC Mag: "In a few instances of Zoom-bombing, according to a report from Inside Higher Education, students exploited a screen sharing feature that hadn't been locked by the instructor to put up pornographic and racist content for everyone on the call to see. It wasn't a technological weakness in Zoom that allowed these events to occur. It was a matter of the host not knowing all the features of the tool and how to use them."

This brought additional scrutiny to Zoom's privacy policy, in particular the sharing of device and usage data with Facebook through the Facebook SDK bundled in Zoom's iOS app. Zoom removed that SDK within days and has since clarified its data practices in a published response.

Additionally, there were concerns over the way Zoom used the term end-to-end encryption (E2E). I myself was misled in thinking that this included all video, and meant that no one at Zoom could access the meetings or see the content. It turns out that Zoom meetings were not end-to-end encrypted in the sense the term normally carries. Audio, video and screen content are encrypted in transit (TLS between the client and Zoom's servers, and AES for the media streams), but the meeting keys are generated and distributed by Zoom's servers, so Zoom itself could in principle decrypt meeting content; Zoom acknowledged this in its April 1, 2020 clarification. When every participant uses a Zoom client and the meeting is not recorded to the cloud, content is encrypted on the sending client and passes through Zoom's infrastructure without being decrypted, but because Zoom holds the keys this is transport encryption with Zoom as a trusted intermediary rather than E2E. The term fits better for Zoom's chat product, where an optional advanced encryption setting keeps the keys on users' devices. Dial-in phone participants and SIP/H.323 room systems cannot be covered by end-to-end encryption at all, because their audio must be decrypted at Zoom's gateway to be bridged into the virtual meeting.

In the meantime, the Department of Health and Human Services has relaxed its enforcement of HIPAA requirements for using Zoom (and other non-public-facing video tools) to treat patients and provide care during the public health emergency. That response, from the agency usually most exacting about HIPAA, is further evidence that for most uses the benefit of these tools outweighs the risk, provided meetings are kept private.

I’m glad to see the focus on security and scrutiny in the market causing changes for the better. Hopefully some of the other tools and competing products will make similar improvements in the coming months, following the lessons learned by Zoom and their rapid response.

Below, you’ll find some additional information and best practices for using Zoom effectively and securely.

Zoom Security 101

Quick Tips

Do not make meetings public: In Zoom, there are two ways to make a meeting private: require a meeting password, or use the Waiting Room feature and control the admittance of guests. Use both where you can.

Do not share Zoom conference links on public social media: Provide the link directly to specific invitees.

Manage screen-sharing options: In Zoom, change screen sharing to ‘Host-Only.’

Avoid using your Personal Meeting ID (PMI) to host public events. Your PMI is basically one continuous meeting, and you don’t want individuals crashing your personal virtual space after the meeting is over.

Security Controls for Setting Up Meetings

  • Avoid using your Personal Meeting ID (PMI) to host public events.
    • Your PMI is basically one continuous meeting, and you don't want individuals crashing your personal virtual space after the party's over. Zoom's video tutorial on meeting IDs shows how to generate a random meeting ID instead (at about the 0:27 mark).
  • Password Protect Your Meeting (This option can be set at the administrator level)
    • Embed password in the meeting link for one-click join. An encoded form of the meeting password is appended to the join link (the pwd parameter), so participants can join with one click without typing it. Treat such a link as you would the password itself: anyone who obtains the link can join, so never post it publicly.
    • Require password for participants joining by phone: A numeric password will be required for participants joining by phone if your meeting has a password. For the meeting with an alphanumeric password, a numeric version will be generated.
  • The Waiting Room Feature (This option can be set at the administrator level)
    • The Waiting Room Feature allows the host to control when a participant joins the meeting. As the meeting host, you can admit attendees one by one, or hold all attendees in the waiting room and admit them all at once. You can send all participants to the waiting room when they join, or only guests (participants who are not on your Zoom account or are not signed in).
      Participants who join a meeting with the Waiting Room enabled see a holding screen ("Please wait, the meeting host will let you in soon") followed by the meeting title (for a PMI, "<Your name>'s Personal Meeting Room"). You can also customize the waiting room screen with the Valley Strong logo, a title and a description.
    • Waiting Room video tutorial 
      • Options for waiting room
        ✔  All participants: All participants joining your meeting will be admitted to the waiting room.
        ✔  Guest participants only: Only participants who are not on your Zoom account or are not logged in will be admitted to the waiting room. If not logged in, they will have an option to log in.
        Note: If Guest participants only is enabled, you can also enable the option to allow internal participants (users on the account), to admit guests from the waiting room if the host is not in the meeting.
  • Disable private chat:
    • Zoom has an in-meeting chat for everyone, and participants can also message each other privately. Restricting participants' ability to chat amongst one another while your event is going on cuts back on distractions, and it prevents anyone from receiving unwanted messages during the meeting.
  • Manage your participants: (This option can be set at the administrator level, but it can be problematic because every invited guest must have a Zoom account)
    • Allow only signed-in users to join: If someone tries to join your event and isn't logged into Zoom with the email address they were invited through, they will be blocked from joining and prompted to sign in with an authorized account.
  • Recording your meetings:
    • Be sure to record and save your meetings only to a secure location. Recordings have recently been found online because they were saved to openly accessible file shares and cloud storage.
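The controls above can be checked rather than just remembered. The script below is an added example (it is not Zoom's code and not part of the original post) that audits meeting objects against this checklist: password set, Waiting Room on, join-before-host off, not using the PMI, and, as warnings, authenticated-users-only and a join link that embeds the password. The meeting shape it reads (top-level password and join_url, plus settings.waiting_room, settings.join_before_host, settings.meeting_authentication and settings.use_pmi) follows the meeting object returned by the Zoom REST API v2 (GET /meetings/{meetingId}); those field names are an assumption here and should be confirmed against the current API reference. The two sample meetings are constructed for the example.

```python
"""Audit Zoom meeting objects against the hardening checklist on this page.

Added example, not Zoom's own code or tooling. Field names follow the Zoom
REST API v2 meeting object as an assumption; confirm them against the
current API reference before relying on this. Sample meetings are constructed.
"""
from urllib.parse import parse_qs, urlparse


def _settings(meeting: dict) -> dict:
    return meeting.get("settings") or {}


def join_link_embeds_password(join_url: str) -> bool:
    """True when a Zoom join link carries the meeting password as ``pwd=``.

    Zoom's one-click join puts an encoded form of the password in the link,
    which turns the link into a bearer credential: whoever holds the link
    holds the password, so it must go only to the intended invitees.
    """
    if not join_url:
        return False
    query = parse_qs(urlparse(join_url).query)  # blank pwd= is dropped here
    return bool(query.get("pwd", [""])[0])


# control name -> predicate returning True when the control is satisfied
CONTROLS = {
    # "Password Protect Your Meeting"
    "password_set": lambda m: bool(m.get("password")),
    # "The Waiting Room Feature": the host decides who gets in
    "waiting_room_on": lambda m: _settings(m).get("waiting_room") is True,
    # an unattended meeting is exactly what a Zoom-bomber looks for
    "join_before_host_off": lambda m: _settings(m).get("join_before_host") is not True,
    # "Avoid using your Personal Meeting ID"
    "not_pmi": lambda m: _settings(m).get("use_pmi") is not True,
}

# Reported as warnings, not failures: signed-in-only join requires every
# guest to have a Zoom account, as the page notes.
OPTIONAL_CONTROLS = {
    "authenticated_users_only": lambda m: _settings(m).get("meeting_authentication") is True,
}


def audit_meeting(meeting: dict) -> dict:
    """Return {"failed": [...], "warnings": [...]} for one meeting object."""
    failed = [name for name, ok in CONTROLS.items() if not ok(meeting)]
    warnings = [name for name, ok in OPTIONAL_CONTROLS.items() if not ok(meeting)]
    if join_link_embeds_password(meeting.get("join_url", "")):
        # Not a misconfiguration, but the link itself must now be kept secret.
        warnings.append("join_url_embeds_password")
    return {"failed": failed, "warnings": warnings}


# --- constructed sample meetings (made-up IDs, password and pwd value) ------
WEAK_MEETING = {
    "id": 1234567890,
    "topic": "All-hands (link posted on social media)",
    "join_url": "https://zoom.us/j/1234567890",
    "settings": {"waiting_room": False, "join_before_host": True, "use_pmi": True},
}

HARDENED_MEETING = {
    "id": 9876543210,
    "topic": "Board meeting",
    "password": "k7Qz2p",
    "join_url": "https://zoom.us/j/9876543210?pwd=Y29uc3RydWN0ZWQ",
    "settings": {
        "waiting_room": True,
        "join_before_host": False,
        "meeting_authentication": True,
        "use_pmi": False,
    },
}


if __name__ == "__main__":
    for m in (WEAK_MEETING, HARDENED_MEETING):
        result = audit_meeting(m)
        status = "FAIL" if result["failed"] else "PASS"
        print(f'{status} {m["id"]} "{m["topic"]}": {result}')
```

Run against real data, the loop would iterate over the meetings returned by the API for each host instead of the two constructed samples; the predicates are the part worth keeping, since they encode the checklist as policy an administrator can re-run after every settings change.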

Post by:

JEREMY LIVINGSTON

Associate Vice President for Security Solutions Development and Chief Information Security Officer