Zoom has emerged as a poster child for video conferencing in our new work-from-home economy. As much of a cultural icon Zoom has become during the Covid-19 period, the company has faced some serious security issues.
Cybersecurity firm Cyble released a report in mid-April detailing that a credential stuffing campaign compromised some 500,000 Zoom accounts for sale on the dark web. As security professionals, it’s our job to educate our customers, the industry and the public-at-large on the potential cyber risks, as millions of people use Zoom or one of the other video conferencing platforms.
There will always be risks, but the benefits of video conferencing often outweigh the downside. Consider these best practices when working with Zoom or other tools for remote meetings:
- Create unique identities for each employee. Companies really need to think about deploying an identity access management (IAM) platform with single sign-on (SSO) for their employees and frequent business partners. IAM systems assign one digital identity to every individual so that user access to critical information are easily monitored and controlled. Security teams can track user activity, change privileges and user roles, develop reports for tasks and make sure users are complying with company guidelines. In the case of video conferencing, having an IAM in place will more easily let administrators spot intruders or odd behaviors ideally before they cause much disturbance to daily tasks.
- Make passwords a default requirement for all video conferencing meetings. This means requiring employees to add passwords to existing meetings, as well as making it the default for all future meetings. Additionally, meeting owners should change screenshare settings to “Host Only” to reduce risks that outsiders (or even insiders) take over the call. By setting “Host Only” the person who initiates the call maintains control so nobody can come in and take over the call or “Zoombomb” the whiteboard. And to reduce credential stuffing risks, it’s critical that organizations continue to educate employees on password best practices for user accounts, as well as for meetings.
- Operationalize updates and patches. Zoom has not nearly worked out all its security issues. In early spring, researchers discovered vulnerabilities in Zoom Windows and two flaws in the macOS app that were leaving users open to credential stuffing, eavesdropping and malware threats. The company acted swiftly to release patch updates, but not all organizations have operationalized application level patching. It’s important for organizations to understand that when a company releases these patches, it means there’s a known flaw that can leave their information open to exploitation. The software needs updating today, not six months or even six days from now.
- Take the Zoom 5.0 update seriously. In late April, Zoom stepped up and released new security updates, as well as the availability of Zoom 5.0, showing promising improvements. There are two reasons that this was significant. First, the move to the Galois/Counter Mode (GCM) generation of AES-256 Encryption addresses a significant improvement. From a consumer point of view, think of it as skipping two generations on a smartphone upgrade. The previous Electronic Code Book (ECB) generation of AES Encryption encrypts the same block of data the same way every time it’s encrypted. This effectively arms an attacker with capabilities to break down the encryption barrier. In addition to being semantically secure, GCM operates as a stream cipher, which means it’s well suited for video conferencing applications. Second, the ability to control traffic routing provides organizations with powerful control over their data. For example, an organization may have a blacklist prohibiting certain types of data from existing in certain countries. Now, with Zoom 5.0, they can apply that intent for all of their encrypted video conferencing data.
- Evaluate and update the company’s security for its network footprint. There are many reasons companies need to take a look at their new infrastructure footprint while more people work from home. For starters, with most of the staff working from home, companies no longer have a large and homogeneous “headquarters” network to protect; now they have hundreds or thousands of highly disparate, shared and mixed-use “home networks” to protect. In terms of infrastructure, a security stack that includes behavioral analytics, data loss prevention and IAM represents a strong start to better protect company information across these diverse home networks. Once the endpoint and security stacks are properly deployed, companies also need to focus on the orchestration of the overall InfoSec operations in terms of a SOC function (ideally 24x7), and report out on the InfoSec function to executives.
While credential stuffing, Zoombombing and eavesdropping are all prevalent risks, these risks are generally not unique to Zoom. That’s why relying on a specific platform to deliver security doesn’t make sense. Instead of switching from one video conferencing service to another, companies should educate themselves on the technical features and potential vulnerabilities associated with each system to better accommodate the platforms with which they are already comfortable. Companies must also educate their end users on security best practices when working remotely because these individuals will always be the last line of defense.
Grant McCormick, CIO, Exabeam
