Best practices for security and privacy enhancement in Zoom
Many organizations currently use Zoom's video conferencing software, but not without problems. Since the COVID-19 outbreak, Zoom has seen its number of users grow enormously: from 10 million to 200 million in March of this year alone. This growth drew extra attention from security researchers, who found a range of security and privacy issues in Zoom, which in turn prompted the FBI to publish several tips for working from home securely.
According to the FBI, the Corona crisis is encouraging attackers to abuse the virtual environments in which many organizations now operate. Space agency NASA has banned personnel from using Zoom, the city of New York has banned the use of Zoom in all its schools and the Taiwanese government recently banned the use of Zoom by government agencies, all for the same reason: concerns about the security and privacy of the software.
Among the security and privacy flaws reported, some are highlighted below:
Zoom bombing
This is the unwanted intrusion into a Zoom conference in order to cause a disturbance. A meeting can be intruded upon when its meeting ID (number) is known, leaked or guessed; a meeting without a password is open to anyone who has the ID.
Sharing of personal data
Not only is personal data available to company administrators; Zoom itself also collects all kinds of information about users: names, address details, e-mail address, telephone number, job title and employer. Even when users do not create a Zoom account, the company collects information about the user's device and IP address, and about the Facebook account when the user logs in via Facebook.
Windows password stealing and malware injection
Zoom bombers posting links in the Zoom chat were able to steal Windows login credentials or execute malware on a participant's computer once the link was clicked. Zoom claims this issue was resolved by the end of March.
Incorrect encryption claims
A Zoom representative recently stated in a blog post that “we want to start by apologizing for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption.” It turned out that Zoom uses the terms “end-to-end” and “endpoint” differently from the rest of the industry: meeting traffic is encrypted between each client and Zoom's servers, which hold the keys, rather than between the participants themselves.
6 recommended practices and settings for Zoom
Do all these reported security and privacy flaws mean that Zoom is unsafe to use? In most cases the answer is no. Zoom administrators and users do, however, need to be aware of the possible flaws and should review their Zoom configuration settings.
Below we provide 6 recommended practices and settings for Zoom to enhance security and privacy:
- Do not accept Zoom meeting invites from people you don’t know or meetings you do not expect. When in doubt, contact the sender of the invite to confirm authenticity of the request.
- Keep Meeting IDs private, do not share them on e.g. Social Media or company websites.
- Make sure that the setting “Require a password when scheduling a meeting” is switched on. This helps protect against Zoom bombing, since a known or guessed meeting ID alone is then no longer enough to join.
- Make sure that only the meeting host can share their screen.
- Use the “lock meeting” functionality to lock the meeting once all participants are present, so that nobody else can join.
- Enable the “Waiting Room” functionality so that only the meeting host can admit participants; this helps prevent unexpected or uninvited participants from entering the meeting.
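The three items in the list above that are actual Zoom settings (meeting password, host-only screen sharing, waiting room) can be checked per user or account instead of by clicking through the web portal. The script below is an added example, not code from the original post or from Zoom: it audits a settings document against that baseline and produces a corrected copy. The nested field names (`schedule_meeting.require_password_for_scheduling_new_meetings`, `in_meeting.screen_sharing`, `in_meeting.who_can_share_screen`, `in_meeting.waiting_room`) follow the layout of the Zoom REST API v2 user settings object as recalled by the author of this example and are an assumption to verify against the current API reference; the sample settings document is constructed for the example.

```python
"""Audit a Zoom settings document against the three baseline settings above.

The document mirrors the nested layout of the Zoom REST API v2 user settings
response (schedule_meeting / in_meeting sections). The field names used here
are an assumption (recollection of that API) and must be verified against the
current API reference before the script is pointed at real data.
"""
import copy
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str, Any, Any]  # (setting path, status, required, actual)

PASSWORD = "schedule_meeting.require_password_for_scheduling_new_meetings"
SHARING_ENABLED = "in_meeting.screen_sharing"
WHO_CAN_SHARE = "in_meeting.who_can_share_screen"
WAITING_ROOM = "in_meeting.waiting_room"


def _get(doc: Dict[str, Any], path: str) -> Tuple[Any, bool]:
    """Walk a dotted path and return (value, found).

    A missing key is reported as a finding rather than assumed to be safe:
    an absent setting usually means the platform default applies, and the
    defaults are exactly what this baseline is meant to override.
    """
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None, False
        cur = cur[part]
    return cur, True


def _check(doc: Dict[str, Any], path: str, required: Any, findings: List[Finding]) -> None:
    value, found = _get(doc, path)
    if not found:
        findings.append((path, "MISSING", required, None))
    elif value != required:
        findings.append((path, "FAIL", required, value))


def audit(settings: Dict[str, Any]) -> List[Finding]:
    """Return the baseline deviations in a settings document (empty list = compliant)."""
    findings: List[Finding] = []
    # Practice 3: every newly scheduled meeting requires a password.
    _check(settings, PASSWORD, True, findings)
    # Practice 4: if screen sharing is enabled (or its state is unknown), only
    # the host may share. Sharing that is switched off entirely needs no check.
    sharing, found = _get(settings, SHARING_ENABLED)
    if not found or sharing:
        _check(settings, WHO_CAN_SHARE, "host", findings)
    # Practice 6: waiting room on, so the host admits every participant.
    _check(settings, WAITING_ROOM, True, findings)
    return findings


def harden(settings: Dict[str, Any]) -> Dict[str, Any]:
    """Return a deep copy with the three baseline settings corrected.

    The keys written here are the ones a settings update (PATCH) would carry;
    everything else in the document is left untouched.
    """
    fixed = copy.deepcopy(settings)
    fixed.setdefault("schedule_meeting", {})["require_password_for_scheduling_new_meetings"] = True
    in_meeting = fixed.setdefault("in_meeting", {})
    in_meeting["who_can_share_screen"] = "host"
    in_meeting["waiting_room"] = True
    return fixed


# Constructed sample: a user whose settings still match the permissive defaults
# that made Zoom bombing easy (no password, anyone may share, no waiting room).
WEAK_SETTINGS: Dict[str, Any] = {
    "schedule_meeting": {
        "host_video": True,
        "require_password_for_scheduling_new_meetings": False,
    },
    "in_meeting": {
        "chat": True,
        "screen_sharing": True,
        "who_can_share_screen": "all",
        "waiting_room": False,
    },
}

if __name__ == "__main__":
    for path, status, required, actual in audit(WEAK_SETTINGS):
        print(f"{status:8} {path}: expected {required!r}, got {actual!r}")
    print("findings after hardening:", audit(harden(WEAK_SETTINGS)))
```

Run against the constructed sample the audit reports three findings; after `harden()` it reports none. In practice the document would come from the Zoom API for each user (or the account-level settings endpoint), and the audit would run on a schedule so that a user who switches the waiting room off again is caught.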
If you have any questions about using Zoom or protecting your privacy, feel free to contact the IT-security experts at Crowe Peak.