As the UK, and numerous other countries around the globe, turn to remote working in response to COVID-19, many businesses have been forced to quickly adjust their daily working practices. In particular, the usage of video conferencing has skyrocketed, with the popular service Zoom seeing more new users in the first two months of 2020 than the entirety of 2019.
However, despite becoming the people's choice for hosting everything from business meetings to dinner parties with friends, Zoom have also made headlines for less celebratory reasons as users have begun questioning the overall security of the service. In this article we will be discussing just how safe the video conferencing service really is, paying particular attention to concerns around zero-day exploits and 'Zoombombing', before sharing some guidance on how to best protect your data as a Zoom user.
The Security of Zoom
Zoom has had it's fair share of zero-day vulnerabilities emerging as of late - but don't be so quick to uninstall the service just yet.
For those unfamiliar with zero-day vulnerabilities here is a quick explanation; a zero-day vulnerability is a software security flaw that the software vendor is made aware of, but has not yet prepared a patch to put in place to prevent attacker intervention. So essentially, when using any software services, zero-day vulnerabilities will always be a risk to you as a customer - especially when the service is experiencing such a rapid growth of customers. The most important thing you can do for the protection of your data and devices is observing how these providers respond to such situations, and so far Zoom has proved to be fast and efficient with its fixes.
Take for example the two vulnerabilities Zoom experienced earlier this month - one of which could allow an attacker to take over an Apple Mac's microphone or camera, and one problem that could allow a hacker to steal Windows user logins - which were both fixed within a day of being reported online by a security researcher.
Zoombombing is a new emerging practice in which an uninvited attendee enters your online meeting, allowing them to access confidential business discussions and data, and in some cases even share inappropriate images and content with other attendees. This practice has been rapidly increasing in the last month, and not only due to the growing platform simply having a larger target on its back - it seems new customers with less experience in safely using the service have been sharing the links to their Zoom meetings across social media sites like Twitter without realising the risk this could introduce.
Mitigating this threat can be easily achieved with some slight adjustments to your settings, as explained in this article posted by Zoom. For convenience we have listed an overview of these key settings below:
- Disable 'Join Before Host'
- Disable 'Allow Removed Participants to Rejoin'
- Require a password that participants must enter before joining the meeting
- Disable 'File Transfer' to avoid viruses
- Change screen sharing to 'Host Only'
Best Practices for Data Protection
In addition to the threat-specific guidance above, we have put together the following best practices that Zoom users should implement in order to take advantage of all the benefits offered by the video conferencing platform without paying the price with their data.
Stay Updated on Vulnerabilities and Patches
As discussed above you can never be sure of when a zero-day vulnerability is going to emerge - hence the 'zero-day' - so it's vital that users stay up-to-date with any news relating to or released by Zoom, as well as ensuring all installed versions of the Zoom app is updated with any newly released patches.
Use Waiting Rooms
As the name suggests, Zoom includes an optional Waiting Room that acts as a virtual staging area where guests can wait for a meeting to commence. For larger public events it can be hard to follow all of the previously discussed guidance on avoiding Zoombombing, so Waiting Rooms can be a great option for screening the users who are trying to enter your event.
Waiting rooms can also be adjusted to display customised messages so that participants instantly know they are in the right place, which also offers hosts a great opportunity to display any necessary rules or guidance.
Store Recordings Locally
Zoom allows hosts to record meeting data, including video, audio and text, which can be an incredibly helpful tool for sharing content with users who could not attend the meeting, or even for internal training purposes, but recording any confidential business data can of course introduce some risks.
To mitigate these risks admins may wish to adjust their settings so that recordings are all stored locally, rather than the default cloud option, as this means Zoom will not hold on to this data for any period of time.
Use a Co-Host
Zoom allows hosts to share the hosting privileges with another user within the meeting for easier management. This can be a great asset to businesses hosting large pubic events as one host can focus on the content of the meeting - such as presenting information through their shared screen or reading from a script - while the other host focuses on managing the other participants, which may include monitoring for uninvited attendees or other suspicious behaviour. Making use of this feature will give businesses a much better chance of catching these threats early, mitigating the risk of leaked data.
Beware of Phishing Scams
As discussed in one of our previous blogs, many cyber criminals are now leveraging COVID-19 messaging in their phishing campaigns to manipulate targets into leaking data or transferring payments - and Zoom is a prime example of the types of businesses being used for these impersonations.
According to security researchers, the number of domains containing the word 'Zoom' increased dramatically throughout March this year, which is likely due to domain spoofing tactics to harvest users' login credentials.
With this in mind it is imperative that users are vigilant in carefully checking the sender details and content of any email messages that appear to be sent from Zoom.