Recommended Zoom Security Controls
17 April 2020
The popular videoconferencing service Zoom has recently come under scrutiny for security issues identified within its software, such as ‘Zoombombing’ and the dreaded ‘0-day’ vulnerabilities. For organisations that are looking to integrate, or have already integrated, Zoom into their routine activities, below are several key points worth keeping in mind to enable a safer and more secure experience.
Protect against ‘Zoombombing’ and other malicious activities
Password protect a meeting to ensure only intended participants can join. Remember, meeting IDs are easy to guess so a password should be considered for sensitive meetings.
Zoom by default “embeds” the password into the meeting URL when it is generated, for convenience. If an outsider gains access to your Zoom meeting URL, they may therefore bypass the password prompt entirely. Outsiders randomly guessing your Zoom Meeting ID would still be required to enter a password. The compensating controls are the security features outlined below (e.g. waiting rooms and meeting lock).
Enforce passwords for participants dialling in by phone. These users are often hard to verify, as their usernames are not shown when they join, only their phone number.
Disable ‘join before host’ setting.
Create waiting rooms for participants to control when they join the meeting. Consider implementing this for ‘All participants’.
‘Lock’ the meeting once all participants have joined and the meeting is ready to go.
Consider restricting screen-sharing to the host only to prevent unwanted information being shared from participants.
If meeting recordings are used, password protect your Zoom Cloud Recordings (a paid feature) so that they are available only to authorised people.
Enable the ability to remove participants. Someone may accidentally or intentionally join your meeting who you haven’t allowed. Ensure you have the ability to remove them immediately.
Educate users on ‘Screen-sharing a single application’ – this restricts sharing to the intended application only (e.g. a single PowerPoint document). This is to prevent any unintentional sensitive information being shown.
Zoom user management
Responsibilities of Zoom admin users
Follow the correct user access controls for Zoom, just like any other IT system. Maintain the correct user provisioning and de-provisioning, periodically reviewing user accounts and ensuring the level of access is still required.
Do not allow sign-ins using Facebook or Google. This prevents a user’s breached Facebook or Google account from also compromising the user’s organisational Zoom account.
Storing and sharing documents
When meeting minutes are stored and shared
Consider using Microsoft SharePoint to store and share documents. You have the ability to add external organisations/users to the SharePoint site so they may have access to stored meeting minutes. Microsoft’s standard security settings would also apply to the SharePoint site.
Similar to user management, you will need to make sure standard IT access controls apply to the SharePoint site.
Also consider implementing MFA for users being granted access to the SharePoint site.
Managing Zoom vulnerabilities
Regularly update Zoom
Encourage all participants to update to the latest version of Zoom. Consistently installing the latest releases will help protect users from known vulnerabilities. This is especially important now, while hackers are targeting Zoom and exposing more vulnerabilities.
Assign a responsible stakeholder (e.g. IT admin) for communicating security updates
To help users know when to update Zoom, a stakeholder should be designated to communicate to users when urgent critical patches are made available.
Be aware of phishing Zoom links
Only download the Zoom client directly from the legitimate Zoom.us site. Educate users to be wary of links which look suspicious or purport to be from the ‘legitimate’ Zoom company.
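Two of the points above, the embedded meeting password in invite URLs and lookalike Zoom links, can be checked mechanically. The following Python script is an added example, not part of the original article or Zoom’s own tooling; it assumes the passcode travels in a query parameter named pwd (the page does not name it) and treats zoom.us and its subdomains as the only legitimate hosts.

```python
from urllib.parse import urlsplit, parse_qs

# Hosts treated as legitimate (assumption: the page only says "the legitimate
# Zoom.us site"; tenant vanity subdomains such as example.zoom.us are accepted).
LEGIT_ZOOM_SUFFIXES = ("zoom.us",)

# Query parameter that carries the embedded meeting passcode
# (assumption: the parameter name is not given on the page).
EMBEDDED_PASSWORD_PARAM = "pwd"


def host_is_zoom(url: str) -> bool:
    """True only for https links whose host is zoom.us or a subdomain of it.

    urlsplit().hostname discards userinfo and port, so lookalikes such as
    https://zoom.us@evil.example/ or https://zoom.us.evil.example/ are rejected.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in LEGIT_ZOOM_SUFFIXES)


def has_embedded_password(url: str) -> bool:
    """True if the invite link carries the meeting passcode in its query string."""
    return bool(parse_qs(urlsplit(url).query).get(EMBEDDED_PASSWORD_PARAM))


def strip_embedded_password(url: str) -> str:
    """Return the link without the passcode parameter, so the passcode can be
    sent through a separate channel instead of travelling inside the URL."""
    parts = urlsplit(url)
    kept = [kv for kv in parts.query.split("&")
            if kv and not kv.startswith(EMBEDDED_PASSWORD_PARAM + "=")]
    return parts._replace(query="&".join(kept)).geturl()


def assess_link(url: str) -> dict:
    """Summarise both checks for a single link."""
    return {"legit_host": host_is_zoom(url),
            "embedded_password": has_embedded_password(url)}


# Constructed sample links (no real meetings or passcodes).
SAMPLES = [
    "https://zoom.us/j/1234567890?pwd=abc123",
    "https://example.zoom.us/j/1234567890",
    "https://zoom.us.evil.example/j/1234567890",
    "https://zoom.us@evil.example/j/1234567890",
    "http://zoom.us/download",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, assess_link(sample), strip_embedded_password(sample))
```

Links that fail host_is_zoom should not be clicked or used for downloads; links that pass has_embedded_password should be re-shared via strip_embedded_password with the passcode sent separately.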
Implement MFA (e.g. with Google Authenticator)
2FA can be enabled on the Zoom Web Portal; it requires a generated code from an MFA mobile app. Note that 2FA does not apply to the Zoom Desktop Client or Mobile App.
Consider and prepare an alternative solution to Zoom when risk becomes too high
In the course of using Zoom, should your organisation deem the security risk of using Zoom too great based on current news, consider what alternative you may use in place of Zoom (e.g. Microsoft Teams).
If your organisation is considering implementing Zoom and would like a security risk assessment conducted, please get in touch with McGrathNicol Advisory’s Technology Experts.
Full list of security features: https://zoom.us/security
Instructions and recommendations for zoom security settings: https://itconnect.uw.edu/connect/phones/