As the COVID-19 pandemic continues to compel people to work from home, countless companies are now holding daily meetings using web, audio, and video conferencing services from a variety of well-known providers. Though not the sole focus of our attention here, one that has received a significant amount of press is Zoom.
Zoom’s meteoric rise in just five weeks from a 10-million-a-day average user base in December 2019 to more than 200 million daily users during the first week of April 2020, has been met with countless reports of meetings being “Zoom-bombed” — attended or disrupted by someone who doesn’t belong. Honestly, uninvited attendees have been a web conference problem since their inception. According to data gathered by a new automated Zoom meeting discovery tool dubbed “zWarDial,” a large number of meetings at major corporations are not being protected by a password. More on that issue later. Now, these terms are applied to just one platform, but conceptually apply to all conference tools, so Zoom is not alone.
In an April 8, 2020, article from Bleeping Computer, Sergiu Gatlan wrote, “Zoom's CEO Eric S. Yuan announced today that the company has formed a CISO Council and an Advisory Board to collaborate and share ideas on how to address the videoconferencing platform's current security and privacy issues.”
Alex Stamos, former Chief Security Officer of Facebook and Adjunct Professor at Stanford’s Freeman-Spogli Institute, has also joined Zoom as an outside advisor starting this month “to assist with the comprehensive security review of [its] platform.”
Beyond the scrutiny, Zoom should be applauded for their transparency about their platform’s issues. They are large enough now to be a target, and they know it. Some of Zoom’s issues have been misunderstood or misinterpreted. However, they are not alone, as other web collaboration platforms such as Cisco Webex and Microsoft Skype for Business (in transition to Microsoft Teams) have been targets for espionage and business interruption attacks for years.
Zoom’s reaction to the marketplace is a good example to others on how to handle a business crisis in the public domain. In that light, we’ve decided to put together our CISO’s perspective of ten steps we recommend to the executive leadership teams or Board of Directors of conferencing companies to take up as their mantle for instilling confidence and appropriate protection to the tools they purvey to the marketplace.
Here we go:
Step 1: Commit that you will not sell session data in individual or aggregate form to data brokers like Facebook ever. The “court of public opinion” is often far more unrelenting than a court of law, so do not leave this unaddressed and open to conjecture. Make sure customers know they are the most valued entity to your business, not part of its product.
Step 2: Ensure your Terms of Service (TOS) and Privacy Policy are written from the perspective of the most vulnerable user with the greatest amount of data at-risk. This will avoid many of the lapses we’ve seen conferencing providers fall prey to by establishing security and privacy principles in their handling of customer information.
Step 3: Make every questionable “feature” be Opt-In only (turned off by default). Follow a concept of “deny all except that expressly permitted.” It will keep your users in good stead.
Step 4: If you are a US-based company, vow that you will save zero data on servers in foreign countries, such as China. There is no excuse for doing so, except for financial reasons, and those reasons resonate poorly in today’s security and privacy intensive climate, exacerbated by the global health crisis.
Step 5: Encryption will be always on, and impossible to turn off. It will be end-to-end and the strongest encryption available (AES-256). Then ensure that no part of a meeting can ever be snooped upon by your own employees, or anyone else.
Step 6: Modify meeting IDs to 14 digits making them almost impossible to algorithmically “guess” prior to a meeting, short of having a quantum computer.
Step 7: Give the host “all control” by default. They need to conspicuously give control to others (and only those already on the call), if they want to relinquish any meeting capabilities.
Step 8: Temporarily, give the host or scheduler the ability to set the conference phone access to dial-in, not IP. Most hackers do not like making phone calls, or even have anything more than a cell phone. They may choose to leave when they see that requirement. In this case, that is a desirable action.
Step 9: Evidence situational awareness and that you have a negotiable feel for real people by never doing something like allowing anyone to see private chats of call participants or placing meeting IDs in the toolbar of the meeting for all to see. Make those chats secure from view and evanescent, so they disappear as soon as the meeting concludes.
Step 10: Ensure your development team is trained in secure coding techniques and undertake a comprehensive review of your technical change control process, ensuring a senior cybersecurity professional reviews every change before promotion. It will slow changes down a little, and frankly, that can be a good thing.
Let’s remember, any tool can have vulnerabilities and exposures, and though we have mentioned Zoom in this blog, we did so because it has become extremely popular during the pandemic. Use these tools wisely, with security and privacy functions set properly before you use them, and base those options on your tolerance of risk, not just convenience. We sincerely hope that any provider of such tools—Zoom included—listens intently to its own Chief Information Security Officers, Chief Risk Officers, Data Protection Officers, or Advisory committees.
So the next question is: Now that we’ve laid out what web conferencing companies can provide in regards to duty of care, how can you make sure your environment is safe? That is something that is truly within the control of the users of any web conferencing service.
The following are a few considerations when engaging in online web, audio, and video conferencing sessions:
- Meeting Passwords are very important. Many times, meeting invites are sent out with no password required, and the uninvited can intrude into your meeting, with or without your knowledge. Use passwords on every meeting you initiate, and ask others to do the same.
- As more vulnerabilities become evident on software, ensure that your web/audio/video conferencing software is up to date. Many providers are good at sending out updates frequently, often with security improvements in them.
- Ensure your received meeting invites are from a trusted source. Many compromises occur when a link has an embedded malware in the URL. Ensure the meeting requests are for legitimate sessions and not specious in nature.
- Ensure you leverage the capabilities the vendor provides you, configuring security settings to be as stringent as possible. Only use settings and features that are needed for that meeting, and turn off unnecessary services.
- Verify your attendees. Many times, a number or multiple numbers will pop up without a name or description. Ensure all participants are invited and dismiss those that are unknown to your client, partner, or yourself.
We hope all providers consider our recommendations, which have been created from the perspective of those with significant security and privacy expertise.
We wish you all good collaboration, safety, and wellness during and after the pandemic.
ConvergeOne’s National Cybersecurity Practice is here to help. If you have questions, please reach out to security@convergeone.com. We will respond to you privately.
WITH CONVERGEONE, NOW YOU CAN EMBRACE SECURE COLLABORATION
Special offers are now available to help you develop your remote worker and mobility strategy!
At ConvergeOne, we don’t shy away from tough challenges. We are prepared to serve as your trusted advisor in ways we may not have before. This includes free solutions that quickly enable you and your teams to stay connected from wherever you are.
Topics: Unified Communications, Cyber Security, Video, COVID-19
