Zoom jumped from 10 million meeting participants per day (December 2019) to over 200 million daily meeting participants (March 2020). This has led to an unprecedented amount of attention being pointed at Zoom, be it from general public use or from those looking to exploit potential chinks in Zoom’s platform. That attention quickly produced a couple of security incidents. One was “Zoom bombing”, where a private meeting link and/or password is shared and the meeting is mass-joined by people who were never meant to be in it; those joining would post obscene content intending to shut the meeting down. Another, a privacy issue, arose when it was found that cloud-based recordings of meetings remained accessible, even hours after a user had deleted them, and in some cases were unencrypted.
In response to these concerns, Zoom has been taking security improvement measures, including releasing updates that enable security features by default (features that once had to be turned on manually, like a meeting password) and offering training on using the platform safely. Other issues addressed were encryption types and server routing paths.
There has also been some criticism that Zoom isn’t truly “End to End” encrypted, which is technically correct: Zoom holds the keys that can decrypt a meeting’s transmission. However, Zoom has stated:
“Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes, nor do we have means to insert our employees or others into meetings without being reflected in the participant list.”
What Zoom is doing:
For bigger clients, Zoom is working on a way to install in-house servers running Zoom’s software, so that meetings can truly be “End to End” encrypted. At this point, for the most common uses of Zoom, the current security measures are adequate. It’s also notable that Zoom has come under fire for these issues; other platforms won’t have gone through the stress-testing and constant attacks that Zoom’s services have, which will make Zoom stronger in security in the long run. Just remember to follow common security practices, such as keeping everything up to date.
Zoom has compiled some “Best Practices for Securing your Zoom Meetings”.
Below is some of that information, compiled together with some additional tips and recommended settings.
- Turn on a waiting room, so you can filter out/admit individuals at your discretion.
- Don’t use your Personal Meeting ID when setting up a public meeting; generate a separate meeting ID for it instead. Your PMID is meant for personal contact or meetings with trusted individuals.
- Before a meeting, make sure a password is enabled. (Passwords are enabled by default now, but always double-check.)
- Try setting up a registered user list. This can be based on an email domain, or on a collection of pre-approved email addresses.
- In the meeting you can control screen sharing, annotations, and private chats. Consider looking over the list of settings in your Zoom profile and configuring them as you see fit.
- Consider adding a co-host, and auto-muting participants, to ensure both security and privacy.
Depending on your intended use of Zoom, you’ll want to review your “Advanced” settings for a few key toggleable features, such as annotations, screen sharing, file sharing, and more. Similar to the Principle of Least Privilege, consider a Principle of Least Features: only enable the tools/features you know you absolutely need, mitigating risk before it becomes a problem. You can enable the remaining settings later as needed.
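The checklist above and the “least features” principle can be turned into an automated audit of a meeting’s configuration. The following is an added example, not Zoom’s code and not part of the original post. It assumes the field names used in the request body of Zoom’s REST API “create meeting” endpoint as understood by the example’s author (`password`, `settings.use_pmi`, `settings.waiting_room`, `settings.join_before_host`, `settings.mute_upon_entry`, `settings.approval_type`, `settings.alternative_hosts`, `settings.auto_recording`); verify them against the current API reference before relying on them. The sample meeting payload is constructed for illustration.

```python
"""Audit a Zoom meeting configuration against a 'least features' baseline.

Added example, not Zoom's code. Field names are assumed to follow Zoom's
REST API create-meeting request body; check them against the current API
reference. The sample payload below is constructed.
"""
import copy


def _settings(meeting):
    """Return the nested settings object, tolerating its absence."""
    return meeting.get("settings") or {}


# Each entry: (finding reported when the check fails, predicate that is True
# when the configuration is acceptable). These mirror the checklist above.
BASELINE_CHECKS = [
    ("no meeting password set (password)",
     lambda m: bool(m.get("password"))),
    ("Personal Meeting ID reused for this meeting (settings.use_pmi)",
     lambda m: not _settings(m).get("use_pmi", False)),
    ("waiting room disabled (settings.waiting_room)",
     lambda m: _settings(m).get("waiting_room") is True),
    ("participants may join before the host (settings.join_before_host)",
     lambda m: _settings(m).get("join_before_host") is not True),
    ("participants not muted on entry (settings.mute_upon_entry)",
     lambda m: _settings(m).get("mute_upon_entry") is True),
    # approval_type: 0 = auto-approve, 1 = manual approval, 2 = no registration
    ("registration absent or auto-approved (settings.approval_type != 1)",
     lambda m: _settings(m).get("approval_type") == 1),
    ("no co-host configured (settings.alternative_hosts)",
     lambda m: bool(_settings(m).get("alternative_hosts"))),
    ("cloud recording enabled by default (settings.auto_recording)",
     lambda m: _settings(m).get("auto_recording", "none") != "cloud"),
]


def audit_meeting_settings(meeting):
    """Return the list of baseline findings for one meeting object."""
    return [finding for finding, ok in BASELINE_CHECKS if not ok(meeting)]


def harden_meeting_settings(meeting, password, co_hosts):
    """Return a copy of the meeting with the baseline applied.

    Features are turned off by default and only the ones the host needs
    (here: a password, waiting room, manual registration, named co-hosts)
    are switched on, per the 'least features' principle.
    """
    hardened = copy.deepcopy(meeting)
    hardened["password"] = password
    settings = hardened.setdefault("settings", {})
    settings.update({
        "use_pmi": False,
        "waiting_room": True,
        "join_before_host": False,
        "mute_upon_entry": True,
        "approval_type": 1,
        "alternative_hosts": ",".join(co_hosts),  # comma-separated emails
        "auto_recording": "none",
    })
    return hardened


# Constructed sample: a public meeting created with permissive settings.
WEAK_MEETING = {
    "topic": "All-hands (constructed sample)",
    "type": 2,  # scheduled meeting
    "settings": {
        "use_pmi": True,
        "waiting_room": False,
        "join_before_host": True,
        "mute_upon_entry": False,
        "approval_type": 2,
        "auto_recording": "cloud",
    },
}


if __name__ == "__main__":
    for finding in audit_meeting_settings(WEAK_MEETING):
        print("FINDING:", finding)
    fixed = harden_meeting_settings(
        WEAK_MEETING, "constructed-passcode", ["cohost@example.com"])
    print("after hardening:", audit_meeting_settings(fixed) or "no findings")
```

The predicates are written so that a missing key counts as a failure: an absent `waiting_room` key is reported just like an explicit `false`, which is the behaviour you want when auditing a payload that was never reviewed.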
Below are a couple of images of my recommended settings to review before a meeting. While it seems extensive, double-checking these settings can tailor your remote meeting experience into a positive and safe one. You can also disable most non-essential features by default, allowing only what you’ll need and changing them as needed.