So, you’ve decided to use Zoom for your online conference call…
One of the biggest “winners” of the Covid-19 pandemic is US-based company Zoom, which saw a sharp increase in both clients and share price.
However, with these two also came considerable public interest and scrutiny, leading to the discovery of serious security and privacy concerns.
First among these was the rise of “Zoom Bombing”, where attackers join random conversations and take them over. As Zoom invite codes consist of 10 digits, anyone can run a tool that tries to join random links until it finds a valid one. Once inside, the attacker takes advantage of Zoom’s soft default security settings and completely takes over the conversation, both visually and audibly.
Moreover, Zoom has come under fire from privacy advocates, as it recently turned out that its claims of End-to-End encryption were in fact a lie. While Zoom does indeed use Transport Layer encryption, it is not, in fact, End-to-End, meaning that Zoom itself is privy to all of your conversations, if it so chooses.
And finally, a lawsuit has been filed against the company, claiming that certain pieces of personal information of clients and participants were gathered by Zoom and then sold to 3rd party companies.
The public backlash on all of these has been so great that Zoom had to issue emergency fixes and even a public apology.
Even so, its ease of use and aggressive marketing still make Zoom the popular choice.
Some security vendors and privacy groups are calling to abandon Zoom altogether, but a pragmatic approach has to be taken into consideration.
Companies are still going to use Zoom, and it’s our responsibility as defenders to help them use it in as secure a manner as possible.
And with that, here are CyberBlazer’s tips for using Zoom securely:
1. Update, upgrade, patch
This is a general recommendation, which is always true, regardless of the current situation. Update your Zoom client to its latest version and encourage other participants to do so as well. On top of new features and abilities, software updates also include security fixes and upgrades.
During early April, Zoom fixed several issues and has publicly promised to pay special attention to security in future releases.
2. Use password-protected meetings
As we said before, a Zoom meeting number consists of 10 digits, which makes Zoom Bombing easy. However, you can make it harder if you password-protect your meetings.
When creating a Zoom meeting, you have the option of making it password-protected.
After doing so, your generated invite link will now include the password in it. This action makes your meetings less prone to hijacking, while keeping it simple and easy for invited attendees to join. Of course, this is less effective if you publish the link on social media, so try and avoid that.
3. Change Default Meeting Settings
Zoom’s default settings are optimized for maximum collaboration, which unfortunately translates to minimum security.
As the meeting’s host, it’s your responsibility to calibrate them for a better balance.
- Don’t allow guests to join before the host.
This way you make sure nobody hijacks the session before you have a chance to mute them, or even kick them out.
- Moreover, use a waiting room.
This feature not only allows you to present a nice waiting screen, logo and tagline, it also allows you to screen participants before “officially” starting the meeting.
- Mute participants upon entry.
Make sure nobody can come in blazing, either intentionally or by mistake.
4. Ask yourself – Is this a meeting or a webinar?
If you’re hosting a meeting where all participants are expected to be active, then a regular Zoom meeting is a valid choice.
However, if you and only you are supposed to actively present, you’re actually hosting a webinar.
Zoom does indeed have a paid Webinar option, giving you more control, but you absolutely have options with a regular account.
One thing you can do is to set the meeting to mute all participants, and not allow them to unmute themselves. This way, you’re the only one in control.
On top of that, make sure that only the host (i.e. you) is allowed to share their screen.
Et voila, you’re now running a webinar.
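For teams that schedule many meetings, tips 2 to 4 can be checked automatically before invites go out. The script below is an added example, not something from Zoom or part of the original post; the setting names and both sample dictionaries are hypothetical and constructed for illustration.

```python
# Added example. The setting names are hypothetical labels for this sketch,
# not Zoom's own API or export schema; map them to whatever your tooling emits.
from dataclasses import dataclass
from typing import Any

@dataclass(frozen=True)
class Rule:
    key: str
    safe: Any
    tip: str
    webinar_only: bool = False

RULES = [
    Rule("password_required", True, "tip 2: password-protect the meeting"),
    Rule("join_before_host", False, "tip 3: no joining before the host"),
    Rule("waiting_room", True, "tip 3: use a waiting room"),
    Rule("mute_on_entry", True, "tip 3: mute participants upon entry"),
    Rule("allow_self_unmute", False, "tip 4: participants cannot unmute", True),
    Rule("screen_share", "host", "tip 4: only the host shares a screen", True),
]

def audit(settings: dict, webinar_style: bool = False) -> list[str]:
    """Return one finding per setting that deviates from the tips above."""
    findings = []
    for rule in RULES:
        if rule.webinar_only and not webinar_style:
            continue
        if rule.key not in settings:
            # An unset option falls back to the product default, which the
            # article describes as tuned for collaboration, so flag it.
            findings.append(f"{rule.key}: not set ({rule.tip})")
        elif settings[rule.key] != rule.safe:
            findings.append(
                f"{rule.key}={settings[rule.key]!r}, want {rule.safe!r} ({rule.tip})")
    return findings

# Constructed sample inputs, not real exports.
PERMISSIVE = {"join_before_host": True, "waiting_room": False,
              "mute_on_entry": False, "screen_share": "all"}
HARDENED = {"password_required": True, "join_before_host": False,
            "waiting_room": True, "mute_on_entry": True,
            "allow_self_unmute": False, "screen_share": "host"}

if __name__ == "__main__":
    for line in audit(PERMISSIVE, webinar_style=True):
        print("FINDING", line)
```

Pass `webinar_style=True` only for sessions where a single presenter is expected, so ordinary collaborative meetings are not flagged for allowing participants to unmute or share.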
To summarize, no solution is perfect, and Zoom has definitely had its share of security failings. That said, Zoom is still a valid and (very) popular web conferencing tool, and if you do decide to use it, please take steps to ensure your (and your guests’) safety.