Best Practices to Secure Zoom

Preface

Amidst the COVID-19, when the companies have resorted to virtual meetings as a new normal to keep the businesses moving, the schools and colleges have likewise turned to virtual classes, this surge has resulted in 200 Million connections to Zoom every day in the month of March 2020, while in the same month last year, the engagement stood at an average of 10 Million connections per day. This colossal increase of adoptions has made Zoom a sweet spot for the hackers.

Zoom has come under fire in recent days due to security issues with the platform. A zero-day vulnerability has recently been disclosed, and numerous users have noted that Zoom bombers are joining open meetings and sharing undesirable content. Zoom has also been found to overshare data with Facebook via their iOS app, a problem now fixed. Bleeping Computer recently reported about a newly found vulnerability in Zoom that allows an attacker to steal Windows login credentials from other users.

Ministry of Home Affairs, Govt. of India has issued an advisory in this context on 16 April 2020 and we solicit you to have a look into the suggested measures.

However, be informed that most of the weaknesses that a cyber-criminal exploit in Zoom are not software features but bad user practice. Here are the common bad user habits that the meeting host should be aware of. We are providing few summarized tips & tricks. Almost all these are available either under Profile or Settings option on the landing screen once you login to zoom.

Tips & Tricks

  1. Hosts should not use personal meeting ID as default for scheduled and instant meetings.
  2. Use personal meeting room selectively.
  3. Change your personal meeting room ID.
  4. Enable waiting Room, new Meeting ID and password every time
  5. Disable join before host
  6. “Require password when joining by phone” option should be enabled
  7. May Kick out unwanted users by “Remove” option from Manage Participants options
  8. Disable “Allow removed participants to re-join”
  9. Lock the meeting, once all attendees have joined
  10. Restrict the recording feature other than host
  11. Mute attendees on joining as host
  12. Restrict/disable file transfer option, default screen sharing/content sharing, video, Annotations for the participants
  13. Enable Virtual background from Zoom Preferences Settings
  14. Do not allow participants to rename themselves once joined a meeting
  15. If you are the host, end the meeting instead of leaving. Log out from everywhere – the app, the site, wherever you have logged in.
  16. Do not allow users to see each other and contact each other privately.
  17. Don’t use Zoom chats for private messages as attendee and Don’t click on links on the chat box
  18. Attendees should not share personally identifiable information with anyone, whether private or publicly in public forum like Zoom where the same may get recorded
  19. Attendees should Turn off video and mute themselves unless needed
  20. Make sure to update the latest security patches for the Zoom that are installed on the host and attendees’ client app devices.
  21. Don’t share your Zoom meeting link in public places like social media or other public forums.
  22. To avoid stealing local windows credential may Restrict Outgoing NTLM traffic by disabling in your windows setting
  23. Follow standard best practices in Work from Home (WFH) Guidelines as drafted recently by our team.

Conclusion

Safety and Security depends not on the software/platforms, rather on best practices. Hence even if you avoid using Zoom and shift to other platforms, the chances of exploitation will not get minimized unless you are aware and proactive on cyber security measures. In case you are falling short of internal expertise, may always consult experts in the domain to adopt best practices.

For any additional queries or cyber-security concerns, you may reach out to Team at info@primeinfoserv.com

Tags: