Amidst the COVID-19, when the companies have resorted to virtual meetings as a new normal to keep the businesses moving, the schools and colleges have likewise turned to virtual classes, this surge has resulted in 200 Million connections to Zoom every day in the month of March 2020, while in the same month last year, the engagement stood at an average of 10 Million connections per day. This colossal increase of adoptions has made Zoom a sweet spot for the hackers.
Zoom has come under fire in recent days due to security issues with the platform. A zero-day vulnerability has recently been disclosed, and numerous users have noted that Zoom bombers are joining open meetings and sharing undesirable content. Zoom has also been found to overshare data with Facebook via their iOS app, a problem now fixed. Bleeping Computer recently reported about a newly found vulnerability in Zoom that allows an attacker to steal Windows login credentials from other users.
Ministry of Home Affairs, Govt. of India has issued an advisory in this context on 16 April 2020 and we solicit you to have a look into the suggested measures.
However, be informed that most of the weaknesses that a cyber-criminal exploit in Zoom are not software features but bad user practice. Here are the common bad user habits that the meeting host should be aware of. We are providing few summarized tips & tricks. Almost all these are available either under Profile or Settings option on the landing screen once you login to zoom.
Tips & Tricks
- Hosts should not use personal meeting ID as default for scheduled and instant meetings.
- Use personal meeting room selectively.
- Change your personal meeting room ID.
- Enable waiting Room, new Meeting ID and password every time
- Disable join before host
- “Require password when joining by phone” option should be enabled
- May Kick out unwanted users by “Remove” option from Manage Participants options
- Disable “Allow removed participants to re-join”
- Lock the meeting, once all attendees have joined
- Restrict the recording feature other than host
- Mute attendees on joining as host
- Restrict/disable file transfer option, default screen sharing/content sharing, video, Annotations for the participants
- Enable Virtual background from Zoom Preferences Settings
- Do not allow participants to rename themselves once joined a meeting
- If you are the host, end the meeting instead of leaving. Log out from everywhere – the app, the site, wherever you have logged in.
- Do not allow users to see each other and contact each other privately.
- Don’t use Zoom chats for private messages as attendee and Don’t click on links on the chat box
- Attendees should not share personally identifiable information with anyone, whether private or publicly in public forum like Zoom where the same may get recorded
- Attendees should Turn off video and mute themselves unless needed
- Make sure to update the latest security patches for the Zoom that are installed on the host and attendees’ client app devices.
- Don’t share your Zoom meeting link in public places like social media or other public forums.
- To avoid stealing local windows credential may Restrict Outgoing NTLM traffic by disabling in your windows setting
- Follow standard best practices in Work from Home (WFH) Guidelines as drafted recently by our team.
Safety and Security depends not on the software/platforms, rather on best practices. Hence even if you avoid using Zoom and shift to other platforms, the chances of exploitation will not get minimized unless you are aware and proactive on cyber security measures. In case you are falling short of internal expertise, may always consult experts in the domain to adopt best practices.
For any additional queries or cyber-security concerns, you may reach out to Team at email@example.com
Categorised in: Cyber Security
This post was written by Sushobhan Mukherjee