Why Is Cloud Security So Hard? (Hint: It’s Not)
Securing a new environment without knowing the rules of the road can be hard. Take the time to learn the rules and avoid speed bumps.
Update: Lots of changes have been made to Zoom since this article was first posted; I will be expanding the security recommendations section below.
I am getting a lot of questions from clients right now regarding the use of Zoom. It may be hard to filter the signal from the noise, so I put this together to help you. I don’t believe in FUD, and I’m concerned about security issues we can fix right now.
With the whole planet shifting towards working from home due to the COVID-19 pandemic, everyone is using a variety of technologies to facilitate remote work. One of the more popular providers is Zoom. It was wildly popular before the pandemic and has now exploded.
With the increased attention comes increased scrutiny. I won’t go into all the details of the Zoom issues, but they fall into two categories:
Some of the issues relate to the data that Zoom gathers from people, integrations with 3rd party software that automate the retrieval of data people already submitted, or software functionality that some find a little creepy. There are even issues with social media sharing.
This is the area I want to focus on because, more often than not, this is where real security issues arise from: the misconfigurations of our tools and software. A phenomenon known as Zoombombing, where random people join meetings and share disturbing content, stems from 2 main issues:
Many executives use their personal meeting ID for all meetings out of convenience. Security folks often complain about this and ask users not to do it, and instead to generate a unique meeting ID for each meeting. Combined with allowing Join Before Host, we now have a recipe for disaster, such as Zoombombing.
Oftentimes, a Personal Meeting ID (PMI) is a person’s firstname+lastname. So if a person is named Jane Doe, their personal meeting link would be “https://zoom.us/my/janedoe.” Any program or machine can easily enumerate this:
There is even an underground tracking personal meeting IDs that have been found:
By default, “Join Before Host” is disabled, so you should see this:
Oftentimes, this feature is enabled to allow participants to join the event if the host is running late.
Most people are not holding public Zoom meetings; most participants in a meeting are going to be co-workers. The threat surface expands with larger meetings such as All-Hands, Webinars, or Board Meetings.
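The two misconfigurations above (a static, guessable PMI link plus Join Before Host) and the larger-audience amplifier can be checked mechanically. The following is an added example, not code from the original post or from Zoom: it audits meeting records in an assumed export shape (the field names `join_url`, `join_before_host` and `expected_participants` and the `LARGE_MEETING` threshold are assumptions, and the sample records are constructed), flagging `/my/<name>` vanity links as static PMIs and escalating when both settings coincide.

```python
from urllib.parse import urlparse

# Constructed sample records in an assumed export shape (not a real Zoom API response).
SAMPLE_MEETINGS = [
    {"topic": "Weekly 1:1", "join_url": "https://zoom.us/my/janedoe",
     "join_before_host": True, "expected_participants": 2},
    {"topic": "All-Hands", "join_url": "https://zoom.us/my/janedoe",
     "join_before_host": True, "expected_participants": 400},
    {"topic": "Board Meeting", "join_url": "https://zoom.us/j/9876543210",
     "join_before_host": False, "expected_participants": 12},
]

LARGE_MEETING = 50  # assumed threshold for a "large" audience; tune per organisation


def uses_personal_meeting_id(join_url: str) -> bool:
    """A /my/<name> vanity link is the host's Personal Meeting ID, so it never changes."""
    path = urlparse(join_url).path.rstrip("/")
    return path.startswith("/my/")


def audit_meeting(meeting: dict) -> list:
    """Return (severity, finding) pairs for one meeting record."""
    findings = []
    pmi = uses_personal_meeting_id(meeting["join_url"])
    jbh = bool(meeting.get("join_before_host", False))
    large = meeting.get("expected_participants", 0) >= LARGE_MEETING
    if pmi:
        findings.append(("medium", "static Personal Meeting ID; use a unique ID per meeting"))
    if jbh:
        findings.append(("medium", "Join Before Host is enabled; disable it (the default)"))
    if pmi and jbh:
        # Together these are the Zoombombing recipe: a guessable room nobody is watching.
        findings.append(("high", "guessable PMI + Join Before Host: anyone can join unattended"))
    if large and findings:
        findings.append(("high", "large audience amplifies the findings above"))
    return findings


def audit_all(meetings: list) -> dict:
    """Map each meeting topic to its list of findings (empty list means clean)."""
    return {m["topic"]: audit_meeting(m) for m in meetings}


if __name__ == "__main__":
    for topic, findings in audit_all(SAMPLE_MEETINGS).items():
        print(topic, findings or "OK")
```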
Some people are looking to change their videoconferencing platform because of all of the above. From a security perspective, that would not be my recommendation, as everything needed to secure your Zoom setup is available. If privacy is a concern or you don’t want an app installed on your machine, then maybe Jitsi is what you’re looking for.
Here is what you should do:
If this article was helpful to you, consider subscribing to my weekly newsletter, where I share my latest commentary as a vCISO for high growth startups.
Check out how we help startups accelerate and level up their security programs through vCISO (CISO As A Service).