Zoom, depending on what you read, has gone from a reported 10 million users to over 350 million worldwide in a matter of weeks. It’s little surprise that it has had its share of issues and vulnerabilities. This article discussed video conference security and how you can protect yourself and your business.
Some 600,000 downloads and accounts created took place just last weekend.
From public outings in the press around disclosure of personal details to 500,000 zoom accounts being listed for sale on the Dark Web
We have put this short blog together to help businesses make the informed decisions around using Zoom, in general video conference security, and making sure that the meetings you do have are secured to the best ability.
We have seen reports on the dark web, as well as accounts being sold, of just 30 accounts being up for us, all tested and valid, and comments in the threads talking about how the meetings will be trolled and recorded for Dark Web consumption.
Protect Your Video Conference
- Firstly secure your meetings with a password, with no exceptions. Having a password means that it is difficult for someone not supposed to be in your meeting to get access.
- Never use the personal meeting ID to start meetings, always use the random generator. If someone has your personal ID and you actively use it, it means those with the details can jump on the meeting at any time.
- Where you can, never reuse meeting IDs. A lot of recurring meetings take place in Business, where you can, regularly change these meeting IDs out.
- Use the waiting room feature and admit people as you go along, that way you know who is in your room. It allows you to admit those only who are supposed to be there. It gives the meeting host the ability to control who joins your meeting. So even if someone who wasn’t supposed to participate has your meeting password, they cant get access. Also, it allows you to remove an unwanted attendee out of the meeting before it starts. We highly recommend leaving this box ticked.
- Once all participants are in the room, lock the room to prevent any further access to the room. This helps with Security, and prevents anyone dialling in over the phone also to just jump in.
- Utilise Multi-Factor Authentication on your account, and advise others to do the same. Secure your account effectively. It utilises two of the most popular MFA generators out there, Google & Microsoft.
- Always download the apps from the related App stores. Always go to Zoom.US to download your clients, or directly from your phone vendors appropriate application store, There are valid installers out there waiting to be downloaded from third party sites, but have malware loaded ready to go. Zoom will work fine, your machine could be infected.
- Never share links outside of the invitees. Keep meetings as closed as you can and just share with the attendees you are expecting.
- Never share information on public forums such as Social Media. People see a link, its human nature to click it and see what your meeting is all about.
- Never add links to the comments if you are using it inside of the business and sharing local paths such as network drives
- It is perfectly possible to increase elements of security such as preventing screen sharing. Screen sharing restrictions to be in place to prevent others sharing screens that no one wants to see.
- If you are using this with colleagues, and sharing links to a network drive. Keep these out of the chat window. There have been cases where usernames and passwords have been obtained by a third party as when you click access, hashed credentials can be passed in the path which can be harvested
- Where you can, sign up using your business email address. There have been reported cases where domains like gmail.com or hotmail.co.uk have been treated as the same company and information is shared.
- Always use the latest client when it comes to video conference security. At the time of writing Zoom have just patched an issue where, in certain conditions on LinkedIn, it publicly shared information from Sales Navigator with all some attendees, even though they weren’t connected. A privacy issue. Zoom regularly now patch fixes its client as it goes along, and after this privacy issue was publicly outed, they have introduced a 90 day moratorium on new features and releases in the attempt to not introduce any issues.
- Don’t forget about the Web version of Zoom. It is just as functional except doesn’t have the security issues and vulnerabilities that we have talked about above.
- Think about what people in the Zoom, other varieties are available, conference can see or hear.
- Be aware that under certain conditions, the full end to end encryption doesn’t necessarily mean just that. For example using a phone to dial in to a meeting can render the meeting accessible through not being encrypted.