With the transition to remote work in the face of the COVID-19 pandemic, many organizations and schools are transitioning to using Zoom for online collaboration and learning. This has seen the online conferencing service get hit with multiple cyberattacks, and there are now over 500,000 leaked Zoom accounts available for sale on the dark web.
We have received some questions from our clients on these security concerns, and whether Zoom is safe to use. This blog is in response to those concerns and some of the measures that users can take to stay safe, should they choose to use it.
Why Zoom?
Zoom’s focus has been usability and reliability – easy to use and works great on any device with a range of bandwidth. Zoom has had to handle a 20x increase in use over a matter of weeks and have largely been successful in managing the increased usage.
However, as use in organizations has skyrocketed, vulnerabilities and concerns have been identified. With the popularity of Zoom, it has also presented a huge attack opportunity for cybercriminals.
Initial areas of concern
- Zoom-bombing:
Zoom-bombing is when an intruder infiltrates and disrupts a video conference call. Not only could intruders share inappropriate content, they could also simply just quietly listen into or watch what’s happening in the meeting and steal specific data to enhance social engineering and e-impersonation campaigns. Various changes have been made by Zoom to address Zoom-bombing including defaulting to users being put in the waiting room where a host must allow them access. Advice has also been issued on ensuring that a password is used for all meetings and that the meeting URL is only provided to invited users. - General:
Vulnerabilities have been identified, but recently, Zoom has been fairly quick to fix them. If installed, Zoom should be set to auto update, so all new fixes are applied as soon as available. Meeting links are generalized and reused so once someone has the link, they can always access in future. - Encryption:
Currently, Zoom is using their own encryption, which is generally not recommended due to the highly complicated nature of encryption. Zoom does not use end-to-end encryption, so there is a potential that their current communication stream could be compromised. Zoom indicates that they are working on improvements. - Privacy:
Ensure that the Zoom privacy policy is reviewed, understood, and determined acceptable for your organization. For free accounts, personal information will certainly be monetized. For paid accounts, organizations should understand what information is collected and how it is secured.
In Conclusion
If you choose to use Zoom, it is important to keep in mind the security of your data and users. Practice cybersecurity discipline and use the following tips to stay safe:
- Use with caution and an understanding of the risks
- Should not be used for secret or confidential meetings or conversations
- If used;
- Ensure users are aware of, and using, proper security settings and are staying up-to-date on ongoing changes
- Set the application to auto-update so it is always up-to-date with latest fixes
- Ensure meeting recordings are also protected
- Hosts should monitor participants of their meetings and not allow unknown users into meetings
- For tighter control and deeper integration with other organization communication tools, consider a more mature conferencing solution