Things people haven’t said about Zoom yet... Zoom Security Management Strategy

April 23, 2020

If you are a CISO or Security resource within your organization, you have likely gotten a few questions about Zoom in the past weeks. Is it being used? How do we use it securely? What happens if it is successfully attacked? Add to that the fact that more users are on Zoom due to the COVID-19 quarantine than were using it before the outbreak. This means that the bulk of the users are employing a product that was rapidly deployed and may have bypassed the typical safeguards for enterprise product deployments.

When it comes to managing this situation as a CISO, there are a set of strategies you can employ to mitigate risk and be able to accurately convey the organization’s security posture. An important side note here is that while we are focused on Zoom, many of the same types of attacks can apply to other conference services, and as organizations look for a Zoom alternative you still need to ask the same questions about those services.

At a fundamental level the facts to review here can apply to any large software suite or service:

  • Who is using it and why?
  • What features are we using?
  • How do we secure or harden our configuration?
  • How are we authenticating?
  • What type of data is kept and where is it stored?
  • Where are the logs and how are they monitored for security events?
  • How do we know when to patch and what the update addressed?

What’s probably happening at Zoom right now?

Zoom has brought in an external advisor with direct experience of situations like this, in addition to an advisory board (https://medium.com/@alexstamos/working-on-security-and-safety-with-zoom-2f61f197cb34). This is a positive sign, and it will likely lead to the standard response for an event like this: bringing in AppSec testing resources to perform a thorough assessment of the product and platform. From a Zoom user perspective, once this process starts you will see an increase in updates, along with new security feature additions. It's critical that as a security team you ensure that your users are updating their clients when prompted; it's better to be two minutes late to a meeting than to join it with an insecure client.

Zoom maintains their release notes here:
https://support.zoom.us/hc/en-us/sections/201214205-Release-Notes

Over the next two months it would be advisable for someone on your team to check this page daily for updates to the Zoom components you are using. Reviewing the release notes, in addition to making sure the software is up to date, will be critical, because Zoom is likely going to be adding new security features to counter various types of attacks, and you will want to be aware of them to take advantage of that functionality. An additional consideration if there is pushback on immediate patching of the Zoom client: as these patches are released, vulnerability researchers will be examining them to determine what has been changed. While Zoom itself has not given detailed disclosures of vulnerabilities, issues impacting user-controlled components can be reverse-engineered from the update, and the potential for in-the-wild exploitation follows. Remember, most of the global security community is stuck at home right now looking for something to poke at, while much of the current media attention is focused on the Zoom desktop client. The platform also contains a wide range of components like XMPP, SIP, Chatbots and the ZR-CSAPI. From a research perspective that varied attack surface allows a variety of disciplines to dive in.

Situational Awareness

Can someone determine if our organization is using Zoom?
If you have a vanity URL (e.g. company.zoom.us) you can expect that an attacker interested in your organization will check whether it exists within the Zoom domain. It's also safe to assume that someone has performed subdomain enumeration of *.zoom.us with a wordlist that includes large organization names. In terms of mitigations the options are limited: if you are using SSO with Zoom you must have a vanity URL in place. There is no option to use an SSO solution without it.

Can someone discover our meetings?
While Zoom has implemented throttling of individual IPs scanning the meeting ID space, approaches using IP rotation like zWarDial have shown that it is still possible as long as an attacker routes the requests through a sufficient pool of source IPs. This approach isn't dependent on having access to zWarDial, and you should assume other actors are identifying live meeting IDs. Zoom rooms can also be discovered via other routes, such as searches within Google or Threat Intelligence feeds for occurrences of Zoom-related strings such as "zoom.us/j".

While discovery is not preventable, you can take steps like employing a meeting password, requiring authenticated users and leveraging waiting rooms.

What should we do with Personal Meeting IDs?
Personal meeting IDs (PMIs) and personal links are used for static meeting rooms as a way to give them an easy-to-remember identifier. While this functionality gives internal meetings a fixed value, if actual usernames are included as personal links it makes the meeting identifier easier to guess. PMIs are global across the entire Zoom user population, so John Doe at company A will not be able to use that PMI name if John Doe at company B has already taken it. Discovery of those PMI names could also be narrowed down by leveraging employee names associated with a known vanity URL.

In terms of best practices, it is recommended that personal meeting IDs be used for internal meetings only if discovery is a concern. Like any other meeting they should also use a password. Since the focus on meeting discovery is high at the moment, it may be best to avoid using static meeting identifiers and employ randomly generated meeting IDs.

How should our meetings be set up?
The core rules to follow at the moment are using a Zoom-generated ID to prevent long-term association of that ID with your meetings, enabling feature control capabilities as the meeting host, and most importantly using passwords and other authentication options to access the meeting itself. While having a password assigned to the meeting does mitigate some of the worries around discovery, we can't predict vulnerabilities that may appear in the near future, and using a random ID will provide some mitigation against targeted attacks. We are also going to disable most of the non-fundamental features that Zoom provides, under the following assumptions:

  • Zoom is being used for video conferencing and screen sharing only
  • There are no requirements to retain conference recordings
  • Other services exist to replace features like chat

What settings should we pay attention to in the Admin Portal?
If you are using an enterprise-level Zoom account with access to the Admin Portal you will have some additional options when it comes to configuration. Admins have the ability to enforce most of the user-level settings we would be concerned with in a security context, as well as other components like Zoom Rooms. As with the user-level settings, we are assuming that the use case in the current climate will be purely video conferencing and screen sharing, with other subsystems like chat and file transfer disabled. Of these subsystems, chat is probably going to be the most heavily utilized in meetings with users outside of your organization. If it's heavily leveraged enough to need to be enabled, then include some security awareness training along with it. Communication with other internal users should be over the existing enterprise chat solution, and users should follow the same rules with Zoom chats as they would with external emails in terms of acceptable content.

Best Practices

  • Aggressive Patch Management
    • Whatever mechanism you need to utilize to make sure your endpoints have up-to-date Zoom software, execute on it. Users should be trained to accept the Zoom updates when launching, even if it causes a delay in joining a meeting.
  • Disable Features Not in Use
    • Always a good rule, especially given the high profile Zoom has at the moment. Attack surface management applies to Zoom and any other enterprise product. When functionality is enabled it should be for a required use case, and features enabled by default that are not used should be disabled.
  • Manage Meeting Data
    • Meeting recordings that aren't being used should be deleted. If you don't need to use Zoom's cloud storage for recordings, then a conservative approach would be to migrate that data off of the platform for now.
  • Be aware of when 3rd parties are recording your Zoom session
    • "Is it OK if we record this meeting?" Train your users that it's OK to say no to recording a meeting they are participating in. Treat recorded meetings like any third party holding your data, and consider what you say in a meeting to be "on the record." While participants could still record the meeting via other mechanisms, this policy would at least ensure the recording isn't in the standard storage location, where an attacker would look first if the Zoom account were to be breached.

Recommended Settings for User Profile:

Profile (https://zoom.us/profile)
Host Key: Change if you haven't recently updated it
Personal Link: Blank

Settings (https://zoom.us/profile/setting)
Use Personal Meeting ID (PMI) when scheduling a meeting: Disabled
Use Personal Meeting ID (PMI) when starting an instant meeting: Disabled
Require a password for Personal Meeting ID (PMI): Enabled / All Meetings Using PMI

Meetings

Meetings/Personal Meeting Room (https://zoom.us/meeting)
Enable join before host: Unchecked
Mute participants upon entry: Checked
Enable Waiting Room: Checked
Only authenticated users can join: Checked / Sign in with specified domain for your org
Record the meeting automatically: Unchecked

Meetings/Schedule a new meeting (https://zoom.us/meeting/schedule)
Meeting ID: Generate Automatically
Meeting Password: Require meeting password checked
Enable join before host: Unchecked
Mute participants upon entry: Checked
Enable Waiting Room: Checked
Only authenticated users can join: Checked
Record the meeting automatically: Unchecked

Recordings (https://zoom.us/recording): Delete any that aren't required by the organization

Settings/Meetings

Settings/Meeting (https://zoom.us/profile/setting)
Join before host: Disabled
Only authenticated users can join: Enabled
Only authenticated users can join meetings from Web client: Enabled
Require a password when scheduling new meetings: Enabled
Require a password for instant meetings: Enabled
Embed password in meeting link for one-click join: Disabled
Require password for participants joining by phone: Enabled
Mute participants upon entry: Enabled
Require Encryption for 3rd Party Endpoints: Enabled
Chat: Disabled / Prevent participants from saving chat checked
Private Chat: Disabled
Auto Saving Chats: Disabled
Play sound when participants join or leave: Disabled
File transfer: Disabled
Feedback to Zoom: Disabled
Display end-of-meeting survey: Disabled
Polling: Disabled
Screen sharing: Host Only
Annotation: Disabled
Whiteboard: Disabled
Nonverbal feedback: Disabled
Allow removed participants to rejoin: Disabled
Allow removed participants to rename themselves: Disabled
Breakout Room: Disabled
Remote support: Disabled
Captioning: Disable unless actually needed
Far end camera control: Disabled
Save captions: Disabled
Identify guest participants in the meeting/webinar: Enabled
Waiting Room: Enabled
Show a "Join from your browser" link: Enabled
Blur snapshot on iOS task switcher: Enabled

Settings/Recording
Local Recording: Disabled
Cloud Recording: Disabled
Automatic Recording: Disabled
Only authenticated users can view cloud recordings: Enabled
Require password to access shared cloud recordings: Enabled
The host can delete cloud recordings: Enabled
Recording disclaimer: Enabled, both options checked
Multiple audio notifications of recorded meeting: Enabled

Zoom Account Admin

User Management (https://zoom.us/account/user#/)
Join before host: Disabled
Use Personal Meeting ID (PMI) when scheduling a meeting: Disabled
Use Personal Meeting ID (PMI) when starting an instant meeting: Disabled
Only authenticated users can join meetings: Enabled
Only authenticated users can join meetings from Web client: Enabled
Require a password when scheduling new meetings: Enabled
Require a password for instant meetings: Enabled
Require a password for Personal Meeting ID (PMI): Enabled
Embed password in meeting link for one-click join: Disabled
Require password for participants joining by phone: Enabled
Mute participants upon entry: Enabled
Require Encryption for 3rd Party Endpoints (H323/SIP): Enabled
Chat: Disabled
Private Chat: Disabled
Auto Saving Chats: Disabled
Play sound when participants join or leave: Disabled
File Transfer: Disabled
Feedback to Zoom: Host Only
Display end-of-meeting experience feedback survey: Disabled
Polling: Disabled
Screen Sharing: Disabled
Annotation: Disabled
Whiteboard: Disabled
Remote Control: Disabled
Allow removed participants to rejoin: Disabled
Breakout room: Disabled
Remote Support: Disabled
Closed captioning: Disabled unless needed
Far end camera control: Disabled
Identify guest participants in the meeting/webinar: Enabled
Auto-answer group in chat: Disabled
Waiting Room: Enabled / All Participants
Show a "Join from your browser" link: Enabled
Blur snapshot on iOS task switcher: Enabled

Room Management

Room Management (https://zoom.us/location)
Room Passcode: Set
Require Code to Exit: Enabled
Hide Room in Contacts: Enabled
Device Operation Time: Set for business hours
Room Personal Link: Leave blank
Host Key: Set
Zoom Room Admins: Verify Emails

Account Settings/Meeting

Meeting (https://zoom.us/account/setting?tab=meeting)
Automatically accept incoming call and far end camera control: Disabled
Transform all meetings to private: Enabled
Hide host and meeting ID from private meetings: Enabled
Always Turn Zoom Rooms Video On for Internal Meetings: Disabled
Automatic start scheduled meetings: Disabled
Encrypt direct share content: Enabled
Show call history in Zoom Rooms: Disabled
Send Whiteboard to internal contacts only: Enabled
Use Personal Meeting ID (PMI) when starting an instant meeting: Disabled
Require a password when scheduling new meetings: Enabled
Require a password for instant meetings: Enabled
Require a password for Room Meeting ID (Applicable for Zoom Rooms only): Enabled
Chat: Disabled
Private Chat: Disabled
Auto saving chats: Disabled
Enable chat notifications on TV: Disabled
Allow host to put attendee on hold: Disabled
Annotation: Disabled
Polling: Disabled
Breakout room: Disabled
File transfer: Disabled
Far end camera control: Disabled
Waiting room: Enabled
Cloud recording: Disabled
Local recording: Disabled
Automatic recording: Disabled
Require password to access shared cloud recordings: Enabled
Recording disclaimer: Enabled
Multiple audio notifications of recorded meeting: Enabled
Cloud recording for instant meetings: Disabled
Require Encryption for 3rd Party Endpoints (H323/SIP): Enabled
Require password for participants joining by phone: Enabled
Bypass the password when joining meetings from meeting list: Disabled

Account Settings

Account Settings (https://zoom.us/account/setting)
Only authenticated users can join meetings: Enabled
Only authenticated users can join meetings from Web clients: Enabled
Require a password when scheduling new meetings: Enabled
Require a password for instant meetings: Enabled
Require a password for Personal Meeting ID (PMI): Enabled
Require a password for Room Meeting ID (Applicable for Zoom Rooms only): Enabled
Embed password in meeting link for one-click join: Enabled
Require password for participants joining by phone: Enabled
Meeting password requirement: Check all but "Only allow"; 10 characters
Bypass the password when joining meetings from meeting list: Disabled
Require Encryption for 3rd Party Endpoints (H323/SIP): Enabled
Chat: Disabled
Private chat: Disabled
Auto saving chats: Disabled
File transfer: Disabled
Feedback to Zoom: Disabled
Display end-of-meeting experience feedback survey: Disabled
Polling: Disabled
Annotation: Disabled
Whiteboard: Disabled
Nonverbal feedback: Disabled
Allow removed participants to rejoin: Disabled
Allow participants to rename themselves: Disabled
Breakout room: Disabled
Closed captioning: Disabled unless needed
Save Captions: Disabled
Far end camera control: Disabled
Identify guest participants in the meeting/webinar: Enabled
Waiting room: Enabled
Show a "Join from your browser" link: Enabled
Blur snapshot on iOS task switcher: Enabled
Allow users to contact Zoom's Support via Chat: Disabled
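The account-level settings above are only useful if they stay set. The following script is an added example (not Optiv's or Zoom's code) that compares an exported account-settings JSON document against a subset of the baseline from these tables and reports every deviation, including keys that are absent rather than merely wrong. The nested field names are an assumption about how the portal settings map onto Zoom's account-settings API and must be verified against the current API before use; the sample export is constructed.

```python
"""Check an exported Zoom account-settings JSON document against the hardening
baseline from the Account Settings tables above. Added example, not code from
Optiv or Zoom; the nested key names are an assumption about how the portal
settings map onto Zoom's account-settings API and must be verified."""
import json

# Dotted path -> expected value, or ("min", n) for a numeric floor.
BASELINE = {
    "schedule_meeting.join_before_host": False,
    "schedule_meeting.require_password_for_scheduled_meetings": True,
    "schedule_meeting.require_password_for_instant_meetings": True,
    "schedule_meeting.meeting_password_requirement.length": ("min", 10),
    "schedule_meeting.meeting_password_requirement.only_allow_numeric": False,
    "in_meeting.chat": False,
    "in_meeting.private_chat": False,
    "in_meeting.file_transfer": False,
    "in_meeting.far_end_camera_control": False,
    "in_meeting.waiting_room": True,
    "recording.cloud_recording": False,
    "recording.local_recording": False,
}

def lookup(doc, path):
    """Walk a dotted path through nested dicts; return (found, value)."""
    node = doc
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node

def audit(settings, baseline=BASELINE):
    """Return (path, expected, actual) for each missing or deviating setting.
    A missing key is reported as "MISSING" rather than treated as compliant."""
    findings = []
    for path, expected in baseline.items():
        found, actual = lookup(settings, path)
        if not found:
            findings.append((path, expected, "MISSING"))
        elif isinstance(expected, tuple):  # ("min", n) floor check
            if not isinstance(actual, (int, float)) or actual < expected[1]:
                findings.append((path, expected, actual))
        elif actual != expected:
            findings.append((path, expected, actual))
    return findings

# Constructed sample export: chat still on, password floor too short,
# and the cloud_recording key absent altogether.
SAMPLE_EXPORT = json.loads("""{
  "schedule_meeting": {"join_before_host": false,
    "require_password_for_scheduled_meetings": true,
    "require_password_for_instant_meetings": true,
    "meeting_password_requirement": {"length": 6, "only_allow_numeric": false}},
  "in_meeting": {"chat": true, "private_chat": false, "file_transfer": false,
    "far_end_camera_control": false, "waiting_room": true},
  "recording": {"local_recording": false}}""")

if __name__ == "__main__":
    for path, expected, actual in audit(SAMPLE_EXPORT):
        print(f"DRIFT {path}: expected {expected}, got {actual}")
```

Run it on a scheduled basis against a fresh export and alert on a non-empty result; treating a missing key as a finding catches the case where Zoom renames or drops a field between releases.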

IM Management

IM Management (https://zoom.us/account/imgroup)
File transfer: Disabled
Code Snippet: Disabled
Enable advanced chat encryption: Enabled
Cloud storage: Disabled
Delete local data: Disabled
Store edited and deleted message revisions: Disabled

Security

Advanced/Security (https://zoom.us/account/setting/security)
Basic Password Requirement: Aligned to organization standards
Enhanced Password Rules: Aligned to organization standards
Enable advanced chat encryption: Enabled
Users need to sign in again after a period of inactivity: Aligned to usage (e.g. 60 minutes)
Users need to input Host Key to claim host role with the length of: Over 6 (currently in beta)
Sign in with Two-Factor Authentication: Enabled
Single Sign-On: Use if available

By: Woodrow Brown

Director, Partner Research and Strategy

By: John Bock

Senior Research Scientist | Optiv
