Things people haven’t said about Zoom yet... Zoom Security Management Strategy

If you are a CISO or Security resource within your organization, you have likely gotten a few questions about Zoom in the past weeks. Is it being used? How do we use it securely? What happens if it is successfully attacked? Add to that the fact that more users are on Zoom due to the COVID-19 quarantine than were using it before the outbreak. This means that the bulk of the users are employing a product that was rapidly deployed and may have bypassed the typical safeguards for enterprise product deployments.

When it comes to managing this situation as a CISO, there are a set of strategies you can employ to mitigate risk and be able to accurately convey the organization’s security posture. An important side note here is that while we are focused on Zoom, many of the same types of attacks can apply to other conference services, and as organizations look for a Zoom alternative you still need to ask the same questions about those services.

At a fundamental level the facts to review here can apply to any large software suite or service:

What’s probably happening at Zoom right now?

Zoom has brought in an external advisor with direct experience for situations like this, in addition to an advisory board ( https://medium.com/@alexstamos/working-on-security-and-safety-with-zoom-2f61f197cb34). This is a positive sign which will likely lead to the standard response for an event like this, which is bringing in AppSec testing resources to perform a thorough assessment of the product and platform. From a Zoom user perspective, once this process starts you will see an increase in updates, along with new security feature additions. It’s critical that as a security team you ensure that your users are updating their clients when prompted; it’s better to be two minutes late to a meeting than to join it with an insecure client.

Zoom maintains their release notes here:
https://support.zoom.us/hc/en-us/sections/201214205-Release-Notes

Over the next two months it would be advisable for someone on your team to check this page daily for updates to the Zoom components you are using. Reviewing the release notes in addition to making sure the software is up to date will be critical, because Zoom is likely going to be adding new security features to counter various types of attacks, and you will want to be aware of them to take advantage of that functionality. An additional consideration if there is pushback on immediate patching of the Zoom client: As these patches are released, vulnerability researchers will be examining the patches to determine what has been changed. While Zoom itself has not given detailed disclosures of vulnerabilities on their own, issues impacting user-controlled components can be reverse-engineered from the update, and then the potential for in-the-wild exploitation follows. Remember, most of the global security community is stuck at home right now looking for something to poke at while much of current media attention is focused on the Zoom desktop client. The platform also contains a wide range of components like XMPP, SIP, Chatbots and the ZR-CSAPI. From a research perspective that varied attack surface allows a variety of disciplines to dive in.

Situational Awareness

Can someone determine if our organization is using Zoom?
If you have a vanity URL (e.g. company.zoom.us) you can expect that an attacker interested in your organization will check if it exists within the Zoom domain. It’s also safe to assume that someone has performed subdomain enumeration of *.zoom.us with a wordlist that includes large organization names. In terms of mitigations the options are limited: if you are using SSO with Zoom you must have a Vanity URL in place. There is no option to use an SSO solution without it.

Can someone discover our meetings?
While Zoom has implemented throttling of individual IPs scanning the meeting ID space, approaches using IP rotation like zWarDial have shown that it is still possible as long as an attacker routes the request through a sufficient pool of source IPs. This approach isn’t dependent on having access to zWarDial, and you should assume other actors are identifying live meeting IDs. Zoom rooms can also be discovered via other routes, such as searches within Google or Threat Intelligence feeds, for occurrences of Zoom related strings such as “zoom.us/j”.

While discovery is not preventable, you can take steps like employing a meeting password, requiring authenticated users and leveraging waiting rooms.

What should we do with Personal Meeting ID’s?
Personal meeting IDs (PMIs) and personal links are used for static meeting rooms as a way to give them an easy-to-remember identifier. While this functionality gives internal meetings a fixed value, if actual usernames are included as personal links it makes the meeting identifier more trivial to guess. PMIs are global across the entire Zoom user population, so John Doe at company A will not be able to use that PMI name if John Doe at Company B has already taken it. Discovery of those PMI names could also be narrowed down by leveraging employee names associated with a known vanity URL.

In terms of best practices, it is recommended that personal meeting IDs be used for internal meetings only if discovery is a concern. Like any other meeting they should also use a password. Since the focus on meeting discovery is high at the moment, it may be best to avoid using static meeting identifiers and employ randomly generated meeting IDs.

How should our meetings be set up?
The core rules to follow at the moment are using a Zoom generated ID to prevent long-term association of that ID to your meetings, enabling feature control capabilities as the meeting host, and most importantly using passwords and other authentication options to access the meeting itself. While having a password assigned to the meeting does mitigate some of the worries around discovery, we can’t predict vulnerabilities that may appear in the near future and using a random ID will provide some mitigation against targeted attacks. We are also going to disable most of the non-fundamental features that Zoom provides, along the following assumptions:

What setting should we pay attention to in the Admin Portal?
If you are using an enterprise-level Zoom account with access to the Admin Portal you will have some additional options when it comes to configuration. Admins have the ability to enforce most of the user-level settings we would be concerned with in a security context, as well as other components like Zoom Rooms. As with the user-level settings we are assuming that the use case in the current climate will be purely video conferencing and screen sharing, with other subsystems like chat and file transfer disabled. Of these subsystems chat is probably going to be the most heavily utilized in meeting with users outside of your organization. If it’s heavily leveraged enough to need to be enabled, then include some security awareness training along with it. Communication with other internal users should be over the existing enterprise chat solution, and users should follow the same rules with Zoom chats as they would with external emails in terms of acceptable content.

Best Practices

Recommended Settings for User Profile:

Meetings

Settings/Meetings

Zoom Account Admin

Room Management

Account Settings/Meeting

Account Settings

IM Management

Security