Things people haven’t said about Zoom yet... Zoom Security Management Strategy
If you are a CISO or Security resource within your organization, you have likely gotten a few questions about Zoom in the past weeks. Is it being used? How do we use it securely? What happens if it is successfully attacked? Add to that the fact that more users are on Zoom due to the COVID-19 quarantine than were using it before the outbreak. This means that the bulk of the users are employing a product that was rapidly deployed and may have bypassed the typical safeguards for enterprise product deployments.
When it comes to managing this situation as a CISO, there are a set of strategies you can employ to mitigate risk and be able to accurately convey the organization’s security posture. An important side note here is that while we are focused on Zoom, many of the same types of attacks can apply to other conference services, and as organizations look for a Zoom alternative you still need to ask the same questions about those services.
At a fundamental level the facts to review here can apply to any large software suite or service:
- Who is using it and why?
- What features are we using?
- How do we secure or harden our configuration?
- How are we authenticating?
- What type of data is kept and where is it stored?
- Where are the logs and how are they monitored for security events?
- How do we know when to patch and what the update addressed?
What’s probably happening at Zoom right now?
Zoom has brought in an external advisor with direct experience of situations like this, in addition to an advisory board (https://medium.com/@alexstamos/working-on-security-and-safety-with-zoom-2f61f197cb34). This is a positive sign which will likely lead to the standard response for an event like this: bringing in AppSec testing resources to perform a thorough assessment of the product and platform. From a Zoom user's perspective, once this process starts you will see an increase in updates, along with new security feature additions. It’s critical that as a security team you ensure that your users are updating their clients when prompted; it’s better to be two minutes late to a meeting than to join it with an insecure client.
Zoom maintains their release notes here:
https://support.zoom.us/hc/en-us/sections/201214205-Release-Notes
Over the next two months it would be advisable for someone on your team to check this page daily for updates to the Zoom components you are using. Reviewing the release notes, in addition to making sure the software is up to date, will be critical, because Zoom is likely going to be adding new security features to counter various types of attacks, and you will want to be aware of them so you can take advantage of that functionality.
An additional consideration if there is pushback on immediate patching of the Zoom client: as these patches are released, vulnerability researchers will be examining them to determine what has changed. While Zoom itself has not given detailed disclosures of vulnerabilities, issues impacting user-controlled components can be reverse-engineered from the update, and the potential for in-the-wild exploitation follows. Remember, most of the global security community is stuck at home right now looking for something to poke at, while much of the current media attention is focused on the Zoom desktop client. The platform also contains a wide range of components like XMPP, SIP, chatbots and the ZR-CSAPI. From a research perspective that varied attack surface allows a variety of disciplines to dive in.
Situational Awareness
Can someone determine if our organization is using Zoom?
If you have a vanity URL (e.g. company.zoom.us) you can expect that an attacker interested in your organization will check whether it exists within the Zoom domain. It’s also safe to assume that someone has performed subdomain enumeration of *.zoom.us with a wordlist that includes large organization names. In terms of mitigations the options are limited: if you are using SSO with Zoom you must have a vanity URL in place, as there is no option to use an SSO solution without one.
Can someone discover our meetings?
While Zoom has implemented throttling of individual IPs scanning the meeting ID space, approaches using IP rotation like zWarDial have shown that it is still possible as long as an attacker routes the requests through a sufficiently large pool of source IPs. This approach isn’t dependent on having access to zWarDial, and you should assume other actors are identifying live meeting IDs. Zoom rooms can also be discovered via other routes, such as searches within Google or threat intelligence feeds for occurrences of Zoom-related strings such as “zoom.us/j”.
While discovery is not preventable, you can take steps such as requiring a meeting password, allowing only authenticated users and leveraging waiting rooms.
What should we do with Personal Meeting IDs?
Personal meeting IDs (PMIs) and personal links are used for static meeting rooms as a way to give them an easy-to-remember identifier. While this functionality gives internal meetings a fixed value, if actual usernames are used as personal links the meeting identifier becomes trivial to guess. PMIs are global across the entire Zoom user population, so John Doe at Company A will not be able to use a PMI name if John Doe at Company B has already taken it. Discovery of those PMI names can also be narrowed down by leveraging employee names associated with a known vanity URL.
In terms of best practices, it is recommended that personal meeting IDs be used only for internal meetings if discovery is a concern. Like any other meeting they should also use a password. Since the focus on meeting discovery is high at the moment, it may be best to avoid using static meeting identifiers and employ randomly generated meeting IDs.
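As an added example (not code from the original post), the following scanner recognizes the two link shapes described in the last two sections, a join link with a meeting ID and optional embedded password, and a personal link that maps to a static PMI room, so you can run it over your own document exports, tickets or mail archives and find where meeting links leak a vanity URL, carry the password inline, or expose a personal link. The sample text is constructed, and the 9-11 digit meeting ID length and the treatment of www/usNNweb subdomains as non-vanity are assumptions.

```python
import re

# Join link: <sub>.zoom.us/j/<meeting id>[?pwd=...]; personal link: <sub>.zoom.us/my/<name>.
# Assumptions: meeting IDs are 9-11 digits; subdomains other than www or the regional
# usNNweb endpoints are treated as an organization's vanity URL.
ZOOM_LINK = re.compile(
    r"https?://(?:(?P<sub>[a-z0-9-]+)\.)?zoom\.us/"
    r"(?:j/(?P<meeting_id>\d{9,11})(?:\?pwd=(?P<pwd>[A-Za-z0-9._-]+))?"
    r"|my/(?P<personal>[A-Za-z0-9._-]+))",
    re.IGNORECASE,
)
NON_VANITY = re.compile(r"www|us\d\dweb", re.IGNORECASE)


def audit_zoom_links(text):
    """Scan text for Zoom links and return one finding per link: the URL, its kind
    (join-link or personal-link) and a list of exposure flags for a reviewer."""
    findings = []
    for m in ZOOM_LINK.finditer(text):
        flags = []
        sub = m.group("sub")
        if sub and not NON_VANITY.fullmatch(sub):
            flags.append("vanity URL reveals the organization")
        if m.group("personal"):
            kind = "personal-link"
            flags.append("personal link exposes a static PMI room (use a generated ID)")
        else:
            kind = "join-link"
            if m.group("pwd"):
                flags.append("password embedded in link; the link alone grants entry")
        findings.append({"url": m.group(0), "kind": kind, "flags": flags})
    return findings


# Constructed sample text (not real links): a pasted calendar invite and a wiki page.
SAMPLE_TEXT = """
All-hands: https://example-corp.zoom.us/j/123456789?pwd=abcDEF123
Vendor sync: https://us02web.zoom.us/j/98765432101
Standing room: https://example-corp.zoom.us/my/john.doe
"""

if __name__ == "__main__":
    for f in audit_zoom_links(SAMPLE_TEXT):
        print(f["kind"], f["url"], "; ".join(f["flags"]) or "no flags")
```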
How should our meetings be set up?
The core rules to follow at the moment are using a Zoom-generated ID to prevent long-term association of that ID with your meetings, enabling feature control capabilities as the meeting host, and most importantly using passwords and other authentication options to control access to the meeting itself. While having a password assigned to the meeting does mitigate some of the worries around discovery, we can’t predict vulnerabilities that may appear in the near future, and using a random ID will provide some mitigation against targeted attacks. We are also going to disable most of the non-fundamental features that Zoom provides, under the following assumptions:
- Zoom is being used for video conferencing and screen sharing only
- There are no requirements to retain conference recordings
- Other services exist to replace features like chat
What settings should we pay attention to in the Admin Portal?
If you are using an enterprise-level Zoom account with access to the Admin Portal you will have some additional options when it comes to configuration. Admins have the ability to enforce most of the user-level settings we would be concerned with in a security context, as well as other components like Zoom Rooms. As with the user-level settings, we are assuming that the use case in the current climate will be purely video conferencing and screen sharing, with other subsystems like chat and file transfer disabled. Of these subsystems, chat is probably going to be the most heavily utilized in meetings with users outside of your organization. If it’s leveraged heavily enough to need to be enabled, then include some security awareness training along with it. Communication with other internal users should be over the existing enterprise chat solution, and users should follow the same rules with Zoom chats as they would with external emails in terms of acceptable content.
Best Practices
- Aggressive Patch Management
  - Whatever mechanism you need to utilize to make sure your endpoints have up-to-date Zoom software, execute on it. Users should be trained to accept the Zoom updates when launching, even if it causes a delay in joining a meeting.
- Disable Features Not in Use
  - Always a good rule, especially given the high profile Zoom has at the moment. Attack surface management applies to Zoom and any other enterprise product. When functionality is enabled it should be for a required use case, and features enabled by default that are not used should be disabled.
- Manage Meeting Data
  - Meeting recordings that aren’t being used should be deleted. If you don’t need to use Zoom’s cloud storage for recordings, then a conservative approach would be to migrate that data off of the platform for now.
- Be aware of when 3rd parties are recording your Zoom session
  - “Is it OK if we record this meeting?” Train your users that it’s OK to say no to recording a meeting they are participating in. Treat recorded meetings like any third party holding your data, and consider what you say in a meeting to be “on the record.” While participants could still record the meeting via other mechanisms, this policy would at least ensure the recording isn’t in the standard storage location, where an attacker would look first if the Zoom account were to be breached.
Recommended Settings for User Profile:

Profile (https://zoom.us/profile)

| Setting | Recommended value |
|---|---|
| Host Key | Change if you haven't recently updated it |
| Personal Link | Blank |

Settings (https://zoom.us/profile/setting)

| Setting | Recommended value |
|---|---|
| Use Personal Meeting ID (PMI) when scheduling a meeting | Disabled |
| Use Personal Meeting ID (PMI) when starting an instant meeting | Disabled |
| Require a password for Personal Meeting ID (PMI) | Enabled/All Meetings Using PMI |
Meetings

Meetings/Personal Meeting Room (https://zoom.us/meeting)

| Setting | Recommended value |
|---|---|
| Enable join before host | Unchecked |
| Mute participants upon entry | Checked |
| Enable Waiting Room | Checked |
| Only authenticated users can join | Checked/Sign in with specified domain for your org |
| Record the meeting automatically | Unchecked |

Meetings/Schedule a new meeting (https://zoom.us/meeting/schedule)

| Setting | Recommended value |
|---|---|
| Meeting ID | Generate Automatically |
| Meeting Password | Require meeting password checked |
| Enable join before host | Unchecked |
| Mute participants upon entry | Checked |
| Enable Waiting Room | Checked |
| Only authenticated users can join | Checked |
| Record the meeting automatically | Unchecked |

Recordings (https://zoom.us/recording): delete any that aren't required by the organization.
Settings/Meetings

Settings/Meeting (https://zoom.us/profile/setting)

| Setting | Recommended value |
|---|---|
| Join before host | Disabled |
| Only authenticated users can join | Enabled |
| Only authenticated users can join meetings from Web client | Enabled |
| Require a password when scheduling new meetings | Enabled |
| Require a password for instant meetings | Enabled |
| Embed password in meeting link for one-click join | Disabled |
| Require password for participants joining by phone | Enabled |
| Mute participants upon entry | Enabled |
| Require Encryption for 3rd Party Endpoints | Enabled |
| Chat | Disabled/Prevent participants from saving chat checked |
| Private Chat | Disabled |
| Auto Saving Chats | Disabled |
| Play sound when participants join or leave | Disabled |
| File transfer | Disabled |
| Feedback to Zoom | Disabled |
| Display end-of-meeting survey | Disabled |
| Polling | Disabled |
| Screen sharing | Host Only |
| Annotation | Disabled |
| Whiteboard | Disabled |
| Nonverbal feedback | Disabled |
| Allow removed participants to rejoin | Disabled |
| Allow removed participants to rename themselves | Disabled |
| Breakout Room | Disabled |
| Remote support | Disabled |
| Captioning | Disable unless actually needed |
| Far end camera control | Disabled |
| Save captions | Disabled |
| Identify guest participants in the meeting/webinar | Enabled |
| Waiting Room | Enabled |
| Show a "Join from your browser" link | Enabled |
| Blur snapshot on iOS task switcher | Enabled |

Settings/Recording

| Setting | Recommended value |
|---|---|
| Local Recording | Disabled |
| Cloud Recording | Disabled |
| Automatic Recording | Disabled |
| Only authenticated users can view cloud recordings | Enabled |
| Require password to access shared cloud recordings | Enabled |
| The host can delete cloud recordings | Enabled |
| Recording disclaimer | Enabled, both options checked |
| Multiple audio notifications of recorded meeting | Enabled |
Zoom Account Admin

User Management (https://zoom.us/account/user#/)

| Setting | Recommended value |
|---|---|
| Join before host | Disabled |
| Use Personal Meeting ID (PMI) when scheduling a meeting | Disabled |
| Use Personal Meeting ID (PMI) when starting an instant meeting | Disabled |
| Only authenticated users can join meetings | Enabled |
| Only authenticated users can join meetings from Web client | Enabled |
| Require a password when scheduling new meetings | Enabled |
| Require a password for instant meetings | Enabled |
| Require a password for Personal Meeting ID (PMI) | Enabled |
| Embed password in meeting link for one-click join | Disabled |
| Require password for participants joining by phone | Enabled |
| Mute participants upon entry | Enabled |
| Require Encryption for 3rd Party Endpoints (H323/SIP) | Enabled |
| Chat | Disabled |
| Private Chat | Disabled |
| Auto Saving Chats | Disabled |
| Play sound when participants join or leave | Disabled |
| File Transfer | Disabled |
| Feedback to Zoom | Host Only |
| Display end-of-meeting experience feedback survey | Disabled |
| Polling | Disabled |
| Screen Sharing | Disabled |
| Annotation | Disabled |
| Whiteboard | Disabled |
| Remote Control | Disabled |
| Allow removed participants to rejoin | Disabled |
| Breakout room | Disabled |
| Remote Support | Disabled |
| Closed captioning | Disabled unless needed |
| Far end camera control | Disabled |
| Identify guest participants in the meeting/webinar | Enabled |
| Auto-answer group in chat | Disabled |
| Waiting Room | Enabled/All Participants |
| Show a "Join from your browser" link | Enabled |
| Blur snapshot on iOS task switcher | Enabled |
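Enforcing a baseline is only half the job; you also want to know when a user's settings drift away from it. As an added example (not the post's or Zoom's code), the function below compares a user settings document against a baseline encoded from the User Management table above and reports every setting that differs or is absent. The key names are assumed to match the Zoom API v2 user-settings response (GET /users/{userId}/settings) and the sample document is constructed; verify the keys against the current API reference before using this against live data.

```python
# Baseline derived from the User Management table above. Key names are assumed to
# match the Zoom API v2 user-settings response (GET /users/{userId}/settings); verify
# them against the current API reference before relying on this check.
BASELINE = {
    "schedule_meeting": {
        "join_before_host": False,                   # Join before host: Disabled
        "use_pmi_for_scheduled_meetings": False,     # Use PMI when scheduling: Disabled
        "use_pmi_for_instant_meetings": False,       # Use PMI for instant meetings: Disabled
        "require_password_for_scheduling_new_meetings": True,
        "require_password_for_instant_meetings": True,
        "require_password_for_pmi_meetings": "all",  # Require a password for PMI: Enabled
        "embed_password_in_join_link": False,        # Embed password in link: Disabled
        "pstn_password_protected": True,             # Password for phone participants: Enabled
    },
    "in_meeting": {
        "chat": False, "private_chat": False, "file_transfer": False,
        "screen_sharing": False, "remote_control": False, "waiting_room": True,
        "entry_exit_chime": "none",                  # Play sound on join/leave: Disabled
    },
    "recording": {"local_recording": False, "cloud_recording": False,
                  "auto_recording": "none"},        # Automatic recording: Disabled
}
MISSING = object()  # sentinel: an absent key is reported as drift, not silently passed

def find_drift(settings, baseline=BASELINE):
    """Return (section.key, expected, actual) for every baseline setting that
    differs from, or is absent in, the settings document."""
    drift = []
    for section, expected_keys in baseline.items():
        actual_section = settings.get(section) or {}
        for key, expected in expected_keys.items():
            actual = actual_section.get(key, MISSING)
            if actual is MISSING:
                drift.append((f"{section}.{key}", expected, "missing"))
            elif actual != expected:
                drift.append((f"{section}.{key}", expected, actual))
    return drift

# Constructed sample, not a real API response: join-before-host is still on, chat and
# cloud recording are enabled, and the phone-password key is absent altogether.
SAMPLE_SETTINGS = {
    "schedule_meeting": {
        "join_before_host": True, "use_pmi_for_scheduled_meetings": False,
        "use_pmi_for_instant_meetings": False, "embed_password_in_join_link": False,
        "require_password_for_scheduling_new_meetings": True,
        "require_password_for_instant_meetings": True,
        "require_password_for_pmi_meetings": "all",
    },
    "in_meeting": {"chat": True, "private_chat": False, "file_transfer": False,
                   "screen_sharing": False, "remote_control": False,
                   "waiting_room": True, "entry_exit_chime": "none"},
    "recording": {"local_recording": False, "cloud_recording": True,
                  "auto_recording": "none"},
}
```

Running `find_drift(SAMPLE_SETTINGS)` reports four entries: join-before-host, the missing phone-password key, chat and cloud recording.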
Room Management

Room Management (https://zoom.us/location)

| Setting | Recommended value |
|---|---|
| Room Passcode | Set |
| Require Code to Exit | Enabled |
| Hide Room in Contacts | Enabled |
| Device Operation Time | Set for business hours |
| Room Personal Link | Leave blank |
| Host Key | Set |
| Zoom Room Admins | Verify Emails |
Account Settings/Meeting

Meeting (https://zoom.us/account/setting?tab=meeting)

| Setting | Recommended value |
|---|---|
| Automatically accept incoming call and far end camera control | Disabled |
| Transform all meetings to private | Enabled |
| Hide host and meeting ID from private meetings | Enabled |
| Always Turn Zoom Rooms Video On for Internal Meetings | Disabled |
| Automatic start scheduled meetings | Disabled |
| Encrypt direct share content | Enabled |
| Show call history in Zoom Rooms | Disabled |
| Send Whiteboard to internal contacts only | Enabled |
| Use Personal Meeting ID (PMI) when starting an instant meeting | Disabled |
| Require a password when scheduling new meetings | Enabled |
| Require a password for instant meetings | Enabled |
| Require a password for Room Meeting ID (Applicable for Zoom Rooms only) | Enabled |
| Chat | Disabled |
| Private Chat | Disabled |
| Auto saving chats | Disabled |
| Enable chat notifications on TV | Disabled |
| Allow host to put attendee on hold | Disabled |
| Annotation | Disabled |
| Polling | Disabled |
| Breakout room | Disabled |
| File transfer | Disabled |
| Far end camera control | Disabled |
| Waiting room | Enabled |
| Cloud recording | Disabled |
| Local recording | Disabled |
| Automatic recording | Disabled |
| Require password to access shared cloud recordings | Enabled |
| Recording disclaimer | Enabled |
| Multiple audio notifications of recorded meeting | Enabled |
| Cloud recording for instant meetings | Disabled |
| Require Encryption for 3rd Party Endpoints (H323/SIP) | Enabled |
| Require password for participants joining by phone | Enabled |
| Bypass the password when joining meetings from meeting list | Disabled |
Account Settings

Account Settings (https://zoom.us/account/setting)

| Setting | Recommended value |
|---|---|
| Only authenticated users can join meetings | Enabled |
| Only authenticated users can join meetings from Web clients | Enabled |
| Require a password when scheduling new meetings | Enabled |
| Require a password for instant meetings | Enabled |
| Require a password for Personal Meeting ID (PMI) | Enabled |
| Require a password for Room Meeting ID (Applicable for Zoom Rooms only) | Enabled |
| Embed password in meeting link for one-click join | Enabled |
| Require password for participants joining by phone | Enabled |
| Meeting password requirement | Check all but "Only allow" 10 characters |
| Bypass the password when joining meetings from meeting list | Disabled |
| Require Encryption for 3rd Party Endpoints (H323/SIP) | Enabled |
| Chat | Disabled |
| Private chat | Disabled |
| Auto saving chats | Disabled |
| File transfer | Disabled |
| Feedback to Zoom | Disabled |
| Display end-of-meeting experience feedback survey | Disabled |
| Polling | Disabled |
| Annotation | Disabled |
| Whiteboard | Disabled |
| Nonverbal feedback | Disabled |
| Allow removed participants to rejoin | Disabled |
| Allow participants to rename themselves | Disabled |
| Breakout room | Disabled |
| Closed captioning | Disabled unless needed |
| Save Captions | Disabled |
| Far end camera control | Disabled |
| Identify guest participants in the meeting/webinar | Enabled |
| Waiting room | Enabled |
| Show a "Join from your browser" link | Enabled |
| Blur snapshot on iOS task switcher | Enabled |
| Allow users to contact Zoom's Support via Chat | Disabled |
IM Management

IM Management (https://zoom.us/account/imgroup)

| Setting | Recommended value |
|---|---|
| File transfer | Disabled |
| Code Snippet | Disabled |
| Enable advanced chat encryption | Enabled |
| Cloud storage | Disabled |
| Delete local data | Disabled |
| Store edited and deleted message revisions | Disabled |
Security

Advanced/Security (https://zoom.us/account/setting/security)

| Setting | Recommended value |
|---|---|
| Basic Password Requirement | Aligned to organization standards |
| Enhanced Password Rules | Aligned to organization standards |
| Enable advanced chat encryption | Enabled |
| Users need to sign in again after a period of inactivity | Aligned to usage (e.g. 60 minutes) |
| Users need to input Host Key to claim host role with the length of | Over 6 (currently in beta) |
| Sign in with Two-Factor Authentication | Enabled |
| Single Sign-On | Use if available |