Things people haven’t said about Zoom yet... Zoom Security Management Strategy

If you are a CISO or Security resource within your organization, you have likely gotten a few questions about Zoom in the past weeks. Is it being used? How do we use it securely? What happens if it is successfully attacked? Add to that the fact that more users are on Zoom due to the COVID-19 quarantine than were using it before the outbreak. This means that the bulk of the users are employing a product that was rapidly deployed and may have bypassed the typical safeguards for enterprise product deployments.

 

When it comes to managing this situation as a CISO, there are a set of strategies you can employ to mitigate risk and be able to accurately convey the organization’s security posture. An important side note here is that while we are focused on Zoom, many of the same types of attacks can apply to other conference services, and as organizations look for a Zoom alternative you still need to ask the same questions about those services.

 

At a fundamental level the facts to review here can apply to any large software suite or service:

 

  • Who is using it and why?
  • What features are we using?
  • How do we secure or harden our configuration?
  • How are we authenticating?
  • What type of data is kept and where is it stored?
  • Where are the logs and how are they monitored for security events?
  • How do we know when to patch and what the update addressed?

 

What’s probably happening at Zoom right now?

 

Zoom has brought in an external advisor with direct experience in situations like this, in addition to an advisory board (https://medium.com/@alexstamos/working-on-security-and-safety-with-zoom-2f61f197cb34). This is a positive sign that will likely lead to the standard response for an event like this: bringing in AppSec testing resources to perform a thorough assessment of the product and platform. From a Zoom user perspective, once this process starts you will see an increase in updates, along with new security feature additions. It’s critical that as a security team you ensure that your users are updating their clients when prompted; it’s better to be two minutes late to a meeting than to join it with an insecure client.

 

Zoom maintains their release notes here:
https://support.zoom.us/hc/en-us/sections/201214205-Release-Notes

 

Over the next two months it would be advisable for someone on your team to check this page daily for updates to the Zoom components you are using. Reviewing the release notes, in addition to making sure the software is up to date, will be critical, because Zoom is likely going to be adding new security features to counter various types of attacks, and you will want to be aware of them to take advantage of that functionality.

An additional consideration if there is pushback on immediate patching of the Zoom client: as these patches are released, vulnerability researchers will be examining them to determine what has changed. While Zoom itself has not published detailed disclosures of the vulnerabilities being fixed, issues affecting user-controlled components can be reverse-engineered from the update, and the potential for in-the-wild exploitation follows. Remember, most of the global security community is stuck at home right now looking for something to poke at, while much of the current media attention is focused on the Zoom desktop client. The platform also contains a wide range of components like XMPP, SIP, chatbots and the ZR-CSAPI; from a research perspective that varied attack surface allows a variety of disciplines to dive in.

 

Situational Awareness

 

Can someone determine if our organization is using Zoom?
If you have a vanity URL (e.g. company.zoom.us) you can expect that an attacker interested in your organization will check if it exists within the Zoom domain. It’s also safe to assume that someone has performed subdomain enumeration of *.zoom.us with a wordlist that includes large organization names. In terms of mitigations the options are limited: if you are using SSO with Zoom you must have a Vanity URL in place. There is no option to use an SSO solution without it.

 

Can someone discover our meetings?
While Zoom has implemented throttling of individual IPs scanning the meeting ID space, approaches using IP rotation like zWarDial have shown that it is still possible as long as an attacker routes the requests through a sufficient pool of source IPs. This approach isn’t dependent on having access to zWarDial, and you should assume other actors are identifying live meeting IDs. Meetings can also be discovered via other routes, such as Google searches or Threat Intelligence feeds that surface Zoom-related strings such as “zoom.us/j”.

 

While discovery is not preventable, you can take steps like employing a meeting password, requiring authenticated users and leveraging waiting rooms.

 

What should we do with Personal Meeting IDs?
Personal meeting IDs (PMIs) and personal links are used for static meeting rooms as a way to give them an easy-to-remember identifier. While this functionality gives internal meetings a fixed value, if actual usernames are included as personal links it makes the meeting identifier more trivial to guess. PMIs are global across the entire Zoom user population, so John Doe at company A will not be able to use that PMI name if John Doe at Company B has already taken it. Discovery of those PMI names could also be narrowed down by leveraging employee names associated with a known vanity URL.

 

In terms of best practices, it is recommended that personal meeting IDs be used for internal meetings only if discovery is a concern. Like any other meeting they should also use a password. Since the focus on meeting discovery is high at the moment, it may be best to avoid using static meeting identifiers and employ randomly generated meeting IDs.

 

How should our meetings be set up?
The core rules to follow at the moment are using a Zoom-generated ID to prevent long-term association of that ID with your meetings, enabling feature control capabilities as the meeting host, and most importantly using passwords and other authentication options to control access to the meeting itself. While having a password assigned to the meeting does mitigate some of the worries around discovery, we can’t predict vulnerabilities that may appear in the near future, and using a random ID will provide some mitigation against targeted attacks. We are also going to disable most of the non-fundamental features that Zoom provides, under the following assumptions:

 

  • Zoom is being used for video conferencing and screen sharing only
  • There are no requirements to retain conference recordings
  • Other services exist to replace features like chat

 

What settings should we pay attention to in the Admin Portal?
If you are using an enterprise-level Zoom account with access to the Admin Portal you will have some additional options when it comes to configuration. Admins have the ability to enforce most of the user-level settings we would be concerned with in a security context, as well as other components like Zoom Rooms. As with the user-level settings, we are assuming that the use case in the current climate will be purely video conferencing and screen sharing, with other subsystems like chat and file transfer disabled. Of these subsystems, chat is probably going to be the most heavily utilized in meetings with users outside of your organization. If it’s leveraged heavily enough to need to be enabled, then include some security awareness training along with it. Communication with other internal users should be over the existing enterprise chat solution, and users should follow the same rules with Zoom chats as they would with external emails in terms of acceptable content.

 

Best Practices

 

  • Aggressive Patch Management
    • Whatever mechanism you need to utilize to make sure your endpoints have up-to-date Zoom software, execute on it. Users should be trained to accept the Zoom updates when launching, even if it causes a delay in joining a meeting.
  • Disable Features Not in Use
    • Always a good rule, especially given the high profile Zoom has at the moment. Attack surface management applies to Zoom and any other enterprise product. When functionality is enabled it should be for a required use case, and features enabled by default that are not used should be disabled.
  • Manage Meeting Data
    • Meeting recordings that aren’t being used should be deleted. If you don’t need to use Zoom’s cloud storage for recordings, then a conservative approach would be to migrate that data off of the platform for now.
  • Be aware of when 3rd parties are recording your Zoom session
    • “Is it OK if we record this meeting?” Train your users that it’s OK to say no to recording a meeting they are participating in. Treat recorded meetings like any third party holding your data, and consider what you say in a meeting to be “on the record.” While participants could still record the meeting via other mechanisms, this policy would at least ensure the recording isn’t in the standard storage location, where an attacker would look first if the Zoom account were to be breached.

 

Recommended Settings for User Profile:

 

Profile https://zoom.us/profile
  • Host Key: Change if you haven't recently updated it
  • Personal Link: Blank
Settings https://zoom.us/profile/setting
  • Use Personal Meeting ID (PMI) when scheduling a meeting: Disabled
  • Use Personal Meeting ID (PMI) when starting an instant meeting: Disabled
  • Require a password for Personal Meeting ID (PMI): Enabled/All Meetings Using PMI

 

Meetings

 

Meetings/Personal Meeting Room https://zoom.us/meeting
  • Enable join before host: Unchecked
  • Mute participants upon entry: Checked
  • Enable Waiting Room: Checked
  • Only authenticated users can join: Checked/Sign in with specified domain for your org
  • Record the meeting automatically: Unchecked
Meetings/Schedule a new meeting https://zoom.us/meeting/schedule
  • Meeting ID: Generate Automatically
  • Meeting Password: Require meeting password checked
  • Enable join before host: Unchecked
  • Mute participants upon entry: Checked
  • Enable Waiting Room: Checked
  • Only authenticated users can join: Checked
  • Record the meeting automatically: Unchecked
Recordings https://zoom.us/recording
  • Delete any that aren't required by the organization

 

Settings/Meetings

 

Settings/Meeting https://zoom.us/profile/setting
  • Join before host: Disabled
  • Only authenticated users can join: Enabled
  • Only authenticated users can join meetings from Web client: Enabled
  • Require a password when scheduling new meetings: Enabled
  • Require a password for instant meetings: Enabled
  • Embed password in meeting link for one-click join: Disabled
  • Require password for participants joining by phone: Enabled
  • Mute participants upon entry: Enabled
  • Require Encryption for 3rd Party Endpoints: Enabled
  • Chat: Disabled/Prevent participants from saving chat checked
  • Private Chat: Disabled
  • Auto Saving Chats: Disabled
  • Play sound when participants join or leave: Disabled
  • File transfer: Disabled
  • Feedback to Zoom: Disabled
  • Display end-of-meeting survey: Disabled
  • Polling: Disabled
  • Screen sharing: Host Only
  • Annotation: Disabled
  • Whiteboard: Disabled
  • Nonverbal feedback: Disabled
  • Allow removed participants to rejoin: Disabled
  • Allow participants to rename themselves: Disabled
  • Breakout Room: Disabled
  • Remote support: Disabled
  • Captioning: Disable unless actually needed
  • Far end camera control: Disabled
  • Save captions: Disabled
  • Identify guest participants in the meeting/webinar: Enabled
  • Waiting Room: Enabled
  • Show a "Join from your browser" link: Enabled
  • Blur snapshot on iOS task switcher: Enabled
Settings/Recording
  • Local Recording: Disabled
  • Cloud Recording: Disabled
  • Automatic Recording: Disabled
  • Only authenticated users can view cloud recordings: Enabled
  • Require password to access shared cloud recordings: Enabled
  • The host can delete cloud recordings: Enabled
  • Recording disclaimer: Enabled, both options checked
  • Multiple audio notifications of recorded meeting: Enabled

 

Zoom Account Admin

 

User Management https://zoom.us/account/user#/
  • Join before host: Disabled
  • Use Personal Meeting ID (PMI) when scheduling a meeting: Disabled
  • Use Personal Meeting ID (PMI) when starting an instant meeting: Disabled
  • Only authenticated users can join meetings: Enabled
  • Only authenticated users can join meetings from Web client: Enabled
  • Require a password when scheduling new meetings: Enabled
  • Require a password for instant meetings: Enabled
  • Require a password for Personal Meeting ID (PMI): Enabled
  • Embed password in meeting link for one-click join: Disabled
  • Require password for participants joining by phone: Enabled
  • Mute participants upon entry: Enabled
  • Require Encryption for 3rd Party Endpoints (H323/SIP): Enabled
  • Chat: Disabled
  • Private Chat: Disabled
  • Auto Saving Chats: Disabled
  • Play sound when participants join or leave: Disabled
  • File Transfer: Disabled
  • Feedback to Zoom: Host Only
  • Display end-of-meeting experience feedback survey: Disabled
  • Polling: Disabled
  • Screen Sharing: Disabled
  • Annotation: Disabled
  • Whiteboard: Disabled
  • Remote Control: Disabled
  • Allow removed participants to rejoin: Disabled
  • Breakout room: Disabled
  • Remote Support: Disabled
  • Closed captioning: Disabled unless needed
  • Far end camera control: Disabled
  • Identify guest participants in the meeting/webinar: Enabled
  • Auto-answer group in chat: Disabled
  • Waiting Room: Enabled/All Participants
  • Show a "Join from your browser" link: Enabled
  • Blur snapshot on iOS task switcher: Enabled
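Once these admin-enforced settings are in place, the practical follow-up is checking that they stay in place. The following is an added example, not code from the original post or from Zoom: a small drift check that compares an exported settings document against a baseline transcribed from the table above. The export is a constructed sample shaped like a Zoom API v2 user-settings response, and its key names are assumptions drawn from that API, so remap them to whatever your export actually contains.

```python
# Constructed sample export, shaped like a Zoom API v2 GET /users/{userId}/settings
# response; the key names are assumptions drawn from that API, so remap them if your
# export differs. Two deviations are planted: chat is on, and whiteboard is absent.
SAMPLE_EXPORT = {
    "schedule_meeting": {
        "join_before_host": False,
        "use_pmi_for_scheduled_meetings": False,
        "require_password_for_scheduling_new_meetings": True,
        "require_password_for_pmi_meetings": "all",
        "embed_password_in_join_link": False,
    },
    "in_meeting": {
        "chat": True,
        "file_transfer": False,
        "breakout_room": False,
        "far_end_camera_control": False,
        "waiting_room": True,
    },
    "recording": {"local_recording": False, "cloud_recording": False,
                  "auto_recording": "none"},
}

# Baseline transcribed from the User Management table above, keyed by
# (section, key) -> expected value; strings cover the non-boolean settings.
BASELINE = {
    ("schedule_meeting", "join_before_host"): False,
    ("schedule_meeting", "use_pmi_for_scheduled_meetings"): False,
    ("schedule_meeting", "require_password_for_scheduling_new_meetings"): True,
    ("schedule_meeting", "require_password_for_pmi_meetings"): "all",
    ("schedule_meeting", "embed_password_in_join_link"): False,
    ("in_meeting", "chat"): False,
    ("in_meeting", "file_transfer"): False,
    ("in_meeting", "whiteboard"): False,
    ("in_meeting", "breakout_room"): False,
    ("in_meeting", "far_end_camera_control"): False,
    ("in_meeting", "waiting_room"): True,
    ("recording", "local_recording"): False,
    ("recording", "cloud_recording"): False,
    ("recording", "auto_recording"): "none",
}


def find_drift(export, baseline=BASELINE):
    """Return [(path, expected, actual)] for every baseline setting whose exported
    value differs. A key missing from the export is reported with actual=None:
    an unverifiable feature is not compliant, so it must not pass silently."""
    drift = []
    for (section, key), expected in baseline.items():
        actual = export.get(section, {}).get(key)
        if actual != expected:
            drift.append((f"{section}.{key}", expected, actual))
    return drift
```

Run it against a fresh export after every Zoom update, since new features arrive enabled by default and a setting that was never exported is treated as drift rather than as compliant.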

 

Room Management

 

Room Management https://zoom.us/location
  • Room Passcode: Set
  • Require Code to Exit: Enabled
  • Hide Room in Contacts: Enabled
  • Device Operation Time: Set for business hours
  • Room Personal Link: Leave blank
  • Host Key: Set
  • Zoom Room Admins: Verify Emails

 

Account Settings/Meeting

 

Meeting https://zoom.us/account/setting?tab=meeting
  • Automatically accept incoming call and far end camera control: Disabled
  • Transform all meetings to private: Enabled
  • Hide host and meeting ID from private meetings: Enabled
  • Always Turn Zoom Rooms Video On for Internal Meetings: Disabled
  • Automatic start scheduled meetings: Disabled
  • Encrypt direct share content: Enabled
  • Show call history in Zoom Rooms: Disabled
  • Send Whiteboard to internal contacts only: Enabled
  • Use Personal Meeting ID (PMI) when starting an instant meeting: Disabled
  • Require a password when scheduling new meetings: Enabled
  • Require a password for instant meetings: Enabled
  • Require a password for Room Meeting ID (Applicable for Zoom Rooms only): Enabled
  • Chat: Disabled
  • Private Chat: Disabled
  • Auto saving chats: Disabled
  • Enable chat notifications on TV: Disabled
  • Allow host to put attendee on hold: Disabled
  • Annotation: Disabled
  • Polling: Disabled
  • Breakout room: Disabled
  • File transfer: Disabled
  • Far end camera control: Disabled
  • Waiting room: Enabled
  • Cloud recording: Disabled
  • Local recording: Disabled
  • Automatic recording: Disabled
  • Require password to access shared cloud recordings: Enabled
  • Recording disclaimer: Enabled
  • Multiple audio notifications of recorded meeting: Enabled
  • Cloud recording for instant meetings: Disabled
  • Require Encryption for 3rd Party Endpoints (H323/SIP): Enabled
  • Require password for participants joining by phone: Enabled
  • Bypass the password when joining meetings from meeting list: Disabled

 

Account Settings

 

Account Settings https://zoom.us/account/setting
  • Only authenticated users can join meetings: Enabled
  • Only authenticated users can join meetings from Web clients: Enabled
  • Require a password when scheduling new meetings: Enabled
  • Require a password for instant meetings: Enabled
  • Require a password for Personal Meeting ID (PMI): Enabled
  • Require a password for Room Meeting ID (Applicable for Zoom Rooms only): Enabled
  • Embed password in meeting link for one-click join: Enabled
  • Require password for participants joining by phone: Enabled
  • Meeting password requirement: Check all but "Only allow"; 10 characters
  • Bypass the password when joining meetings from meeting list: Disabled
  • Require Encryption for 3rd Party Endpoints (H323/SIP): Enabled
  • Chat: Disabled
  • Private chat: Disabled
  • Auto saving chats: Disabled
  • File transfer: Disabled
  • Feedback to Zoom: Disabled
  • Display end-of-meeting experience feedback survey: Disabled
  • Polling: Disabled
  • Annotation: Disabled
  • Whiteboard: Disabled
  • Nonverbal feedback: Disabled
  • Allow removed participants to rejoin: Disabled
  • Allow participants to rename themselves: Disabled
  • Breakout room: Disabled
  • Closed captioning: Disabled unless needed
  • Save Captions: Disabled
  • Far end camera control: Disabled
  • Identify guest participants in the meeting/webinar: Enabled
  • Waiting room: Enabled
  • Show a "Join from your browser" link: Enabled
  • Blur snapshot on iOS task switcher: Enabled
  • Allow users to contact Zoom's Support via Chat: Disabled

 

IM Management

 

IM Management https://zoom.us/account/imgroup
  • File transfer: Disabled
  • Code Snippet: Disabled
  • Enable advanced chat encryption: Enabled
  • Cloud storage: Disabled
  • Delete local data: Disabled
  • Store edited and deleted message revisions: Disabled

 

Security

 

Advanced/Security https://zoom.us/account/setting/security
  • Basic Password Requirement: Aligned to organization standards
  • Enhanced Password Rules: Aligned to organization standards
  • Enable advanced chat encryption: Enabled
  • Users need to sign in again after a period of inactivity: Aligned to usage (e.g. 60 minutes)
  • Users need to input Host Key to claim host role with the length of: Over 6 (currently in beta)
  • Sign in with Two-Factor Authentication: Enabled
  • Single Sign-On: Use if available

Woodrow Brown
Director, Partner Research and Strategy
Woodrow Brown has over a decade of leadership, service delivery and research experience. As director of partner research and strategy at Optiv, Brown's team provides objective analysis of cyber security products, enabling our clients to make informed decisions for technology selection. Cutting through industry spin, Brown delivers research that provides an accessible understanding of how security technologies function.
John Bock
Senior Research Scientist | Optiv
John Bock is a Senior Research Scientist for Optiv Inc., where he focuses on the emergent security landscape and threats to new, security-immature technologies. Prior to this role, John was the leader of Optiv’s Application Security practice, which provided application penetration testing and other software security services. With over 15 years of application security and pen testing experience, he’s able to provide practical strategies for addressing security challenges and employing advanced capabilities to enable security assessment and defense. Before joining Optiv John held consulting and engineering positions at Casaba Security, Foundstone and Internet Security Systems. He’s also a contributing author and technical editor for multiple security publications, including the Hacking Exposed series.