To Zoom or not to Zoom

Vendor Security / April 2, 2020 / by Dave Tyson

With the advent of our need for remote connection and collaboration, Zoom and other similar tools have rocketed to the top of the “must-have” list for most businesses’ remote workers. Any tool that is used broadly around the world will attract those who seek to misuse it and abuse it; Zoom is no different. In fact, Zoom is really no different than the iPhone or Facebook; they are digital tools, they are powerful, they have inherent risks in their use, and if used incorrectly they can be abused. 

Whether it’s fake internet Zoom domains, password issues, Zoom-based phishing attacks or internal privacy concerns, there are a host of issues to consider. Since there is no one person or entity that controls everything about a digital tool, it’s important to understand who is involved and what they are doing.

Let’s talk about the roles at play here.

Zoom

When tech companies start out, they often are not the most secure. That is just a fact of life, because founders are thinking about keeping the doors open, not about every incremental security risk. So, when a comparatively young company like Zoom rockets to prominence ahead of schedule, which is happening now, we must assume they were not ready for the security implications of this growth and ubiquitous use.

Zoom will no doubt be “running and gunning” to shut down all the holes they know about and others that are being brought to their attention, and they will be for a while, if not forever, depending on their code quality and architecture.

Zoom will need to communicate and cooperate with security teams all over the world to win the long-term battle and retain this newfound market share. Their biggest challenge may be yet to come, as Zoom has become critical to business operations and they may become targets themselves for ransomware attacks and other denial of service threats that could damage their ability to operate.

The Bad Guys

Most of the bad guys, or hackers, are generally looking to make money from your misfortune or vulnerabilities that they discover in your environment, and that companies have left open. Generally, the motivation would be to capture some private information in the chat, or copy documents being collaborated on, or eavesdrop or record a sensitive conversation, anything that allows them to somehow monetize the result. Maybe it’s as simple as trying to steal passwords to be used in a secondary attack or sold on the dark web. 

In security we have a term for things that attract large pools of people that can be attacked – it’s called a watering hole. Like on the plains of Africa, animals will walk for miles to get a drink of water because that is where the water is. This is no different: hackers will work hard to compromise digital tools like this because that is where the users are!

The Company That Uses Zoom

When companies allow their staff to use tools in the workplace, they assume some risk right away. Sometimes they understand what that risk is, and sometimes they don’t. Sometimes it’s because they have not evaluated the risk, and sometimes they don’t know it’s being used. But assuming they know it’s being used, the job should be to drive a set of circumstances where their staff utilize the tool in a way that meets the company’s acceptable risk tolerance level.

Zoom claims their product is used by 60% of the Fortune 500. We don’t know if that is one employee at a company or everyone, but we can assume it’s a lot of people, and that is good for hackers. Given that, this is a prime situation for risk assessment and a security strategy to minimize risk and respond to incidents should they arise. 

The bottom line here is that companies should evaluate the risk of Zoom and all tools they allow their staff to use and apply controls and training to users, so they use it correctly. Incidents like Zoom Bombing or other types of attacks will likely continue but they must be handled like any other IT incident, with reporting, investigation, and response to mitigate the risk.

The key message here is that the risk must be assessed; that includes the tool, the process, the data involved, the bad guy motivation, etc. All must be evaluated. A business risk decision needs to be made and appropriate controls need to be put in place. It may be settings and configuration requirements, training, or restrictions on what can be put into the system, or other such controls.

As long as the decision is made and the team executes the decision, that is the best you can do.

The User

Users are generally considered the weak link in any system because humans are prone to mistakes. Frequent communication to users regarding the need to be vigilant in their security practices is essential during a crisis, especially with new tools where the risk posture is not as well understood as other commonly used tools. Helping the user know what to do to use a tool safely, and what to do if they see an unexpected risk while using the tool is the minimum you should ask.

The Security Team

The security team is often last to know about new tools in the best of times. During a crisis, the security team will be very busy identifying attackers who will seek to do harm to the company, and by what methods. Zoom is a new platform they have to deal with, and hopefully users will share information with them when they see risky situations arise.

Zoom, and products like it, are fantastic tools. Any digital tool like these is an ecosystem unto itself, and with the right rules and governance, the risk can be managed. From a security perspective, you can download the Zoom security guide from the Zoom website and review the configuration options that can be utilized. There is significant debate on the “end-to-end” encryption offered in the Zoom connection, so I recommend you treat the platform as insecure and control what information is discussed within it.

The white paper is located here: https://zoom.us/docs/doc/Zoom-Security-White-Paper.pdf

If you would like to discuss this or any security issue, I can be reached at Dave@cisoinsights.com

So, Zoom on and drive business, just consider the risk!
