Users Connected to a Zoom Meeting

Zoom Security Advisory

April 16, 2020 Scott Evangelist

Given the recent information that has come to light about Zoom Meetings, we wanted to share some insights and provide some simple ways you can safeguard your organization:

  • This increased scrutiny has come following a massive increase in utilization by groups/users that the product was never targeted towards (consumers, healthcare providers, and educators, for example).
    • If you’re sharing trade secrets, are a government entity, or deal with PII you should exercise increased caution and even reconsider your use of Zoom until additional security releases and assurances are made available. 
  • Zoom does not in fact utilize end-to-end encryption, but rather transport encryption. This means Zoom could theoretically view your meeting data, though they state emphatically they do not.
  • ‘Zoombombing’ can be avoided by enabling meeting passwords for all meeting types, avoiding use of Personal Meeting Rooms, and enabling the Waiting Room feature.
    • More restrictive steps to take include disabling file transfer, screensharing, and rejoining by removed attendees.
  • Ensure you keep your mobile and desktop versions up to date, as new versions are released frequently.
    • Some recent notable changes include:
      • Removal of the LinkedIn Sales Navigator integration that disclosed attendee information to the host without their consent
      • Removal of Facebook data sharing function on iOS
      • Resolution of a security issue that allowed malicious actors to use UNC links and potentially leak a user’s hashed password
  • Consider implementing Single Sign On (SSO) and Multi-Factor Authentication to provide greater access control.
    • Either through your SSO method (ex: Active Directory) or via Zoom authentication, enable password requirements including complexity and expiration.
  • Consider restricting who can access meeting recordings.

As always, Atomic Data is available to assist with best practices and implementing any of these configuration changes.