Despite gaining overnight popularity during the COVID-19 global outbreak, video conferencing tool ZOOM is in knee-deep trouble for various security concerns. Large companies like Tesla, Google, and Microsoft have already banned the app from being used among their employees.
The Zoom.us was also found with a significant flaw in its macOS and iOS app, which could transfer camera and microphone control to a con artist. And the latest find by BleepingComputer was that tens and thousands of Zoom users' data is being offered at a throwaway price in the black web domain.
Despite these controversies, Zoom is getting popular among millions of people around the world for educational or business purposes amid the coronavirus lockdown throughout the world. Zoom maintains that it is resolving all the existing security issues in a 90-day plan.
IBTimes SG edition interviewed Logan Kipp, the Director of Sales Engineering at SiteLock over the privacy measures undertaken by Zoom. Being a security analyst for long, Logan has also shared some concerns that every Zoom user should follow. Here is an excerpt from the interview. SiteLock is a US-based global cybersecurity company providing service to millions of sites around the world.
IBTimes SG: Many believe Zoom's simplicity is what makes it easy to abuse, is this true? Does the security have to be compromised for ease of use?
Logan: While Zoom's ease of use has made it popular among users, it would be inaccurate to blame its security issues on this [fact] alone. Finding a balance between security and usability can undoubtedly be challenging, but having a simple interface should in no way be a scapegoat for not following security's best practices. Adding security and privacy measures, or in some cases, simply changing the application's defaults to protect users against abuse, doesn't have to necessarily complicate the user experience.
For instance, in the late 1990s, credit card brands began introducing the three-to-four digit verification code to cards for added security in the card, not present payments such as online shopping. Using this verification method meant needing to type a few extra digits, but in practice provided for a substantial decrease in credit card fraud. This is an excellent example of significant companies shifting their policies and requiring users to slightly adjust their behavior for added security, one that goes almost entirely unnoticed today.
IBTimes SG: Why did Zoom lack the necessary privacy measures?
Logan: It would be easy to blame the overlooking of privacy issues on the rapid growth in adoption of remote conferencing due to the COVID-19 social distancing guidelines, but missteps, like using substandard encryption methods or electing to share data with outside entities, are decisions that would have been made at the corporate level prior to this growth. I believe the best takeaway is that large or small, companies need to adopt a proactive security approach from the very beginning, and avoid policies that could alienate, or worse, threaten the privacy and security of your consumer base.
IBTimes SG: How can users protect themselves on Zoom?
Logan: The best way for users to protect themselves is to ensure that they utilize a meeting pin and have the host admit attendees to the meeting individually. Doing this is similar to enabling Two-Factor Authentication (2FA) on a website. Even if bad actors discover a zoom meeting link, they won't be able to gain full access to the meeting.
Additionally, Zoom users should take advantage of the number of advantageous features within Zoom that help to prevent abuse. Some of these features include:
- Disabling the Join Before Host feature to prevent guests (or adversaries) from beginning your meeting without you.
- Enabling the Waiting Room feature, which allows you to admit guests on a per-person basis. This is a great way to prevent Zoombombing, which is the unwanted intrusion into a video conference by an individual looking to cause disruption.
- Locking your meeting once all of the invited guests have arrived.
IBTimes SG: What security considerations businesses should keep in mind when using telecommuting tools outside their network?
Logan: With the sudden shift to remote work, businesses should educate their employees on security best practices when working remotely and ensure that a VPN is always used when working with business-related materials.
Additionally, employees should take phishing attacks seriously during this time and not download any attachments or click on any links within an email. In many cases, employees are the primary targets for cybercriminals looking to attack small businesses. For this reason, successful phishing campaigns continue to be the number one cause of data breaches.
It is prudent for organizations to teach employees to keep security top of mind at all times and establish a protocol and communicate how documents should be handled and shared in the organization when working remotely. Nowadays, there are other resources aside from email to deliver documents, such as Box and Microsoft Teams, that create a more secure infrastructure for sharing files.
This is also the perfect time to ensure you have an incident response plan in place in the event an attack happens.
