home_banner

This content is available to the public and does not require IANS login credentials. Questions? Reach out to us at ians@iansresearch.com.

Content Icon

Poll: Defend Zoom Meetings Against Attacks During COVID-19

April 2, 2020 | Ask-An-Expert Writeups | Business Productivity

Download PDF

The Challenge: Keeping Meetings Secure

As more companies use Zoom videoconferencing to meet and collaborate amid COVID-19, attackers are turning their attention to ways they can target the platform. Many large companies are asking:

  • From a settings and best practices perspective, what can companies do to defend themselves?

Here are some suggestions. They are in order of importance/effectiveness as it relates to threat actor activity people are actually seeing.

  • Problem 1: Attackers are brute-force guessing Zoom’s meeting ID.

    • Mitigation A: Use passwords (even simple ones) for your meeting.

    • Mitigation B: Enable one or more of the following settings:

      • Require a password when scheduling new meetings.

      • Require a password for instant meetings.

      • Require a password for the Personal Meeting ID (PMI).

      • Require a password for participants joining by phone.

    • Mitigation C: Enable “Only authenticated users can join meetings.”

  • Problem 2: Meeting ID with password or URL to meeting (with password) are posted publicly and disruptive people join.

    • Mitigation A:

      • Enable “Allow host to put attendee on hold.”

      • Disable “Participants video.”

      • Enable “Mute participants upon entry.”

      • Disable sharing for all participants.

      • Enable “Disable desktop/screen share for users.”

      • Disable “Annotation.”

      • Disable “Whiteboard.”

    • Mitigation B: Enable “Waiting Room.”

    • Mitigation C: Disable “Virtual backgrounds.”

  • Problem 3: Zoom renders UNC paths as clickable.

    • Mitigation: Until a patch is available, prevent NTLM credentials from being sent to remote servers.

  • Problem 4: Meeting attendees are broadcasting inappropriate content.

    • Mitigation A: Allow the host to put attendees on hold.

    • Mitigation B: Disable “Virtual backgrounds.”

  • Problem 5: Attackers can see directory information for users logging in via non-corporate email domains.

    • Mitigation: Restrict usage of personal accounts (particularly on uncommon hosted email domains).

This is a case where having security standards and policies to address all vendors and business applications will come in handy. Local system monitoring and alerting around Zoom-related network connectivity is worth analyzing, although you might not see much or be able to do anything about it.

One of the most important things is to get legal counsel and/or the organization's security committee involved for a review of legalese and related security issues.


From a purely security standpoint, Zoom does a decent job and has a number of security-related features, such as:

  • Multifactor authentication (MFA)

  • The ability to encrypt chat communications

  • Password options for meetings

End-to-end encryption is actually very difficult to do in Zoom’s environment, based on how the interaction works. I’m not saying it’s impossible, because GoToMeeting employs it. But a solid policy and stance around privacy would go a long way, such as having no ability for Zoom personnel to eavesdrop or intercept Zoom customer communications.

To Kevin's point, the top issues happen when people fail to:

  • Use a PMI.

  • Create conference bridges with passcodes associated with them.

  • Ensure the end-to-end encryption is enabled in the account (which only impacts chat sessions, not the video).

Users should set up waiting rooms and then lock the meeting once everyone has joined. Also, the host can restrict who can join a meeting by login or email domain.

 

 

Further Reading

Harden VPN, Video and IM Against Attacks Exploiting COVID-19, March 26, 2020

COVID-19 and InfoSec: What You Need to Know, April 1, 2020

Poll: Likely COVID-19-Themed Attack Vectors, March 17, 2020

Any views or opinions presented in this document are solely those of the Faculty and do not necessarily represent the views and opinions of IANS. Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our written reports, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by the client in connection with such information, opinions, or advice.


Related Research

Ransomware Preparation and Response Checklist (Updated)

Like other network events and security incidents, ransomware infections should be integrated into your overall business continuity efforts and incident response plan. This checklist steps you through the process. 

For Best Anti-DDoS Results in AWS, Use AWS Shield Advanced

Distributed denial-of-service (DDoS) attacks are a major concern for all organizations. In this Ask-an-Expert written response, IANS Faculty George Gerchow recommends Amazon Web Services (AWS) users invest in AWS Shield Advanced to get the most protection.

Exec Comms Briefing: Apple Zero-Day Flaws Target Default iOS Mail App

Newly discovered flaws in all versions of Apple's iOS allow attackers to gain full access to email within iOS' built-in Mail app. In this briefing, IANS Faculty Jake Williams explains how the flaws are exploited and offers recommendations for protecting iOS devices while we wait for Apple to roll out a patch.

DNS Filtering and Blocking Tools: An Overview

DNS filtering and blocking tools work well, but they should be considered more of an add-on vs. a primary security control. In this Ask-an-Expert written response, IANS Faculty Jake Williams explains their pros and cons, and provides an overview of top vendors in the space.