Things people haven't said about Zoom yet... Zoom Security Management Strategy
April 23, 2020

If you are a CISO or a security resource within your organization, you have likely gotten a few questions about Zoom in the past weeks. Is it being used? How do we use it securely? What happens if it is successfully attacked? Add to that the fact that more users are on Zoom due to the COVID-19 quarantine than were using it before the outbreak. This means that the bulk of the users are employing a product that was rapidly deployed and may have bypassed the typical safeguards for enterprise product deployments. When it comes to managing this situation as a CISO, there is a set of strategies you can employ to mitigate risk and accurately convey the organization's security posture.

An important side note: while we are focused on Zoom, many of the same types of attacks apply to other conferencing services, and as organizations look for a Zoom alternative you still need to ask the same questions about those services. At a fundamental level, the facts to review here apply to any large software suite or service:

- Who is using it and why?
- What features are we using?
- How do we secure or harden our configuration?
- How are we authenticating?
- What type of data is kept and where is it stored?
- Where are the logs and how are they monitored for security events?
- How do we know when to patch and what the update addressed?

What's probably happening at Zoom right now?

Zoom has brought in an external advisor with direct experience in situations like this, in addition to an advisory board (https://medium.com/@alexstamos/working-on-security-and-safety-with-zoom-2f61f197cb34).
This is a positive sign, which will likely lead to the standard response for an event like this: bringing in AppSec testing resources to perform a thorough assessment of the product and platform. From a Zoom user perspective, once this process starts you will see an increase in updates, along with new security feature additions. It's critical that as a security team you ensure your users are updating their clients when prompted; it's better to be two minutes late to a meeting than to join it with an insecure client.

Zoom maintains their release notes here: https://support.zoom.us/hc/en-us/sections/201214205-Release-Notes. Over the next two months it would be advisable for someone on your team to check this page daily for updates to the Zoom components you are using. Reviewing the release notes, in addition to making sure the software is up to date, will be critical, because Zoom is likely going to be adding new security features to counter various types of attacks, and you will want to be aware of them to take advantage of that functionality.

An additional consideration if there is pushback on immediate patching of the Zoom client: as these patches are released, vulnerability researchers will be examining them to determine what has changed. While Zoom itself has not given detailed disclosures of vulnerabilities, issues impacting user-controlled components can be reverse-engineered from the update by diffing the patched and unpatched binaries, and the potential for in-the-wild exploitation follows. Remember, most of the global security community is stuck at home right now looking for something to poke at, while much of the current media attention is focused on the Zoom desktop client. The platform also contains a wide range of components like XMPP, SIP, chatbots and the ZR-CSAPI. From a research perspective, that varied attack surface allows a variety of disciplines to dive in.

Situational Awareness

Can someone determine if our organization is using Zoom?
If you have a vanity URL (e.g. company.zoom.us) you can expect that an attacker interested in your organization will check whether it exists within the Zoom domain. It's also safe to assume that someone has performed subdomain enumeration of *.zoom.us with a wordlist that includes large organization names. In terms of mitigations the options are limited: if you are using SSO with Zoom you must have a vanity URL in place; there is no option to use an SSO solution without it.

Can someone discover our meetings?

While Zoom has implemented throttling of individual IPs scanning the meeting ID space, approaches using IP rotation like zWarDial have shown that it is still possible as long as an attacker routes the requests through a sufficiently large pool of source IPs. This approach isn't dependent on having access to zWarDial, and you should assume other actors are identifying live meeting IDs. Meetings can also be discovered via other routes, such as searches within Google or threat intelligence feeds for Zoom-related strings such as "zoom.us/j". While discovery is not preventable, you can take steps like employing a meeting password, requiring authenticated users and leveraging waiting rooms.

What should we do with Personal Meeting IDs?

Personal meeting IDs (PMIs) and personal links are used for static meeting rooms as a way to give them an easy-to-remember identifier. While this functionality gives internal meetings a fixed value, if actual usernames are used as personal links it makes the meeting identifier trivial to guess. Personal link names are global across the entire Zoom user population, so John Doe at company A will not be able to use that name if John Doe at company B has already taken it. Discovery of those personal links can also be narrowed down by combining employee names with a known vanity URL. In terms of best practices, it is recommended that personal meeting IDs be used for internal meetings only if discovery is a concern.
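The discovery routes above (vanity URLs, meeting IDs indexed under "zoom.us/j", personal links built from usernames) can be checked from the defender's side by scanning whatever text your organization already exposes or collects: wiki pages, ticket bodies, search-engine hits, chat exports. The script below is an added example, not Optiv's tooling or anything from Zoom; the link shapes it recognizes are the two the post describes, and the sample sources, hosts, meeting IDs and password value are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One regex for both link shapes the post mentions: join links
# (https://company.zoom.us/j/1234567890?pwd=...) and personal links
# (https://zoom.us/my/jane.doe). The host group accepts zoom.us itself or
# any vanity subdomain of it.
ZOOM_LINK = re.compile(
    r"https?://(?P<host>(?:[a-z0-9-]+\.)*zoom\.us)"
    r"/(?P<kind>j|my)/(?P<target>[A-Za-z0-9._-]+)"
    r"(?:\?(?P<query>[^\s\"'<>]*))?",
    re.IGNORECASE,
)


@dataclass
class Finding:
    source: str                # where the link was seen (page, ticket, export)
    host: str
    kind: str                  # "j" = meeting-ID join link, "my" = personal link
    target: str                # meeting ID or personal link name
    vanity: Optional[str]      # vanity subdomain, which confirms the tenant
    embedded_password: bool    # link carries ?pwd=, so the link alone grants entry
    issues: List[str] = field(default_factory=list)


def classify(source: str, m: "re.Match[str]") -> Finding:
    host = m.group("host").lower()
    kind = m.group("kind").lower()
    query = m.group("query") or ""
    vanity = host[: -len(".zoom.us")] if host != "zoom.us" else None
    embedded = re.search(r"(?:^|&)pwd=", query) is not None
    f = Finding(source, host, kind, m.group("target"), vanity, embedded)
    if vanity:
        f.issues.append(f"vanity URL {host} confirms the organization's Zoom tenant")
    if kind == "my":
        f.issues.append("static personal link: long-lived, name-based, easy to guess")
    if embedded:
        f.issues.append("meeting password embedded in link: the link alone grants entry")
    elif kind == "j":
        f.issues.append("meeting ID exposed: relies on password, waiting room or authentication settings")
    return f


def scan(source: str, text: str) -> List[Finding]:
    """Return one Finding per Zoom link found in text."""
    return [classify(source, m) for m in ZOOM_LINK.finditer(text)]


# Constructed sample text standing in for a wiki page, a mail archive, a ticket
# and a chat export; hosts, IDs and the password value are made up.
SAMPLE_SOURCES: Dict[str, str] = {
    "wiki/standup": "Daily standup: https://examplecorp.zoom.us/j/9876543210?pwd=YWJjZGVmZ2hp",
    "mail/2020-04-20": "Grab me at https://zoom.us/my/john.doe whenever you are free.",
    "ticket/42": "Vendor call https://zoom.us/j/1234567890 (password sent separately)",
    "slack/general": "Nothing to see here, just https://example.com/zoom-policy",
}


def scan_sources(sources: Dict[str, str] = SAMPLE_SOURCES) -> List[Finding]:
    findings: List[Finding] = []
    for src, text in sources.items():
        findings.extend(scan(src, text))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Counts a CISO can report: exposed links by category."""
    return {
        "links": len(findings),
        "vanity_hosts": len({f.host for f in findings if f.vanity}),
        "personal_links": sum(f.kind == "my" for f in findings),
        "password_in_link": sum(f.embedded_password for f in findings),
    }


if __name__ == "__main__":
    found = scan_sources()
    for f in found:
        print(f"{f.source}: {f.host}/{f.kind}/{f.target} -> {'; '.join(f.issues)}")
    print(summarize(found))
```

Feed it real text by replacing SAMPLE_SOURCES with whatever you collect; the "password embedded in link" finding is the one that should drive the "Embed password in meeting link for one-click join: Disabled" setting recommended later in this post, since with that setting on, every indexed or forwarded link is also the password.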
Like any other meeting, they should also use a password. Since the focus on meeting discovery is high at the moment, it may be best to avoid static meeting identifiers altogether and employ randomly generated meeting IDs.

How should our meetings be set up?

The core rules to follow at the moment are: use a Zoom-generated ID to prevent long-term association of that ID with your meetings, enable feature control capabilities as the meeting host, and, most importantly, use passwords and other authentication options to control access to the meeting itself. While having a password assigned to the meeting does mitigate some of the worries around discovery, we can't predict vulnerabilities that may appear in the near future, and using a random ID provides some mitigation against targeted attacks. We are also going to disable most of the non-fundamental features that Zoom provides, under the following assumptions:

- Zoom is being used for video conferencing and screen sharing only
- There are no requirements to retain conference recordings
- Other services exist to replace features like chat

What settings should we pay attention to in the Admin Portal?

If you are using an enterprise-level Zoom account with access to the Admin Portal you will have additional configuration options. Admins have the ability to enforce most of the user-level settings we would be concerned with in a security context, as well as other components like Zoom Rooms. As with the user-level settings, we are assuming that the use case in the current climate will be purely video conferencing and screen sharing, with other subsystems like chat and file transfer disabled. Of these subsystems, chat is probably going to be the most heavily utilized in meetings with users outside of your organization. If it is leveraged heavily enough to need to be enabled, then include some security awareness training along with it.
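Enforcing settings from the Admin Portal is only half of the job; you also want to know when a user's effective settings have drifted from the baseline (a user with permission to change their own settings, a new user created before the account-level lock was applied, a field the account tier does not expose). The script below is an added example, not code from Optiv or Zoom: it compares per-user settings documents against a baseline distilled from the recommended settings given later in this post. The section and field names mirror the JSON that Zoom's user settings API (GET /v2/users/{userId}/settings) returns; they are an assumption here and should be confirmed against the current API reference before the output is used for enforcement. The two user documents are constructed for the example.

```python
import copy
from typing import Any, Dict, List, Tuple

# Baseline distilled from the recommended user settings in this post. The
# section/field names are assumed to match Zoom's user settings API response;
# verify them against the API reference before trusting the output.
BASELINE: Dict[Tuple[str, str], Any] = {
    ("schedule_meeting", "join_before_host"): False,
    ("schedule_meeting", "use_pmi_for_scheduled_meetings"): False,
    ("schedule_meeting", "use_pmi_for_instant_meetings"): False,
    ("schedule_meeting", "require_password_for_scheduling_new_meetings"): True,
    ("schedule_meeting", "require_password_for_instant_meetings"): True,
    ("schedule_meeting", "require_password_for_pmi_meetings"): "all",
    ("schedule_meeting", "embed_password_in_join_link"): False,
    ("schedule_meeting", "pstn_password_protected"): True,
    ("schedule_meeting", "mute_upon_entry"): True,
    ("in_meeting", "chat"): False,
    ("in_meeting", "private_chat"): False,
    ("in_meeting", "auto_saving_chat"): False,
    ("in_meeting", "file_transfer"): False,
    ("in_meeting", "feedback"): False,
    ("in_meeting", "polling"): False,
    ("in_meeting", "who_can_share_screen"): "host",
    ("in_meeting", "annotation"): False,
    ("in_meeting", "whiteboard"): False,
    ("in_meeting", "remote_control"): False,
    ("in_meeting", "non_verbal_feedback"): False,
    ("in_meeting", "allow_participants_to_rename"): False,
    ("in_meeting", "breakout_room"): False,
    ("in_meeting", "remote_support"): False,
    ("in_meeting", "far_end_camera_control"): False,
    ("in_meeting", "waiting_room"): True,
    ("in_meeting", "show_browser_join_link"): True,
    ("recording", "local_recording"): False,
    ("recording", "cloud_recording"): False,
    ("recording", "auto_recording"): "none",
}

MISSING = object()  # sentinel: field absent from the settings document


def audit(settings: Dict[str, Any], baseline=BASELINE) -> List[Dict[str, Any]]:
    """One record per baseline item that is absent or differs.

    Absent fields are reported rather than skipped: a missing field usually
    means the account tier or API version does not expose it, which is a gap
    to follow up on, not a pass."""
    deviations: List[Dict[str, Any]] = []
    for (section, key), expected in baseline.items():
        actual = settings.get(section, {}).get(key, MISSING)
        if actual != expected:
            deviations.append({
                "setting": f"{section}.{key}",
                "expected": expected,
                "actual": "<missing>" if actual is MISSING else actual,
            })
    return deviations


def _from_baseline(flat: Dict[Tuple[str, str], Any]) -> Dict[str, Dict[str, Any]]:
    """Build a nested settings document shaped like the API response."""
    out: Dict[str, Dict[str, Any]] = {}
    for (section, key), value in flat.items():
        out.setdefault(section, {})[key] = value
    return out


# Constructed sample: one user matching the baseline and one showing the kind
# of drift a self-service user creates (chat back on, password embedded in the
# join link, cloud recording enabled) plus a field missing from the document.
COMPLIANT = _from_baseline(BASELINE)
DRIFTED = copy.deepcopy(COMPLIANT)
DRIFTED["in_meeting"]["chat"] = True
DRIFTED["schedule_meeting"]["embed_password_in_join_link"] = True
DRIFTED["recording"]["cloud_recording"] = True
del DRIFTED["in_meeting"]["waiting_room"]

SAMPLE_USERS: Dict[str, Dict[str, Any]] = {
    "alice@example.com": COMPLIANT,
    "bob@example.com": DRIFTED,
}


def audit_users(users=SAMPLE_USERS) -> Dict[str, List[Dict[str, Any]]]:
    return {email: audit(doc) for email, doc in users.items()}


if __name__ == "__main__":
    for email, devs in audit_users().items():
        print(f"{email}: {'OK' if not devs else str(len(devs)) + ' deviation(s)'}")
        for d in devs:
            print(f"  {d['setting']}: expected {d['expected']!r}, got {d['actual']!r}")
```

In practice you would populate SAMPLE_USERS from a per-user export (one settings document per account) and run the audit on a schedule, treating any non-empty result as a ticket; the Zoom Rooms and account-level sections later in this post can be encoded the same way with their own baseline dictionaries.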
Communication with other internal users should be over the existing enterprise chat solution, and users should follow the same rules with Zoom chats as they would with external emails in terms of acceptable content.

Best Practices

Aggressive Patch Management

Whatever mechanism you need to utilize to make sure your endpoints have up-to-date Zoom software, execute on it. Users should be trained to accept the Zoom updates when launching, even if it causes a delay in joining a meeting.

Disable Features Not in Use

Always a good rule, especially given the high profile Zoom has at the moment. Attack surface management applies to Zoom as to any other enterprise product. When functionality is enabled it should be for a required use case, and features enabled by default that are not used should be disabled.

Manage Meeting Data

- Meeting recordings that aren't being used should be deleted.
- If you don't need to use Zoom's cloud storage for recordings, then a conservative approach would be to migrate that data off of the platform for now.
- Be aware of when 3rd parties are recording your Zoom session. "Is it OK if we record this meeting?" Train your users that it's OK to say no to recording a meeting they are participating in.
Treat recorded meetings like any third party holding your data, and consider what you say in a meeting to be "on the record." While participants could still record the meeting via other mechanisms, this policy at least ensures the recording isn't in the standard storage location, where an attacker would look first if the Zoom account were to be breached.

Recommended Settings for User Profile

Profile (https://zoom.us/profile)
- Host Key: change it if you haven't updated it recently
- Personal Link: blank

Settings (https://zoom.us/profile/setting)
- Use Personal Meeting ID (PMI) when scheduling a meeting: Disabled
- Use Personal Meeting ID (PMI) when starting an instant meeting: Disabled
- Require a password for Personal Meeting ID (PMI): Enabled / All meetings using PMI

Meetings / Personal Meeting Room (https://zoom.us/meeting)
- Enable join before host: Unchecked
- Mute participants upon entry: Checked
- Enable Waiting Room: Checked
- Only authenticated users can join: Checked / Sign in with specified domain for your org
- Record the meeting automatically: Unchecked

Meetings / Schedule a new meeting (https://zoom.us/meeting/schedule)
- Meeting ID: Generate Automatically
- Meeting Password: Require meeting password checked
- Enable join before host: Unchecked
- Mute participants upon entry: Checked
- Enable Waiting Room: Checked
- Only authenticated users can join: Checked
- Record the meeting automatically: Unchecked

Recordings (https://zoom.us/recording)
- Delete any that aren't required by the organization

Settings / Meeting (https://zoom.us/profile/setting)
- Join before host: Disabled
- Only authenticated users can join: Enabled
- Only authenticated users can join meetings from Web client: Enabled
- Require a password when scheduling new meetings: Enabled
- Require a password for instant meetings: Enabled
- Embed password in meeting link for one-click join: Disabled
- Require password for participants joining by phone: Enabled
- Mute participants upon entry: Enabled
- Require Encryption for 3rd Party Endpoints: Enabled
- Chat: Disabled / Prevent participants from saving chat checked
- Private Chat: Disabled
- Auto Saving Chats: Disabled
- Play sound when participants join or leave: Disabled
- File transfer: Disabled
- Feedback to Zoom: Disabled
- Display end-of-meeting survey: Disabled
- Polling: Disabled
- Screen sharing: Host Only
- Annotation: Disabled
- Whiteboard: Disabled
- Nonverbal feedback: Disabled
- Allow removed participants to rejoin: Disabled
- Allow participants to rename themselves: Disabled
- Breakout Room: Disabled
- Remote support: Disabled
- Captioning: Disabled unless actually needed
- Far end camera control: Disabled
- Save captions: Disabled
- Identify guest participants in the meeting/webinar: Enabled
- Waiting Room: Enabled
- Show a "Join from your browser" link: Enabled
- Blur snapshot on iOS task switcher: Enabled

Settings / Recording
- Local Recording: Disabled
- Cloud Recording: Disabled
- Automatic Recording: Disabled
- Only authenticated users can view cloud recordings: Enabled
- Require password to access shared cloud recordings: Enabled
- The host can delete cloud recordings: Enabled
- Recording disclaimer: Enabled, both options checked
- Multiple audio notifications of recorded meeting: Enabled

Zoom Account Admin

User Management (https://zoom.us/account/user#/)
- Join before host: Disabled
- Use Personal Meeting ID (PMI) when scheduling a meeting: Disabled
- Use Personal Meeting ID (PMI) when starting an instant meeting: Disabled
- Only authenticated users can join meetings: Enabled
- Only authenticated users can join meetings from Web client: Enabled
- Require a password when scheduling new meetings: Enabled
- Require a password for instant meetings: Enabled
- Require a password for Personal Meeting ID (PMI): Enabled
- Embed password in meeting link for one-click join: Disabled
- Require password for participants joining by phone: Enabled
- Mute participants upon entry: Enabled
- Require Encryption for 3rd Party Endpoints (H323/SIP): Enabled
- Chat: Disabled
- Private Chat: Disabled
- Auto Saving Chats: Disabled
- Play sound when participants join or leave: Disabled
- File Transfer: Disabled
- Feedback to Zoom: Disabled
- Display end-of-meeting experience feedback survey: Disabled
- Polling: Disabled
- Screen Sharing: Host Only
- Annotation: Disabled
- Whiteboard: Disabled
- Remote Control: Disabled
- Allow removed participants to rejoin: Disabled
- Breakout room: Disabled
- Remote Support: Disabled
- Closed captioning: Disabled unless needed
- Far end camera control: Disabled
- Identify guest participants in the meeting/webinar: Enabled
- Auto-answer group in chat: Disabled
- Waiting Room: Enabled / All Participants
- Show a "Join from your browser" link: Enabled
- Blur snapshot on iOS task switcher: Enabled

Room Management (https://zoom.us/location)
- Room Passcode: Set
- Require Code to Exit: Enabled
- Hide Room in Contacts: Enabled
- Device Operation Time: Set for business hours
- Room Personal Link: Leave blank
- Host Key: Set
- Zoom Room Admins: Verify emails

Account Settings / Meeting (https://zoom.us/account/setting?tab=meeting)
- Automatically accept incoming call and far end camera control: Disabled
- Transform all meetings to private: Enabled
- Hide host and meeting ID from private meetings: Enabled
- Always Turn Zoom Rooms Video On for Internal Meetings: Disabled
- Automatic start scheduled meetings: Disabled
- Encrypt direct share content: Enabled
- Show call history in Zoom Rooms: Disabled
- Send Whiteboard to internal contacts only: Enabled
- Use Personal Meeting ID (PMI) when starting an instant meeting: Disabled
- Require a password when scheduling new meetings: Enabled
- Require a password for instant meetings: Enabled
- Require a password for Room Meeting ID (applicable for Zoom Rooms only): Enabled
- Chat: Disabled
- Private Chat: Disabled
- Auto saving chats: Disabled
- Enable chat notifications on TV: Disabled
- Allow host to put attendee on hold: Disabled
- Annotation: Disabled
- Polling: Disabled
- Breakout room: Disabled
- File transfer: Disabled
- Far end camera control: Disabled
- Waiting room: Enabled
- Cloud recording: Disabled
- Local recording: Disabled
- Automatic recording: Disabled
- Require password to access shared cloud recordings: Enabled
- Recording disclaimer: Enabled
- Multiple audio notifications of recorded meeting: Enabled
- Cloud recording for instant meetings: Disabled
- Require Encryption for 3rd Party Endpoints (H323/SIP): Enabled
- Require password for participants joining by phone: Enabled
- Bypass the password when joining meetings from meeting list: Disabled

Account Settings (https://zoom.us/account/setting)
- Only authenticated users can join meetings: Enabled
- Only authenticated users can join meetings from Web clients: Enabled
- Require a password when scheduling new meetings: Enabled
- Require a password for instant meetings: Enabled
- Require a password for Personal Meeting ID (PMI): Enabled
- Require a password for Room Meeting ID (applicable for Zoom Rooms only): Enabled
- Embed password in meeting link for one-click join: Disabled
- Require password for participants joining by phone: Enabled
- Meeting password requirement: minimum length 10 characters; check all complexity options except "Only allow" (the numeric-only option)
- Bypass the password when joining meetings from meeting list: Disabled
- Require Encryption for 3rd Party Endpoints (H323/SIP): Enabled
- Chat: Disabled
- Private chat: Disabled
- Auto saving chats: Disabled
- File transfer: Disabled
- Feedback to Zoom: Disabled
- Display end-of-meeting experience feedback survey: Disabled
- Polling: Disabled
- Annotation: Disabled
- Whiteboard: Disabled
- Nonverbal feedback: Disabled
- Allow removed participants to rejoin: Disabled
- Allow participants to rename themselves: Disabled
- Breakout room: Disabled
- Closed captioning: Disabled unless needed
- Save Captions: Disabled
- Far end camera control: Disabled
- Identify guest participants in the meeting/webinar: Enabled
- Waiting room: Enabled
- Show a "Join from your browser" link: Enabled
- Blur snapshot on iOS task switcher: Enabled
- Allow users to contact Zoom's Support via Chat: Disabled

IM Management (https://zoom.us/account/imgroup)
- File transfer: Disabled
- Code Snippet: Disabled
- Enable advanced chat encryption: Enabled
- Cloud storage: Disabled
- Delete local data: Disabled
- Store edited and deleted message revisions: Disabled

Advanced / Security (https://zoom.us/account/setting/security)
- Basic Password Requirement: aligned to organization standards
- Enhanced Password Rules: aligned to organization standards
- Enable advanced chat encryption: Enabled
- Users need to sign in again after a period of inactivity: aligned to usage (e.g. 60 minutes)
- Users need to input Host Key to claim host role, with a key length of over 6: currently in beta
- Sign in with Two-Factor Authentication: Enabled
- Single Sign-On: use if available

By: Woodrow Brown, Vice President, Research & Development | Optiv
Woodrow Brown has over twenty years of leadership, service delivery and research experience. As vice president of research and development at Optiv, Brown's team analyzes market and technical trends, providing continuous input into Optiv's solution roadmap. Cutting through industry spin, Brown delivers research that provides an accessible understanding of how security technologies can provide optimal business outcomes.

By: John Bock, Senior Research Scientist | Optiv
John Bock is a Senior Research Scientist for Optiv Inc., where he focuses on the emergent security landscape and threats to new, security-immature technologies. Prior to this role, John was the leader of Optiv's Application Security practice, which provided application penetration testing and other software security services. With over 15 years of application security and pen testing experience, he is able to provide practical strategies for addressing security challenges and employing advanced capabilities to enable security assessment and defense. Before joining Optiv, John held consulting and engineering positions at Casaba Security, Foundstone and Internet Security Systems. He is also a contributing author and technical editor for multiple security publications, including the Hacking Exposed series.

Tags: Threat, COVID-19, Remote Work, Vulnerability Management