Zoom Security Settings

Many of us have moved (or are moving) to a “Work From Home” model, which introduces the need to leverage collaboration tools like Zoom, Slack, Microsoft Teams and others to help us stay connected and continue to “do business”. The problem is, if you rush to use these new platforms without taking into consideration the security implications, you could end up putting yourself, your business and your customers in a very precarious position.

Zoom has seen rapid uptake in recent weeks, and with that has come heavy scrutiny from security researchers and the media, a by-product of potential security flaws and a spike in what’s referred to as “Zoom Bombing”: a practice where uninvited guests jump into your Zoom conference call and display pornographic material, or simply record what is otherwise a private conversation.

References:

  • https://threatpost.com/two-zoom-zero-day-flaws-uncovered/154337/
  • https://techcrunch.com/2020/04/01/zoom-doom/
  • https://www.tomsguide.com/news/zoom-security-privacy-woes

Whilst many of these security issues will not affect most users, there are still some settings you might want to tweak to protect yourself against the sorts of malarkey you may otherwise be exposed to.

Don’t use your Personal Meeting ID

Zoom makes it really easy to run meetings and just give out the same number over and over again. The problem with this approach is that once someone has your Personal Meeting ID (PMI), that person can jump into your meeting whenever you are using it – even if they are not meant to be in that meeting.

Always create a new meeting ID to avoid people being able to jump into a meeting they are not meant to be in!

Set a PIN/Password

Whilst the meeting ID in Zoom is pretty damn long, with so many people using it presently it is possible to guess an active meeting ID. To overcome this potential risk, simply ensure you set a meeting password. It’s as simple as making sure the box is ticked when you schedule a meeting!

Enable the Meeting Waiting Room

If you promote your Zoom event out to the public via an eBlast or something, all it takes is for someone to grab the URL/link or meeting ID and jump in. By enabling the waiting room, the host of the meeting has to accept attendees into the main meeting when they join.

Obviously this can be a little bit painful if you’re running a webinar with 100 participants, but if you’re running a small group chat which should remain private, this will ensure that only those who should join can.

Enable Two Factor Authentication

Enabling Multi-Factor Authentication (MFA) or 2 Factor Authentication (2FA) on important platforms should be gospel. If the system supports MFA/2FA, turn it on.

To do this you’ll need to log into the Zoom.us website. You’ll find the option under Admin->Security.

Use Unique, Long, Complex Passwords

If you share a Zoom account between multiple people, two factor authentication gets a little more complex. If that’s the case, make sure you set very long, complex passwords!

You can also set minimum standards for all users, again via the Zoom.us website.

Other settings you should consider

There are a couple of other settings you can configure for your own profile from within the Zoom.us website. Just go to the Personal section then Settings.

The settings I would recommend enabling include:

  • Require a password when scheduling new meetings
  • Require a password for instant meetings
  • Require a password for Personal Meeting ID (PMI)
  • Require Encryption for 3rd Party Endpoints (H323/SIP)
  • Prevent participants from saving chat
  • Screen sharing -> Who can share? -> Host only
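One way to check a batch of user profiles against the settings recommended in this article, including the PMI, waiting room and two factor recommendations from the earlier sections. This is an added example, not part of the original post and not Zoom's own tooling; the setting key names and the sample profiles are constructed for illustration and do not correspond to Zoom's API or export fields.

```python
# Added example. Key names are hypothetical labels for the settings this
# article recommends; they are not Zoom's API or export field names.
BASELINE = {
    "use_pmi_for_meetings": False,
    "waiting_room": True,
    "two_factor_auth": True,
    "password_scheduled_meetings": True,
    "password_instant_meetings": True,
    "password_pmi": True,
    "encrypt_third_party_endpoints": True,
    "prevent_saving_chat": True,
    "who_can_share_screen": "host_only",
}
MISSING = "<not set>"


def audit_profile(settings):
    """Return (setting, expected, actual) for every deviation from BASELINE.

    A setting absent from the profile is reported rather than assumed safe.
    """
    findings = []
    for key, expected in BASELINE.items():
        actual = settings.get(key, MISSING)
        if actual != expected:
            findings.append((key, expected, actual))
    return findings


def audit_accounts(profiles):
    """Map each non-compliant user to their list of deviations."""
    report = {}
    for user, settings in profiles.items():
        findings = audit_profile(settings)
        if findings:
            report[user] = findings
    return report


# Constructed sample data: one compliant profile and one that reuses the PMI,
# lets everyone share their screen, and has no waiting room value at all.
_bob = {k: v for k, v in BASELINE.items() if k != "waiting_room"}
_bob.update(use_pmi_for_meetings=True, who_can_share_screen="all_participants")
SAMPLE_PROFILES = {"alice@example.com": dict(BASELINE), "bob@example.com": _bob}

if __name__ == "__main__":
    for user, findings in audit_accounts(SAMPLE_PROFILES).items():
        for key, expected, actual in findings:
            print(f"{user}: {key} is {actual!r}, expected {expected!r}")
```
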

What about the security issues?

The sad reality is that most common video conferencing solutions have, at some point, had horrible security bugs. Some of this has to do with the way in which these systems “hook into” your computer system or mobile device. Some of the big names have had bugs so bad that if you simply had their software installed and visited a website with malicious code on it, your computer would be compromised and under the control of a remote attacker.

Many of the security flaws in Zoom that have been hitting the media relate specifically to the Apple macOS version of the software, which hasn’t had a good history as far as bugs are concerned.

If you go looking hard enough, most software has bugs. Because Zoom has become so popular, it is a big target with a good chance of reward for anyone wanting cheap thrills or to cause chaos. If you maintain a minimum standard for cyber security (good passwords, multi-factor authentication, safe browsing on your work computer, etc.) then you minimise the chance that these types of risks will be realised.

Need help working from home safely and securely?

We specialise in helping our clients and partners work safely and securely. Whether you’re a small to mid sized business wanting someone to keep an eye over their mobilised workforce or a Managed Service Provider (MSP) looking for an independent and non competitive partner to provide their clients with peace of mind, we’re here to help.
