Things to consider before using Zoom

The recent events of COVID-19 have seen a significant rise in teleconferencing usage, with many organisations, such as government departments, schools and health practitioners, using a range of tools to support business as usual.

One such tool that has received considerable negative media attention is Zoom. A number of vulnerabilities were highlighted by cyber security researchers, which bring into question whether Zoom is a suitable product for organisations to use.

There is no question that Zoom performs well when it comes to user experience and breakout rooms to support online training and education. However, before deciding whether to use Zoom for general use there are some considerations you need to think about:

  1. What will you be using Zoom for?

Zoom's own documentation stated that meetings are protected with Advanced Encryption Standard (AES) 256-bit encryption, with connections to its servers carried over TLS 1.2. Researchers who examined the actual traffic found that the keys in use were 128 bits long, not 256, and that AES was being applied in Electronic Codebook (ECB) mode. AES-128 is still a strong cipher and the key length is not the real problem; there are two considerations to note:

  • ECB mode is not suitable for video conferencing, or for much else: it encrypts every 16-byte block independently under the same key, so identical blocks of plaintext produce identical blocks of ciphertext and patterns in the audio or video survive into the encrypted stream
  • Cryptographic keys are generated and distributed by Zoom's servers, some of which are located offshore.

Zoom has said it is moving to AES in Galois/Counter Mode (GCM), which does not leak patterns in this way and also authenticates each packet, so tampering with the encrypted stream can be detected.
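To make the difference between the two modes concrete, here is a small Go program added for this article; it is not Zoom's code and was not part of the original piece. It encrypts a constructed stand-in for one video frame (a flat background with a small region of detail) with AES-128 in ECB mode and then with AES-GCM, and counts how many distinct ciphertext blocks each produces. It also shows GCM rejecting a single flipped bit, which ECB cannot do. Go's standard library deliberately ships no ECB mode, so ECB is assembled by hand from the raw block cipher. The key, nonce and frame contents are assumptions chosen for the demonstration only; the real Zoom media format is not reproduced.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// encryptECB encrypts plaintext block by block under one key with no chaining.
// Go's standard library deliberately offers no ECB mode, so it is assembled
// here from cipher.Block to reproduce the weakness. The plaintext must be a
// whole number of blocks; the sample frame below is built to fit.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // 16-byte key => AES-128, 32-byte key => AES-256
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize() // always 16 for AES, whatever the key length
	if len(plaintext)%bs != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), bs)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// encryptGCM encrypts and authenticates with AES-GCM. The nonce is passed in
// so the result is reproducible here; in a real system it must be unique per
// message under a given key. Output is ciphertext followed by a 16-byte tag.
func encryptGCM(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, nil), nil
}

// decryptGCM reverses encryptGCM and fails if the ciphertext or tag was
// modified, which is the integrity property ECB lacks entirely.
func decryptGCM(key, nonce, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, nil)
}

// distinctBlocks counts the different bs-byte blocks in a ciphertext. Under
// ECB, equal plaintext blocks give equal ciphertext blocks, so a repetitive
// frame produces a small count; a sound mode gives a different block at
// every position.
func distinctBlocks(ct []byte, bs int) int {
	seen := make(map[string]struct{})
	for i := 0; i+bs <= len(ct); i += bs {
		seen[string(ct[i:i+bs])] = struct{}{}
	}
	return len(seen)
}

// sampleFrame is a constructed stand-in for one video frame (assumption, not
// Zoom's format): 60 blocks of a flat background colour followed by 4 blocks
// that differ from each other, standing in for a region with detail.
func sampleFrame() []byte {
	background := bytes.Repeat([]byte{0x10, 0x20, 0x30, 0x40}, 4) // one 16-byte block
	frame := bytes.Repeat(background, 60)
	for i := 1; i <= 4; i++ {
		frame = append(frame, bytes.Repeat([]byte{byte(i)}, 16)...)
	}
	return frame
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 16)  // fixed demo key: 16 bytes, so AES-128
	nonce := bytes.Repeat([]byte{0x07}, 12) // fixed demo nonce; never reuse in practice
	frame := sampleFrame()

	ecb, _ := encryptECB(key, frame)
	gcm, _ := encryptGCM(key, nonce, frame)

	fmt.Printf("frame blocks: %d\n", len(frame)/16)
	fmt.Printf("distinct ciphertext blocks, ECB: %d\n", distinctBlocks(ecb, 16))
	fmt.Printf("distinct ciphertext blocks, GCM: %d\n", distinctBlocks(gcm[:len(frame)], 16))

	tampered := append([]byte(nil), gcm...)
	tampered[0] ^= 0x01
	_, err := decryptGCM(key, nonce, tampered)
	fmt.Printf("GCM rejects a flipped bit: %v\n", err != nil)
}
```

Running it shows 5 distinct ciphertext blocks out of 64 under ECB, exactly mirroring the 5 distinct plaintext blocks, against 64 under GCM. That is what "patterns survive encryption" means in practice: an eavesdropper who captures the ECB stream does not need the key to see which parts of the picture are static and which are changing.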

What this means for you

Until the change of mode has been rolled out, organisations need to consider the sensitivity of the discussions they hold over Zoom, because anyone able to capture the encrypted media stream can learn about its structure without knowing the key.

As the encryption keys are held offshore, the content they protect can be obtained through compelled-disclosure orders issued under the laws of the countries where the keys are located, which could also have privacy implications.

The new mode of encryption will still not be end-to-end: the cryptographic keys will still be generated and held on Zoom's servers offshore, where they are accessible to Zoom and to any third party able to compel or compromise it.

Our tips to be cyber secure:

  • Have a clear policy in your organisation that dictates the level of discussions that may be held over Zoom
  • Make sure Zoom's advanced chat encryption setting is enabled; note that it protects in-meeting chat only, not the audio and video streams.

  2. Will I be affected by Privacy Laws?

It is important to remember that regardless of where information is stored, if it is yours, you remain responsible for it. Unless you are using the enterprise version with Zoom servers set up in your private network, you will potentially be sending information offshore. When recording to the Zoom cloud, your recording may be stored on offshore servers. Although Zoom uses geographical fencing and prefers data centres as close to the host as possible, if there are availability issues a meeting hosted from Australia could be routed through Singapore, Hong Kong or Japan.

Personally Identifiable Information (PII) might be sent offshore if you record to the Zoom cloud. Depending on the level of discussion or functionality you use (e.g. file sharing, chat), sensitive information might also be sent offshore, which has more serious implications and stringent mitigation requirements under both state and federal legislation.

Zoom gives users the option to record locally to their own device, but organisations will need to ensure staff know how to select this in the settings, as it may not be what their account does by default.

The enterprise versions of Zoom still rely heavily on infrastructure outside of Australia and, therefore, many of the regulations they adhere to are US-centric and do not consider Australian Privacy Laws.

What this means for you

It is important that you maintain positive control of PII and sensitive information. Such information is a frequent target for cyber criminals, who sell it on the dark web where it is used for identity fraud; sensitive health information is particularly sought after. A data breach of information your organisation is meant to control can result in serious reputational damage and significant fines.

If you are a paying Zoom customer, you have the option to choose where your meeting is routed through and stored. You will need to select your location on setup and, depending on availability, this may not be guaranteed. Serious consideration to these implications needs to be given when recording to Zoom cloud.

Local recording to a device mitigates the risk of sending PII or sensitive information offshore. This makes it the user’s responsibility to ensure each meeting setting is configured properly. Additionally, organisations need to consider the implications of staff recording sensitive information to personal devices and how the information will be securely stored and transferred.

Our tips to be cyber secure:

  • If you are going to record meetings or chats, configure the session to record locally, and password protect/encrypt the recording
  • If you are not hosting the meeting, ask the host to configure the meeting settings so that all participants are notified when recording starts
  • Use internal methods for file sharing or transfer; if you must send a password-protected file by email, send the password by a separate channel such as a phone call
  • Consider using the on-premises enterprise version of Zoom for Telehealth and Zoom for Education to significantly reduce the risk of human error.

  3. Zoom options

There are three forms of Zoom: the installed application, the browser-based web client and an enterprise version. The application and web client are available free. As indicated, the enterprise version gives the option to host Zoom servers within your own network, which lets an organisation manage its own recordings and encryption keys, but comes at a price. The application and web client each have pros and cons.

What this means for you

When you introduce a new application into your network the most important consideration is patching. Given the considerable changes Zoom is making to its security, there are likely to be more updates than usual, and organisations will need to make sure everyone moves to the latest version promptly. Unpatched applications are one of the most common ways cyber criminals breach a network.

Using the web client can expose users to malicious sites posing as the real thing. Browsers should be configured to enforce HTTPS, and users should check that a join link actually points at a genuine Zoom domain before entering credentials or meeting details. Phishing is one of the most common ways an organisation's network is breached, so everyone needs to be aware of the risks and be supported with the right controls.

Our tips to be cyber secure:

  • Using the web client reduces the burden on internal IT of keeping an installed application patched on every device
  • If you are paying for Zoom, consider setting up the on-premises version to maintain positive control of your information and encryption keys
  • Make someone responsible for tracking Zoom updates and reminding users to install them; where devices are centrally managed, push the update rather than relying on reminders.

  4. Access controls

Access controls are the area of Zoom's operational security that has attracted the most attention, so much so that a name was coined for the attack: "zoombombing", where uninvited participants join a meeting to disrupt it. Zoom has responded by lengthening meeting IDs to 11 digits and embedding a randomly generated password in each meeting's invite URL, so an uninvited user must know both the meeting ID and the password to get in. The trade-off is that the invite link itself becomes the secret: anyone it is forwarded to, or who finds it posted publicly, can join. Given the surge in Zoom usage, there is also likely to be a surge in cyber criminals looking to exploit users.

What this means for you

It is not just about access to Zoom. Users should consider how they manage access to other important applications and accounts on their devices. Cyber criminals may enter through one area (Zoom) but quickly pivot and exploit another application or account on your device/network if it is not adequately protected.

Our tips to be cyber secure:

  • If you only do one thing, ensure multi-factor authentication (MFA) is turned on across all accounts and applications (e.g. email, social media)
  • Enable the waiting room feature for meetings so you can control who is let in, and lock the meeting once everyone you expect has joined
  • Keep your Personal Meeting ID and its URL private, and use a randomly generated meeting ID for any meeting with people you do not know.

Conclusion 

During this uncertainty of working remotely, Zoom is providing a means for healthcare providers, schools and organisations to deliver services that may not have been possible otherwise. There are vulnerabilities with everything, so be smart, be informed, and mitigate the risk with some of the basic measures discussed.

Matthew Bunker, BDO cyber team
