Sunday, April 12, 2020

Zoom Meeting Security


Zoom Security Concerns


We are hearing A LOT about security flaws in Zoom. Most headlines are over-hyped to encourage readership. This article explores the major threats and how to easily fix them.

Zoom security is a popular topic because Zoom has become the go-to software-as-a-service application for meetings online.

This article is mostly for people who are hosting/organizing virtual meetings, but it has value for people invited to attend them.


First, here are the things that can go wrong:

  • You're holding a private meeting that contains privileged information that you don't want plastered on a billboard on the Interstate.
  • Someone's microphone is turned on, and...
    • The attendee can control and overpower the meeting
    • The attendee has distracting background noise, such as a yapping dog, doorbell, or an incoming cell phone.
  • Someone is sharing their desktop, and it contains advertisements or other content not related to what the meeting is supposed to be about. 
  • Someone's camera is broadcasting inappropriate content. I've already heard one story from a teach about a student who had pornography running in the background... 
These are all valid concerns!

The first caution is for companies and organizations that have trade secrets or discussions that are not for public consumption. Use the "public restaurant" test: your meeting does not fit into a secretive category if you're comfortable talking about it over dinner.

The last three items are opportunities for Zoom-Bombing, much like photo-bombing. None of this harmful but it can be very very embarrassing for the host and attendees. It's a huge annoyance and a big distraction, but its only words and pictures; quickly disposed of.

Risk #1: Announcing the meeting(s)


If you publicize your meeting in Social Media (Facebook, Twitter, etc.) then that's out there for the whole world. While you have no control over what a recipient does with a message, email is still the best method to deliver the invitations.

Risk #2: Finding the meeting


The URL is easy: https://zoom.us and the rest is variable: date, time, and the 9-digit meeting number.

The final meeting piece is a password, which is now enabled by default. I generally recommend a 4-8 digit number so attendees don't have to worry about upper/lower case and special characters.

Risk #3: Entering the meeting


Once someone knows the where and when of a meeting then they still must be admitted!

The "waiting room" is the first web page they see. That, too, is now enabled by default. There are two messages: "Waiting for the Host to begin the meeting" and "Waiting for the host to admit you." I just discovered if the meeting is locked then potential attendees will only see the first message.

This means a meeting host (or co-host) has to watch the participants panel. There is literally a doorbell sound that will announce when someone wants to join the meeting. The "lock meeting" option prevents late-comers from ringing the doorbell to get in.

The host and co-hosts should have a sense of who belongs in the meeting.

Of course, all that goes for naught if you publish your meeting on Facebook then disable the password and waiting room features.

Risk #4: Meeting Etiquette


This last risk is a function/responsibility of the host. The first 2-3 minutes of any virtual meeting should be a review of what controls to push and when to use them. These are some of the items I like to review:
  • Mute button - when/how to use
  • Space Bar to press-to-talk when audio is muted
  • Stop Video button
  • Chat button (open and leave open)
The host and co-hosts must remain vigilant throughout the meeting. They need to be ready to mute someone's audio or video. Offenders can be removed from the "meeting" and placed back in the waiting room.


Zoom Meeting Security Recap


The biggest danger to your meeting is an uninvited guest dominating the meeting with inappropriate conduct or content. That "hacker" cannot infect any other attendee's computer.

Here is a summary, from Rick's perspective: Advertise the existence and date/time of your meeting judiciously, communicate directly to the people you want to attend. Then, while..

  • Setting up a meeting:
    • YES: Use a Topic Title
    • Optional: requiring registration
    • YES: Use a Randomly-Generated Meeting ID
    • YES: Require a Password
    • YES: Audio: "Computer Audio"
    • Meeting Options:
      • Turn Off "Join Before Host"
      • Optional: "Mute on Entry"
      • Turn On "Waiting Rooms"
      • Optional: "Only authenticated users can join"
      • Optional: "Record the meeting automatically"
  • Security Tab (once Meeting is started)
    • Lock Meeting = UNchecked
    • Enable Waiting Room = Checked
    • Allow Participants to:
      • Share screen = UNchecked
      • Chat = Checked
      • Rename themselves = Checked 

Then, as the meeting progresses: REMOVE NUISANCE ATTENDEES

Here is a link to Rick's earlier blog: "How to Join a Zoom meeting" (No Zoom account needed!)

No comments:

Post a Comment

Your comment will be reviewed before it is posted. Please check back later.