zoom

By David Kane, Ethical Intruder

While remote work has become a necessity for all, one company has really come to the forefront of communications and collaboration, and that is Zoom. To be clear, Zoom is not the only tool on the market, but its ease of use and free video conferencing sessions for up to 100 participants have been the key to its success.

Many organizations already have O365, which comes with Microsoft Teams, a very powerful collaborative tool, especially for internal collaboration and meetings. You can create teams outside of your organization; this is still easy to do, but more cumbersome than using a service such as Zoom. For those who do not have O365, Microsoft is offering a six-month trial to all companies for their Teams platform. Additional conferencing tools are available from Adobe, GoToMeeting, WebEx and Pittsburgh’s own Chorus Call. For those looking for a more permanent White Glove service that is highly secure and comes with operator support, Chorus Call should be considered as an option. The remainder of this guidance will be primarily focused on Zoom.

Zoom’s success has been in large part due to ease of use and convenience. With almost any product, more convenience and ease of use may mean less security or privacy, while more security and privacy may mean less convenience and possibly lower ease of use. These are not universal rules, and most companies try to find a good balance. Zoom is working quickly to make its platform more secure, and a big part of the security is using built-in features that can reduce vulnerability.

For your own business it is important to understand who needs to collaborate, what topics you are discussing, and how sensitive those discussions are. This review may help you to determine the product or service right for you. It is possible you may have different segments of your business on different platforms. This may seem less convenient and harder to coordinate, but that again may be the tradeoff for increased security and privacy. Zoom is being used as the collaboration tool of choice by many top cyber security firms that we consider to be exceptional organizations. If you follow the guidance and tips, choose to use the tools Zoom has included and limit sensitive conversations, Ethical Intruder feels Zoom is appropriate to use.

** For transparency, Ethical Intruder uses Microsoft Teams primarily for internal collaboration, and Citrix GoToMeeting for most external collaboration. We are software and product agnostic and do not ever profit from any guidance via vendor relationships, while also trying not to discourage client use of any product platforms.

Terminology

User/Host – Depending on the platform this is the person or account which can set up or manage your conference sessions.

Zoombombing (uninvited participant) – When you use Zoom and distribute a link for conference access, especially via social media platforms, anyone with that link can (in many cases) join the meeting, interject any topics or beliefs they choose or share any data they choose to share.

PMI – This is Zoom’s Personal Meeting ID. If you do not change this for specific meetings, this same ID can be reused by anyone who has the ID at any time when you have a meeting utilizing the same ID.

For those who have chosen Zoom as their platform of choice and simply want Notes and Tips about using Zoom, those have been added to the end of the document for easy access.

Conference / Collaboration Options

Zoom Free

Pros

  • Service is Free
  • This service is great for quick access to meetings that are up to 40 minutes in length
  • Create a permanent meeting ID and have meetings with the same link at almost any time which is extremely easy and very convenient

Cons

  • Meetings over 40 minutes are not available if 3 or more attendees are on the session
  • If the permanent ID is shared with a large team, the company or the public, anyone who has access to the link can try to join
  • Highest level of Zoombombing incidents and the least secure or controlled option

Zoom Pro

Pros

  • Service is reasonable at $14.95 per
  • This service is great for quick access to meetings that are up to 24 hours in length
  • Create a permanent meeting ID and have meetings with the same link, at almost any time, which is extremely easy and very convenient
  • Includes Admin features such as Waiting Room and enabling or disabling features as noted in the “Tips” section of the document

Cons

  • If the PMI is shared with a large team or company, anyone who has the link can try to join at any time. As an example, if you share the PMI with multiple clients, you could have one client join in on any other client meeting in the future as an unintended consequence
  • Potential for Zoombombing when controls such as waiting room and other features listed in the “Tips” section below are not used

Zoom Business

Pros

  • Service is reasonable for companies that do host a large amount of external collaboration, especially collaboration or meetings outside of the organization. $19.95 per host, based on a minimum of 10 hosts, or $199 a month
  • Admin Dashboard for monitoring existing conferences
  • Admin features such as Waiting Room and enabling or disabling features such as chats or recordings
  • Create your own company URL and branding for Zoom meetings
  • Single sign-on is available

Cons

  • If the PMI is shared with a large team or company, anyone who has the link can try to join at any time. As an example, if you share the PMI with multiple clients, you could have one client join in on any other client meeting in the future as an unintended consequence
  • Potential for Zoombombing when controls such as waiting room and other features listed in the “Tips” section below are not used

Microsoft Teams (Google Gsuite collaboration is similar)

Pros

  • Included if you have a subscription to O365
  • Free version available during Coronavirus for six months for any organization
  • Built for employee collaboration with chat, video calls, document collaboration and more
  • Resides inside your own O365 tenant, which creates an additional layer of security when discussing confidential or sensitive information
  • No restrictions on how many users can join a session or a time limit
  • Almost no chance of Zoombombing

Cons

  • If you do not have O365 today, there would be a fee after 6 months.
  • While simple and intuitive, it is less convenient to initially set up than Zoom
  • While strong for internal collaboration, less convenient for conducting sessions with customers or anyone outside of your company

Zoom Notes & Tips

Notes:

Zoom has acted quickly to address many of the security vulnerabilities and has made privacy changes to address consumer concerns including:

  • The removal of a Facebook feature that was collecting some personal information
  • Updated their Privacy notice to note that no information is ever sold to a 3rd party
  • Disabled the attendee attention tracker, which monitored if you were multi-tasking or not paying attention to a session
  • Removed the LinkedIn Sales Navigator App integration
  • Addressing encryption (which should not be a concern)
  • Fixed known Mac issues when using an Apple device
  • Zoom is holding a weekly webinar at 10 am Pacific time to address concerns and updates: weekly webinar (Yes, Ethical Intruder has verified this link as non-malicious 😊)

Zoom Tips:

  • Generate a random meeting ID for specific meetings and do not use your PMI (Personal Meeting ID). If you use your PMI, anyone can join that meeting at any time which increases unintended visitors (Zoombombing).
  • If you post your public meeting on social media or the web, remember that anyone can now search and find your meeting.
  • For public links or sensitive meetings, consider using a link which you can share on social media or e-mail. Then you can follow up with a direct message or e-mail to share the password individually. This may lessen the feeling of accessibility, may increase administrative overhead and time, but can greatly increase security and the experience of your intended audience.
  • Enact waiting rooms for public sessions or larger sessions to control who enters a meeting. Your host will monitor users as they arrive and let them into the session.
  • Utilize controls to limit screen sharing. This can be controlled in the Host control bar where “Host Only” can be selected as a screen sharing option.
  • Use the sign-in feature to assure control over the guest list.
  • It is possible to lock meetings after they have begun to keep anyone else from gaining unintended access.
  • Monitor meetings as an admin and consider utilizing muting controls during a session to limit disruption.
  • Admin/Hosts can disable a user’s chat, audio or video during a session if you feel they are violating the terms of your intended session.
  • Consider turning off the file sharing feature in the chat to avoid the sharing of unintended information.
  • Disable the private chat feature if you feel it is being used for unintended purposes.
  • If you record sessions that are not considered public or that contain confidential information, consider changing the name of the file to avoid someone searching for meeting content.
  • Please read the Zoom Privacy notice and make sure you are comfortable with the terms.
  • Finally, please reach out to Ethical Intruder (David.Kane@ethicalintruder.com) with any deeper questions or concerns we may be able to address about Zoom or any other collaboration product or service.
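
The tips above can be turned into a repeatable check over a meeting schedule. The following is an added example, not part of the original guidance and not Zoom's own code or API: the field names (`uses_pmi`, `waiting_room`, `screen_share`, `audience` and so on) and the sample schedule are hypothetical and constructed for illustration. It flags meetings that ignore the tips and meeting IDs that were handed to more than one client.

```python
from collections import defaultdict

# Constructed sample schedule. Field names are hypothetical, not Zoom's API.
MEETINGS = [
    {"topic": "Client A review", "meeting_id": "000-000-0001", "uses_pmi": True,
     "password": "", "waiting_room": False, "screen_share": "all",
     "public_link": False, "audience": "client-a.example"},
    {"topic": "Client B kickoff", "meeting_id": "000-000-0001", "uses_pmi": True,
     "password": "set", "waiting_room": False, "screen_share": "host_only",
     "public_link": False, "audience": "client-b.example"},
    {"topic": "Public webinar", "meeting_id": "000-000-0002", "uses_pmi": False,
     "password": "set", "waiting_room": True, "screen_share": "host_only",
     "public_link": True, "audience": "public"},
]


def audit_meeting(m):
    """Return the tips from this page that one meeting record does not follow."""
    findings = []
    if m["uses_pmi"]:
        findings.append("uses PMI; generate a random meeting ID instead")
    if not m["password"]:
        findings.append("no password; set one and share it separately from the link")
    if m["public_link"] and not m["waiting_room"]:
        findings.append("public link without a waiting room")
    if m["screen_share"] != "host_only":
        findings.append("screen sharing is not limited to the host")
    return findings


def reused_ids(meetings):
    """Meeting IDs given to more than one audience (one client can join another's)."""
    audiences = defaultdict(set)
    for m in meetings:
        audiences[m["meeting_id"]].add(m["audience"])
    return {mid: sorted(a) for mid, a in audiences.items() if len(a) > 1}


def audit(meetings):
    """Per-meeting findings plus cross-meeting ID reuse."""
    return {m["topic"]: audit_meeting(m) for m in meetings}, reused_ids(meetings)


if __name__ == "__main__":
    per_meeting, reuse = audit(MEETINGS)
    for topic, findings in per_meeting.items():
        print(topic, "->", findings or "ok")
    for mid, who in reuse.items():
        print("ID", mid, "shared across:", ", ".join(who))
```
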