Thinking about Zoom and risk

BRUCE POTTER · APR 21, 2020

Like you, we’ve been paying attention to the news about Zoom. In particular, we’re looking into various security findings and concerns shared on social media and in news outlets. The situation changes by the day, but I want to give you a quick overview of our opinion on all the various security findings and our thoughts on managing risk from using Zoom.

First, the TL;DR. We are continuing to use Zoom. We’ve looked at the product, how we use it, the company, and the overall risk to Expel, and we’re comfortable continuing to use it as part of our daily operations. How did we reach this conclusion? Read on.

Dealing with third-party risk

Stepping back from Zoom for a minute, when it comes to ANY external vendor, you’re constantly balancing the reward of the service they offer with the risk of using that service. All of us (hopefully!) have a third-party risk program to document and guide the third-party risk management process. Not that long ago, managing third-party risk involved taking deep dives on individual products and asking: “is this product suitable for use?” But in a cloud-native environment, the assessment has shifted. With a SaaS solution, a company can deploy updates that dramatically change the product without any notification. It’s nearly impossible to do a point-in-time assessment of their product and have it mean anything. Instead, we are now asking ourselves: “is this company suitable for us to do business with?”

Let’s look at Zoom and the company’s actions to date.

Zoom created a remote collaboration product with a relatively low learning curve and a common user experience across multiple platforms, and ran it reliably. In 2020, they’ve scaled from an average of 10 million meetings a day in January to 200 million meetings a day in March. They’ve moved many of their engineering resources over to focus on security and privacy issues. Zoom released numerous security updates to both fix vulnerabilities and add new security features. In several interviews, the CEO has been incredibly frank about their security challenges and has indicated that security is going to be a big part of Zoom going forward. Zoom also recruited skilled security professionals such as Katie Moussouris (and her company Luta Security) and Alex Stamos to make sure the right things are being done both internally and externally.

All in all, Zoom is making all the right decisions and doing the right things to address security concerns and build a more secure product. They’re not burying their heads in the sand and they’re being very transparent. From a third-party risk perspective, Zoom is a company we want to do business with.

What about the product?

The product clearly still matters. So, let’s take a look at the types of problems that were recently uncovered.

Zoombombing. This is when uninvited people join Zoom meetings and cause disruption. It’s a real problem right now. However, it appears to only occur during meetings with publicly accessible meeting IDs. This problem isn’t limited to Zoom, unfortunately. The current spike in video conferencing leads to a spike in disruption as well. On April 15th, Fairfax County in Virginia had to cancel school for three days to develop countermeasures against students and other parties disrupting distance learning classes with techniques such as racist and homophobic names and memes.

There’s anecdotal evidence of some non-public meetings being Zoombombed but not enough to convince us that it’s a real risk. Zoom quickly implemented countermeasures to dramatically slow the ability to find valid meeting IDs with brute force.

Zoom also provided guidance to help run meetings more securely and grouped all the security controls under a big “security” button that hosts can use to quickly configure security options and maintain control of meetings. It seems that while Zoom can’t control human nature, they’ve put some controls at our fingertips to keep out those who want to disrupt or cause chaos in our meetings.

Overall security of the Zoom app. Zoom can run in two ways: inside your browser or as a standalone application. The Zoom application has been getting a lot of attention lately, and several low-risk vulnerabilities have been discovered, including the ability to send malicious links in chat and to potentially read Windows password hashes remotely. Also, security expert mudge had some choice words on the overall security of the Zoom binaries. In a nutshell, while the findings mudge talks about aren’t security vulnerabilities on their face, they are indicative of a development process that doesn’t have security baked into it.

Zoom quickly addressed these issues, but there are likely to be more discoveries in the coming weeks. Looking at Zoom the company, they appear to be taking these concerns to heart and are working to build more secure applications as time goes on. All the attention from both security researchers and malicious users alike will continue to press Zoom to make their core application more secure.

Encryption. While Zoom indicated sessions were “end-to-end” encrypted, the actual architecture is end-to-Zoom and Zoom-to-end encrypted. While it’s not ideal from a privacy perspective, Zoom meetings are encrypted on the wire. However, according to a Citizen Lab report, even the encryption that’s in place is home-rolled and generally not up to industry standards.

While you’re forced to trust Zoom to not intercept and do something malicious with your data, in general the real risk to this kind of communication is interception on the wire. And even if you capture data on the wire, you still have to do work to decrypt it. While weak encryption is never a good thing, in this case attackers have to be a) on the wire and b) motivated enough to perform the cryptanalysis to recover the cleartext data. These types of attackers are few and far between and generally tend to be focused on national security interests, not a meeting of your marketing department.

Like everything else listed here, Zoom’s working to address this encryption issue. In a webinar on April 15th, Zoom indicated they’ll be migrating to AES 256 GCM (instead of ECB) in a “matter of weeks” and are working towards full end-to-end encryption.
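To make the ECB-versus-GCM difference concrete, here is an added example (not code from the original post or from Zoom) using Node’s built-in crypto module. It assumes a 256-bit key for both modes and a constructed sample frame; the function names are hypothetical.

```javascript
const crypto = require('crypto');
const BLOCK = 16; // AES block size in bytes

// ECB: every 16-byte block is encrypted independently under the same key.
function encryptEcb(key, plaintext) {
  const c = crypto.createCipheriv('aes-256-ecb', key, null);
  return Buffer.concat([c.update(plaintext), c.final()]);
}

// GCM: fresh 96-bit nonce per message, plus an authentication tag.
function encryptGcm(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { nonce, ct, tag: c.getAuthTag() };
}

function decryptGcm(key, { nonce, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, nonce);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // throws if tag check fails
}

// Count ciphertext blocks identical to an earlier block: the ECB tell-tale.
function repeatedBlocks(ct) {
  const seen = new Set();
  let repeats = 0;
  for (let i = 0; i + BLOCK <= ct.length; i += BLOCK) {
    const hex = ct.subarray(i, i + BLOCK).toString('hex');
    if (seen.has(hex)) repeats++;
    else seen.add(hex);
  }
  return repeats;
}

function demo() {
  const key = crypto.randomBytes(32); // assumed 256-bit key for both modes
  // Constructed sample: 8 identical blocks (e.g. a flat region) + 1 distinct block.
  const frame = Buffer.concat([Buffer.alloc(8 * BLOCK, 0), Buffer.from('speaker audio...')]);
  const gcm = encryptGcm(key, frame);
  const roundTrip = decryptGcm(key, gcm).equals(frame);
  const tampered = { ...gcm, ct: Buffer.from(gcm.ct) };
  tampered.ct[0] ^= 1; // flip one ciphertext bit in transit
  let tamperRejected = false;
  try { decryptGcm(key, tampered); } catch (e) { tamperRejected = true; }
  return { ecbRepeats: repeatedBlocks(encryptEcb(key, frame)),
           gcmRepeats: repeatedBlocks(gcm.ct), roundTrip, tamperRejected };
}

console.log(demo());
```

Under ECB the eight identical plaintext blocks produce eight identical ciphertext blocks, so structure in the data is visible without the key; under GCM no blocks repeat and a modified ciphertext is rejected on decryption.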

Again, do you trust Zoom on this? Given their transparency to date, we believe that this is really the goal they’re working towards. If they focus the current discussions on end-to-end encryption and law enforcement access, they’ll get to where they’re trying to go.

So what?

Every day that passes is a day that Zoom is a little more secure than it was the day before. Given the current encryption concerns, it makes sense that certain government agencies have said “no” to Zoom use. But for most corporate applications (and certainly your family and community activities), we believe Zoom is suitable for use. Barring any major changes in Zoom’s security posture, Expel will continue to use Zoom for our business needs.

Have any other concerns about using Zoom? Let us know and we’ll do our best to answer your questions.