The recommendations from Kaspersky come following recent scrutiny towards Zoom regarding security and privacy.
Video chats over Zoom have recently been reported as hacked by ‘Zoom bombers’, and while coding measures have been put in place to improve security, users must remain vigilant about continued insecurities.
With this in mind, researchers at Kaspersky have provided 10 tips for staying secure while using Zoom.
Protect your account
Firstly, Kaspersky has recommended that Zoom accounts, as with accounts for any other platform, are protected using a strong password and two-factor authentication (2FA).
Passwords, according to Kaspersky, should not only be strong, but be kept in the long run as opposed to being changed, as changing them makes them more difficult to remember, and changes made aren’t major enough to prevent cyber criminals from hacking an account.
More specific to Zoom, though, is the Personal Meeting ID (PMI), which must not be shared publicly, as access to meetings can be gained by anyone who has it.
Use your work email when registering
Using your work email when creating a Zoom account, or using a burner account with a well established public domain will help to keep personal contact details private.
A recently discovered glitch within the platform’s Company Directory function involves users with the same email domain being grouped together, with the exception of email addresses with common domains such as @gmail.com.
This allows for the sharing of contact details, and is yet to be fixed.
Strangers in your inbox: safeguarding against business email compromise
Don’t fall for fake applications
The amount of malicious files that share the names of video conference services such as Zoom and Webex has roughly tripled within the past year, according to research conducted by Kaspersky’s Denis Parinov.
This makes it even more vital that users do not use any source other than Zoom’s official website (zoom.us), the App Store or Google Play to download the application.
Don’t share conference links over social media
The fourth tip Kaspersky has given relates to the rise in ‘Zoombombing’, the act of entering a Zoom meeting unauthorised and implementing offensive content, that has occurred over social media.
If there is no other option for hosting a public meeting, users should disable the ‘Use Personal Meeting ID’ option.
Protect every meeting with a password
Going back to passwords, Kaspersky not only recommends protecting your account with one, but your meetings, too. This can ensure that no unwanted guests join the meeting.
Just like conference links, conference passwords, which are enabled by default on Zoom, should not be shared over social media.
Identity and access management –– mitigating password-related cyber security risks
Enable the Waiting Room function
Another way to prevent unauthorised access is to enable Zoom’s ‘Waiting Room’ function, which prevents entry without approval from the host, and is also enabled by default.
This can come in handy if the password for the meeting somehow gets outside the host’s desired sphere of participants.
Consider screen-sharing features
Users should also be careful about sharing their screen view with other participants, according to Kaspersky.
An eye should be kept on the following aspects of these features:
- Whether to limit screen-sharing ability to the host or allow all participants to have this ability.
- Allowing for simultaneous screen-sharing from multiple participants.
Stay with the Web client if possible
Many client apps that are affiliated with Zoom have demonstrated some kind of vulnerability, according to Kaspersky. These flaws include lack of security for the user’s camera and microphone, and letting websites add users to calls without consent.
Although Zoom has since fixed these issues, a lack of a proper security assessment means that Zoom apps may still be vulnerable, meaning that using its web client is always recommended where possible.
The web client operates in sandbox conditions, allowing for increased security due to an absence of external access permissions.
Additionally, users should aim to limit devices connected to their Zoom account to one if possible, and have this be a spare laptop or smartphone with minimal personal information.
How to secure, manage and monitor edge devices
Avoid discussing personal or trade details
Zoom recently admitted that its so-called end-to-end encryption meant that one end was its server, meaning that this wasn’t actually possible.
End-to-end encryption is also on other video conferencing platforms, so Kaspersky does not recommend leaving Zoom on this basis. However, the security company does recommend that users avoid revealing personal details, or confidential details relating to trade.
Consider what can be seen or heard
Finally, Kaspersky stated that users of not only Zoom, but other video conferencing services, be wary about what can be seen or heard on camera, as well as when screen-sharing.
Basic grooming is recommended before joining a call, as is closing any windows you would rather not see.