The coronavirus crisis has brought with it a host of new cybersecurity worries from increased phishing attempts to work-at-home vulnerabilities. Add to that the employment uncertainty both at the MSP and client level, and there’s a lot to deal with at the moment. Now, MSPs have another cybersecurity concern: Zoombombing.
Zoombombing is the new phenomenon where meetings are being disrupted by bad actors, sometimes spewing obscene rhetoric or posting objectionable content. Headlines have recently been filled with these cringe-worthy Zoom incidents.
With legions of people now working from home, there is a need for a user-friendly video-conferencing service that can be up and running fast, and Zoom quickly filled that void. While ease of use is Zoom’s most significant asset (one can be up and running in minutes), according to one noted cybersecurity expert, it’s also its biggest downfall.
“This is not an uncommon situation with new apps. You want to build to be very user-friendly out of the box, which is good. Unfortunately, when you do that, the bad guys out there take advantage of it,” Governors State University cybersecurity professor Bill Kresse tells Smarter MSP. Kresse is better known by his moniker, “Professor Fraud.” Kresse has lectured and publicly spoken extensively about Zoom’s strengths and weaknesses.
The waves of Zoom troublemakers
Kresse says that the problems with new services like Zoom come in waves. The first is the “pranksters,” the people Kresse observes as having nothing better to do with their time, so they storm online classes and conferences, shouting obscenities and posting adult content just for the “lolz.” Once the pranksters have their fun, the real trouble begins.
The second wave is the fraudsters, who see what the pranksters accomplished and think, “Hey I can use this for my purposes, I can do the same thing,” Kresse states. But instead of slipping in and disrupting, they’ll go in and listen.
If the settings are not set up properly, a bad actor can record, download documents and use the data gathered for all sorts of nefarious purposes like posting them on the dark web or for blackmail and extortion.
“We are just beginning to see hints of that, I am afraid we are going to see more of it,” Kresse warns.
Kresse says that MSPs can play a role in safeguarding Zoom meetings. Zoom’s user base expanded exponentially almost overnight, and many of the new users aren’t necessarily the most tech-savvy. Users need to be schooled on best practices for Zoom and other online meetings.
“It falls on the tech folks and the MSPs to aggressively train people on the steps they must take to secure the meetings they are hosting or joining,” Kresse offers.
MSPs that have education clients in their portfolio need to put extra stringent safeguards in place to make sure children who are using Zoom as part of a remote learning experience are protected. Kresse adds that some police departments are getting concerned that bad actors may be lurking in the shadows trying to get information about children from Zoom meetings that have been breached.
Kresse says that most users could remedy Zoom’s weaknesses by just taking a half hour to read through the settings and instructions, but most people jump right into the service without taking that time. Kresse also states that for 95 percent of users, the built-in security features that Zoom offers are adequate.
“There are a few stories about holes in the software where people can get in, Zoom is on it, for the most part, and has fixed them,” Kresse says. So just taking the time to get to know Zoom’s security settings is the best remedy.
“The good thing about Zoom is how user friendly it is, and the bad thing is how user friendly it is. You have to look at settings, look at passwords and give the host greater control,” Kresse advises, which includes controlling the microphones and controlling who comes in and out.
Best practices to protect Zoom meetings
Still, even after Zoom is secured, other low-tech safeguards can be put in place, according to Kresse:
DON’T POST MEETINGS PUBLICLY: Kresse says in the early days of Zoom, it would not be uncommon for people to post their meeting link on social media and then “boom, the whole world was going in on it.” Don’t do that.
DO A ROLL CALL: Kresse advises moderators to do an old-fashioned roll call when convening a Zoom meeting, so that you can hear everyone say “present” and account for anyone who sneaks in that shouldn’t be there.
WATCH YOUR BACKGROUND: Sensitive information shouldn’t be visible, warns Kresse. Whiteboards with phone numbers or data, Post-It notes, and bulletin boards in the background can all be mined for data.
There are other remedies as well, like not using Zoom at all. Other services including WebEx, Google Meet, and Microsoft Teams have learned from Zoom’s missteps and are already attracting users.
The shift to online meetings may be a difficult one to dislodge, Kresse adds. “Depending on how long this pandemic will continue, I think a lot of companies are learning we can conduct business without sending people into an expensive office,” he says.