With the transition to work-from-home, many organizations, agencies and individuals are increasingly dependent on conferencing platforms, like Zoom and Microsoft Teams, to stay connected during the COVID-19 pandemic.
Issues have come up, including what is being called “Zoom bombing,” where malicious individuals join teleconferences uninvited, post explicit content and eavesdrop on sessions.
The State’s standard for online conferencing is Microsoft Teams, but we are also aware that some organizations you interact with may leverage other technology, including Zoom. We anticipate that, due to the surge in popularity of remote conferencing software, new vulnerabilities will be discovered on a regular basis and attackers will move quickly to take advantage of them. We will be monitoring this situation closely. Zoom CEO Eric Yuan asserted that the company would freeze all new features for the next 90 days to focus on security and privacy issues.
The BEST Cybersecurity team is recommending that users:
- Use Microsoft Teams as a first choice. While not immune to security and privacy issues, we feel that this software is better vetted from a security and privacy standpoint and has not had as many issues identified.
- Ensure conferencing software is up to date and patched regularly.
- Ensure that meetings are private, either by requiring a password for entry or controlling guest access from a waiting room.
- Add a passcode to your meeting, then share that passcode with your guests. Once set, the passcode is required in order to enter the meeting.
- Do not share a link to a teleconference or classroom in an unrestricted, publicly available social media post. Provide the link directly to specific people.
- Manage screensharing options. In Zoom, change screensharing to “Host Only.”
- Do not use Facebook to sign in: it greatly increases the amount of personal data at risk.
- Consider turning on the “waiting room” for your meeting so that you can scan who wants to join before letting everyone in.
- If you don't want participants to join/interact before the host enters, uncheck "Join Before Host". Set an alternate host if you need a backup host.
- Disable "Allow Removed Participants to Rejoin" so that participants who you have removed from your session cannot re-enter.
- Disable "File Transfer" unless you know this feature will be required.
- Disable annotation if you don't need it.