If you’ve been keeping up on the COVID-19 news, you’ve probably heard about a form of abuse that’s been on the rise over the past few weeks: “Zoombombing.” Despite the headlines, it involves no hacking at all, just an uninvited person who obtains or guesses a way into a meeting.
Zoombombing incidents are a form of trolling: the intruder gets hold of a Zoom meeting link from a public social media post or a forwarded email (or guesses a meeting ID) and joins the video chat simply to cause disruption. In specific recent examples, they’ve upset participants by yelling profanity and racial slurs and by sharing disturbing images in the video feed.
In response to recent criticism over these issues, Zoom announced a few changes to their platform to help users safeguard against these bad actors. By default, participants of a Zoom meeting are now placed in a waiting room until the meeting organizer admits them. If the organizer does not recognize someone in the waiting room, they can simply leave that person out of the meeting. Zoom now also requires a password for meetings as a default setting. That means if you’re used to joining a meeting just by entering the meeting ID, that won’t work. Instead, you’ll either join directly via the link sent to you in an invite, or you’ll need the password. Note that the invite link carries the password embedded in it, so the link itself is now the secret: a link posted publicly gives away the password with it.
In addition to these system updates, there are a few other things you can do to safeguard your next Zoom meeting:
Four tips to prevent Zoombombing:
- Do not share a link to a teleconference or classroom on an unrestricted, publicly available social media post. Provide the link directly to the specific people you want to invite.
- Manage screensharing options. In Zoom, change screensharing to “Host Only,“ so that anyone who does slip into the meeting cannot broadcast images to the room.
- Ensure users are running the updated version of remote access/meeting applications. As mentioned above, Zoom has updated its software to require passwords by default for meetings and has also removed the ability to randomly scan for meetings to join. If your meeting guests don’t have the latest updates, however, your meeting may be easier to hijack.
- Ensure that your organization’s telework policy addresses requirements for information security.
While the above security hygiene will make it difficult for unwanted users to Zoombomb, an enterprise can take additional precautions to protect its meetings using advanced, yet simple-to-implement security measures. IT security experts are familiar with Security Assertion Markup Language (SAML) and OpenID Connect (OIDC), two well-known standards for authentication and identity federation. These standards let an enterprise use its own authentication methods and systems to decide who may reach resources like Zoom meetings and conferences.
Zoom is a SAML Service Provider (SP) that can be federated with a SAML Identity Provider (IdP) for authentication. To allow only authorized and authenticated participants into a Zoom meeting, use the following steps:
- Use a strong authentication mechanism like a digitally signed push authentication, which can be either biometric or PIN controlled.
- Enable an authentication profile for participants joining the meeting. Authentication profiles let hosts restrict the participants who can join a meeting or webinar to those who are signed in to Zoom, and can further restrict them to Zoom users whose email address belongs to a particular domain. Authentication profiles can be set at the user, group, or account level. Enabling one is a simple toggle: turn on “Only authenticated users can join meetings,” then use the provided sign-in option or add a new configuration.
- Federate Zoom with an Identity Provider (IdP), such as IntelliTrust, using Zoom’s Single Sign-On (SSO) feature.
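To make the federation step concrete, here is an added example (not Zoom’s or IntelliTrust’s code) of the checks a SAML Service Provider must apply to an assertion before it treats the subject as an authenticated participant, including the email-domain rule that an authentication profile enforces. The IdP entity ID, SP entity ID, ACS URL, allowed domain, and the sample assertion are all constructed for the example. XML signature verification is deliberately out of scope and must run first in a real SP; an unsigned assertion proves nothing.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Hypothetical SP configuration; every value here is an assumption for the example.
SP_CONFIG = {
    "idp_entity_id": "https://idp.example.com/saml/metadata",
    "sp_entity_id": "https://sp.example.net/saml/metadata",
    "acs_url": "https://sp.example.net/saml/acs",
    "allowed_domains": {"example.com"},
}

# Fixed clock so the example is deterministic; a real SP uses the wall clock.
NOW = datetime(2020, 4, 10, 12, 0, 0, tzinfo=timezone.utc)


def _parse_time(value):
    """SAML timestamps are UTC xs:dateTime values such as 2020-04-10T12:05:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_assertion(xml_text, config=SP_CONFIG, now=NOW):
    """Return (True, email) if every check passes, otherwise (False, reason).

    Assumes the XML-DSig signature was already verified against the IdP's key.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    assertion = root if root.tag == f"{{{SAML_NS}}}Assertion" else root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion element"

    # 1. The assertion must come from the IdP we federated with.
    if assertion.findtext("saml:Issuer", namespaces=NS) != config["idp_entity_id"]:
        return False, "unexpected Issuer"

    # 2. Validity window and audience restriction (is this assertion meant for us, and is it fresh?).
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions"
    if cond.get("NotBefore") and now < _parse_time(cond.get("NotBefore")):
        return False, "assertion not yet valid"
    if cond.get("NotOnOrAfter") and now >= _parse_time(cond.get("NotOnOrAfter")):
        return False, "assertion expired"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if config["sp_entity_id"] not in audiences:
        return False, "audience mismatch"

    # 3. Bearer subject confirmation: the assertion was addressed to our ACS URL and has not lapsed.
    scd = None
    for sc in assertion.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") == BEARER:
            scd = sc.find("saml:SubjectConfirmationData", NS)
            break
    if scd is None:
        return False, "no bearer SubjectConfirmation"
    if scd.get("Recipient") != config["acs_url"]:
        return False, "Recipient is not our ACS URL"
    if scd.get("NotOnOrAfter") and now >= _parse_time(scd.get("NotOnOrAfter")):
        return False, "SubjectConfirmationData expired"

    # 4. The authentication-profile rule: only users from the allowed email domains may join.
    email = (assertion.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    if "@" not in email:
        return False, "NameID is not an email address"
    domain = email.rsplit("@", 1)[1].lower()
    if domain not in config["allowed_domains"]:
        return False, f"domain {domain} not permitted"
    return True, email


def make_assertion(email, not_on_or_after="2020-04-10T12:05:00Z", audience=SP_CONFIG["sp_entity_id"]):
    """Build a constructed, unsigned assertion for the example; this is not real IdP output."""
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1" Version="2.0" IssueInstant="2020-04-10T11:59:30Z">
  <saml:Issuer>{SP_CONFIG['idp_entity_id']}</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{email}</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER}">
      <saml:SubjectConfirmationData Recipient="{SP_CONFIG['acs_url']}" NotOnOrAfter="{not_on_or_after}"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2020-04-10T11:59:00Z" NotOnOrAfter="{not_on_or_after}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def demo():
    """Run the checks over constructed assertions and return each outcome."""
    return {
        "employee": evaluate_assertion(make_assertion("alice@example.com")),
        "outsider": evaluate_assertion(make_assertion("troll@evil.example")),
        "expired": evaluate_assertion(make_assertion("alice@example.com", not_on_or_after="2020-04-10T11:59:59Z")),
        "wrong_audience": evaluate_assertion(make_assertion("alice@example.com", audience="https://other-sp.example.org/")),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The order of the checks matters: issuer, validity window, audience and recipient establish that the assertion is genuinely for this SP before the domain rule is consulted, so an attacker cannot satisfy the domain check with an assertion that was issued to some other service.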
Zoom is one tool employees and enterprises can use to make it easier to connect with colleagues and partners while working from home. If implementing the above options still doesn’t give you confidence that your meeting will be safe, there are other SaaS apps you can deploy. Whatever system you choose, security in the context of COVID-19 is critical to protecting data and avoiding malicious disruptions to your daily virtual interactions.
If your enterprise has not already deployed security coverage for your virtual meeting tools and other systems you use daily to accomplish your work, you can get a 30-day free trial of our IntelliTrust cloud authentication service.