Zoom Conference Woes

Web conferencing is not a new technology; it has mainly been an enterprise tool to enable productivity. However, organizations that have massively scaled up their use of Zoom® to enable remote operations face new challenges. Bigger target, bigger menace. There has been an uptick in bad actors joining Zoom® conferences to be disruptive or to eavesdrop, a practice called Zoombombing, according to The New York Times®. The National Institute of Standards and Technology (NIST) has released guidance on preventing disruptions to your web conferences and protecting sensitive data. This security guidance will help secure both Zoom web conferences and audio conferences.

Web/Audio Conference Security Guidance:

  1. Limit reuse of access codes. If you’ve used the same code for a while, you’ve probably shared it with more people than you can imagine or recall.
  2. If the meeting is open to the public or includes external attendees, avoid using your personal meeting ID and generate a one-time meeting ID instead.
  3. If the topic is sensitive, use one-time passwords and meeting IDs (review additional controls).
  4. Use the “waiting room” function and don’t allow the meeting to begin until the host joins.
  5. Enable notification when attendees join by playing a tone or announcing names. The meeting host should ask new attendees to identify themselves.
  6. Use the dashboard to monitor attendees – and identify all generic attendees.
  7. Do not record the meeting unless it’s necessary and in compliance with University policy.
  8. If you do not need video, make it an audio-only conference.
  9. If it’s a web meeting (with video):
    1. Disable features you don’t need (like chat or file sharing).
    2. Limit screen sharing to the host until all participants have been verified.
    3. Before anyone shares their screen, remind them not to share sensitive information during the meeting inadvertently.

If you are conducting a conference where sensitive information is shared, employ these additional controls:

  1. Use only approved Zoom meeting services with unique meeting IDs and passwords for attendees and instruct them not to share them.
  2. Restrict meeting entry to authenticated users only; this will require attendees to sign in.
  3. Use the dashboard feature so you can see who all the attendees are at all times.
  4. Lock the meeting once you have identified all the attendees and lines in use.
  5. Only conduct web meetings on UR-approved devices.

This document, which can be downloaded and posted in your office, is a handy reminder of security tips for conducting a conference.

This video is from NIST and is a summary of teleconference security guidance: