Businesses and individuals are turning to Video Conferencing apps, for continuity during the coronavirus outbreak, but things aren’t as safe as they seem.
As many countries throughout the world have been placed into a lockdown, video conferencing apps have become the latest “must have”, and the companies behind them have seen their share prices rise while the rest of the global stock market falls.
Zoom, which allows users to talk to up to 99 other people simultaneously, is often leading the download charts in Apple’s app store, with Apptopia stating that the app was downloaded 2.13m times around the world on 23 March, the day the lockdown was announced in the UK (by way of contrast, this up from 56,000 a day just two months earlier.)
As more and more organisations turn to Zoom to aid the remote working necessitated by the Coronavirus outbreak, more and more IT systems are becoming vulnerable to a security flaw found in the application.
What’s worse, the urgency of needing to enable staff to work from home has meant, in many cases, security has not been a priority when establishing connections to enterprise systems.
What are Zooms Potential Security Flaws?
There could be many but, during April, Zoom have been frantically developing and releasing patches to close vulnerabilities such as; Allowing attackers to take control of a vulnerable Mac including the webcam or microphone, and closing a vulnerability for Windows users that allowed attackers to steal users login credentials.
The impact of such attacks could be HUGE for organisations as they come out of the other side of the Covid-19 pandemic, only to find that data has been stolen, and they are potentially facing further Loss of Revenue, Increased Costs or even significant Fines and Restrictions.
In an article on arstechnia.com, Zoom have stated “At Zoom, ensuring the privacy and security of our users and their data is paramount. We are aware of the UNC issue and are working to address it” in response to Zoom’s security flaw, and Zoom’s CEO recently accepted that he “really messed up” when it came to Security around the application.
How to Prevent Attacks
At SAMGarde we believe that the best, and possibly only, answer is to properly protect your IT estate and users by having adequate Processes and Governance in place, along with Policies that define an internal practice to follow.
Governance should be robust enough to answer the IT Asset Manger’s prayer “Please give my users the software they need, but only when they need it.”
It should be able to provide organisations with the ability to not only ensure that Zoom is the most appropriate video conferencing application for the organisation, based on functionality, security etc, but also that every user who needs this capability has an appropriately approved request to ensure that usage matches the profile required for the capability desired.
Additionally, it should ensure that IT Security are aware of where the Risks lie, and that the application can be swiftly removed should the risk become live.
In the current climate of lockdowns and time constraints to keep staff connected, SAMGarde’s three pillar model of ITAM Governance comes into its own:
Operational – Delivery of applications to users.
Quality Assurance – Ensuring that the application been properly reviewed, approved, and all requests are properly authorised.
Corporate Governance – Where there is not time to review and approve the application and associated requests by the normal process, an informed decision is taken by an appropriately authorised person to override the BAU way of operating, with agreed backout plan while continuing the process of application review and approval.