Zoom is a meeting-at-distance tool that has seen explosive growth in users as the COVID-19 pandemic has swept the planet. Due to its increasing popularity and relative ease of use, people are flocking to Zoom for daily use in all kinds of scenarios. Not coincidentally, security researchers have been quoted in multiple news articles questioning the “safety” and “security” of Zoom.
The point of this blog post is not to debate the relative merits of the recent coverage
that Zoom has experienced. Instead, the point of this blog post is to help you make
Zoom as safe as possible for you to use while understanding the risks associated with
using it. Nothing in life is risk-free, and Zoom is no different. Also, these tips
are offered for individuals using personal accounts, whether free or paid. If you
are using Zoom in a corporate context as part of your job, you should follow whatever
guidance your corporate security staff provides for employees.
With that in mind, please consider the following tips when creating meetings in Zoom:
Meeting ID – Enable the “Generate automatically” setting so that Zoom will generate the Meeting ID automatically unless you have a solid reason not to. Zoom creates a 9-digit identifier for all meetings. Randomizing the identifier for each meeting makes it more difficult for adversaries to target you specifically since each of your meetings will have a different Meeting ID.
Meeting Password – Enable the “Meeting Password” option unless you have a solid reason not to. Enabling this feature requires all attendees to enter the password before being allowed into the meeting. (NOTE: Since the original blog post, Zoom has enabled this option by default, but meeting hosts should still verify it is set.)
Video – Set both Host and Participant to “off” by default. This will ensure that participants cannot share their screen without the host’s permission and will also ensure that the host does not accidentally share their camera before they are ready to.
Audio – Enable the “Both” option. This is more of a general usability recommendation than a security tip. Allowing both lets users view video on their computer while hearing the meeting by dialing in on their phone. For users with slower systems or Internet connections, the ability to connect to meeting audio with both their computer and their cell phone can help lighten the network load.
Meeting Options – There are four settings here to discuss:
Enable join before host – Disable this option to prevent users from entering the meeting before the host does. This will allow meeting hosts to start with a “clean room” so that they can have better management and control of attendees.
Mute participants upon entry – Enable this option to prevent attendees from speaking during the meeting unless permitted by the host to do so.
Enable waiting room – Enable this option to hold attendees in a virtual “waiting room.” Hosts are then able to allow attendees into the meeting one at a time, ensuring that only authorized attendees are present. (NOTE: Since the original blog post, Zoom has enabled this option by default, but meeting hosts should still verify it is set.)
Record the meeting automatically on the local computer – Disable this feature. Meeting hosts can manually trigger recording inside the meeting if needed. If meeting hosts choose to record a meeting, they should expressly state that in any meeting notifications as well as before beginning actual recording of the meeting itself. Meeting hosts should give attendees an opportunity to leave the meeting before recording, and it is also a good idea to repeat that process once they begin recording so that attendees can be recorded giving their permission to record the meeting.
Below is a screen capture of an example of a meeting set up with all of the options
set as described above:
Once the meeting host saves the meeting, they should see a screen that looks similar
to this:
Notice the “Save as a Meeting Template” link at the bottom? Meeting hosts should click that link to save the settings in a template to ensure that future meetings have the same settings. Name it something that makes sense to you and save it.
To schedule future meetings with the same settings, meeting hosts simply have to click on the “Meeting Templates” link at the top of the page, where they will now see the template along with a button that they can click to create a new meeting using these settings.
Zoom has proven to be an effective meeting-at-distance tool for many, and its popularity
and use will only increase over time. But, as with any software product, it does not
come without some risks. By implementing the tips above, meeting hosts have taken
the necessary steps to ensure their meetings are free of uninvited attendees, thus
lowering risks for everyone involved.