
Zoom Hires Lieutenant General Herbert Raymond “H.R.” McMaster and Jonathan “Josh” Kallmer: 5/6/2020

Zoom Updates Personal Meeting ID Controls and Basic Account Security: 5/5/2020

Zoom Founder Background Update: 5/4/2020

Zoom 90 Day Progress Update: 4/29/2020

Important Zoom Update in Client or Download App: 4/27/2020

Blog post references: AES-256-GCM encryption, data routing control, security icon on the meeting bar, and more.

Zoom Client Updated with New Features (new version 4.6.11): 4/14/2020 

Today's blog post references: passwords, cloud recording, third-party file sharing, meeting ID extension, and chat preview.

Zoom Update (Coming April 18) Control Your Zoom Data Routing: 4/13/2020

Brendan Ittelson, Zoom's CTO, published another blog introducing the new option to control where your data routes.  This will be managed by ITACS administrators.

Zoom Security 90-Day Plan to Bolster Key Privacy and Security Initiatives Update: 4/8/2020

Zoom published a blog post with an update on its 90-day plan to better identify, address, and fix issues proactively. This update includes the creation of a CISO Council and Advisory Board and the hiring of Alex Stamos, former Chief Security Officer of Facebook, as an outside advisor.

Zoom Security Update: 4/6/2020

Zoom recently updated the company's privacy policy to be more transparent about the data that it does collect. Furthermore, Zoom has offered clarification on how encryption works within the platform, acknowledging that it had at times implied that data was encrypted end-to-end.

  1. The addressable space for meeting IDs is small (9- to 11-digit numbers), so ‘war dialing’, guessing valid meeting IDs by sequential iteration, is feasible.
    1. Action by Zoom - None
    2. Action by NPS - Ensure every meeting is password protected
  2. The Zoom iOS app was sending device information to Facebook through the embedded Facebook SDK.
    1. Action by Zoom – Removed Facebook software development kit from iOS app
    2. Action by NPS – Ensure latest version of Zoom installed
  3. Zoom’s privacy policy was too broad (it permitted gathering of video sessions, the contents of whiteboards, uploaded documents, instant messages, chat sessions, the names of individuals on the call, and the contents of Zoom cloud storage).
    1. Action by Zoom – No longer collects data
    2. Action by NPS – None
  4. Zoom marketed its meetings as end-to-end (E2E) encrypted. Reports showed that traffic was instead protected by TLS from each endpoint to Zoom’s servers, decrypted and re-encrypted there, and sent over TLS to the other endpoints.
    1. Action by Zoom – Immediate statement: “Currently, it is not possible to enable E2E encryption for Zoom video meetings,” and “When we use the phrase ‘End to End’ in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point.” On 1 April 2020, Chief Product Officer Oded Gal explained further that Zoom operates a system in which the company centrally manages the meeting keys, rather than one in which only the endpoints hold them. According to Zoom, media exchanged between participants on the native and web clients passes across Zoom’s servers without being decrypted and re-encrypted. To bridge meetings to other services, however, Zoom operates “connectors” that do decrypt the media in certain circumstances (phone dial-in, Polycom room systems, cloud recording). Each meeting uses a single key shared among all participants, generated not by the endpoints but by Zoom-run servers, some of which were observed to be located in China. Independent analysis found that key to be a 128-bit AES key used in ECB mode, a mode that leaks patterns in the plaintext. Because Zoom, not the participants, controls the keys, this is not end-to-end encryption in the usual sense regardless of the path the media takes.
    2. Action by NPS – Investigate a full transition to Microsoft Teams. Require passwords on all meetings and on phone dial-in, enable the waiting room globally, and use Teams for CUI.
  5. Zoom automatically converts anything it thinks is a link into a clickable hyperlink in a chat session. On Windows this included UNC paths (\\server\share\file): clicking one made Windows open an SMB session to the remote host and send the user’s Windows username and NTLM password hash to it.
    1. Action by Zoom: On 1 April 2020, Zoom updated its Windows client.
    2. Action by NPS: Ensure Zoom application is patched, to the latest version
  6. On 30 March 2020, two “zero-day” bugs were identified that could expose Zoom’s Mac users to exploitation. They cannot be triggered remotely, however: an attacker would first need to run code on the machine, for example by embedding the exploit in software the user is convinced to download and install, such as a Trojan horse or malware disguised as something useful.
    1. Action by Zoom: On 1 April 2020, Zoom updated its macOS app.
    2. Action by NPS: Ensure Zoom application is patched, to the latest version
  7. When an individual hosts a meeting with a paid account, that individual can opt to save a recording of the meeting. The recording can include a text transcript of the chat messages sent during the meeting, and every participant who receives the video recording also receives that transcript, including private chats. This is a bad design choice, because private messages should, by their nature, remain private.
    1. Action by Zoom: None
    2. Action by NPS: Investigate a full transition to Microsoft Teams; do not use cloud recording for CUI (use OneDrive or NPS.Box.com instead); inform participants that recordings will include all chat within Zoom, including private chat.
  8. On 3 April 2020, it was identified that video recordings made in Zoom were trivial to find by searching for the predictable default file-naming pattern that Zoom applies to recordings.
    1. Action by Zoom: None
    2. Action by NPS: Investigate a full transition to Microsoft Teams; do not use cloud recording for CUI. Use OneDrive or NPS.Box.com instead.
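The chat auto-linking issue in item 5 above, shown in code as an added example (this is not Zoom’s code and does not reproduce Zoom’s parser): a naive linkifier that makes UNC paths and file: URLs clickable, beside a hardened version that only links http(s) targets and renders everything else as inert text. The chat lines in SAMPLE_CHAT are constructed for illustration.

```python
"""Chat auto-linking: the unsafe behaviour described in item 5, beside a hardened version.

Added example; this is not Zoom's code and does not reproduce Zoom's parser.
SAMPLE_CHAT below is constructed for illustration.
"""
import html
import re
from typing import List
from urllib.parse import urlsplit

# Anything that "looks like a link": web URLs, Windows UNC paths and file: URLs.
# Turning every match into a hyperlink is the risky behaviour.
_LINK_CANDIDATE = re.compile(
    r"""(?P<url>https?://\S+)             # web URL
      | (?P<unc>\\\\[\w.\-]+\\\S+)        # \\host\share\...  (UNC path)
      | (?P<file>file:\S+)                # file: URL
    """,
    re.VERBOSE,
)

# Only these schemes are safe to make clickable in a chat client.
ALLOWED_SCHEMES = {"http", "https"}


def is_unc_path(target: str) -> bool:
    """True when a token names a Windows network share (\\\\host\\share...)."""
    return re.fullmatch(r"\\\\[\w.\-]+\\\S+", target) is not None


def naive_linkify(text: str) -> List[str]:
    """Every target the naive matcher would make clickable (the unsafe behaviour)."""
    return [m.group(0) for m in _LINK_CANDIDATE.finditer(text)]


def hardened_linkify(text: str) -> List[str]:
    """Only link targets whose scheme is http(s).

    UNC paths and file: URLs are left as plain text: clicking them on Windows
    makes the OS open an SMB session to the remote host, which sends the
    user's Windows username and NTLM password hash to that host.
    """
    safe = []
    for m in _LINK_CANDIDATE.finditer(text):
        target = m.group(0)
        if is_unc_path(target):
            continue
        parts = urlsplit(target)
        if parts.scheme.lower() in ALLOWED_SCHEMES and parts.netloc:
            safe.append(target)
    return safe


def render_message(text: str) -> str:
    """Render one chat message as HTML, making only http(s) targets into anchors.

    Everything else, including UNC paths, is HTML-escaped and left inert.
    """
    out, pos = [], 0
    for m in _LINK_CANDIDATE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        target = m.group(0)
        if hardened_linkify(target):
            href = html.escape(target, quote=True)
            out.append(f'<a href="{href}">{href}</a>')
        else:
            out.append(html.escape(target))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


# Constructed sample chat messages, not real traffic.
SAMPLE_CHAT = [
    "slides are at https://example.edu/class/week3.pdf",
    r"grab the file from \\attacker.example\share\notes.docx",
    "also see file://evil.example/share/readme.txt",
]

if __name__ == "__main__":
    for line in SAMPLE_CHAT:
        print(f"naive:    {naive_linkify(line)}")
        print(f"hardened: {hardened_linkify(line)}")
        print(f"html:     {render_message(line)}")
```

The hardened version whitelists schemes rather than blacklisting UNC paths alone, so file: and other OS-handled schemes are also refused; a blacklist would have to be extended every time a new way of coaxing Windows into an outbound SMB or WebDAV connection is found.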
Meeting Settings for All NPS Zoom Meetings

Changes effective as of Tuesday, April 7th at 1800

As of April 5th, the following settings are enabled by ITACS and locked globally.

  1. All meetings will use the waiting room. Hosts must admit participants (all at once or one by one) into the Zoom meeting.
  2. Meeting invites will no longer embed the password in the join link (one-click join) by default.
  3. All participants joining by phone must enter a password.
  4. All scheduled meetings (including ones scheduled previously) will require a password (set globally).
  5. All instant meetings will require a password (set globally).
  6. All meetings using a personal meeting ID (not recommended) will require a password (set globally).
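An added example (not Zoom or ITACS code) of auditing an account against the six mandated controls above. It runs offline on JSON documents shaped like the responses of Zoom’s account-settings and lock-settings API; the dotted field names are the author’s recollection of that API and are assumptions to verify against the current Zoom API reference before use. The sample documents are constructed, not a real account.

```python
"""Audit a Zoom account's settings against the six mandated controls listed above.

Added example, not ITACS or Zoom code. It works offline on documents shaped
like the JSON returned by Zoom's account settings and lock settings API.
The field names below follow that API as the author of this example recalls
it; they are assumptions to verify against the current Zoom API reference.
The sample documents are constructed, not a real account.
"""
from typing import Any, Dict, List, Tuple

# (description, dotted path in the settings JSON, required value)
REQUIRED_SETTINGS: List[Tuple[str, str, Any]] = [
    ("Waiting room enabled for all meetings",
     "in_meeting.waiting_room", True),
    ("Password not embedded in join link",
     "schedule_meeting.embed_password_in_join_link", False),
    ("Phone (PSTN) participants must enter password",
     "schedule_meeting.pstn_password_protected", True),
    ("Scheduled meetings require password",
     "schedule_meeting.require_password_for_scheduling_new_meetings", True),
    ("Instant meetings require password",
     "schedule_meeting.require_password_for_instant_meetings", True),
    ("PMI meetings require password",
     "schedule_meeting.require_password_for_pmi_meetings", True),
]

_MISSING = object()  # sentinel: distinguishes "key absent" from a False value


def lookup(doc: Dict[str, Any], dotted: str) -> Any:
    """Walk a dotted path; return _MISSING rather than raising on absent keys."""
    cur: Any = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return _MISSING
        cur = cur[part]
    return cur


def audit(settings: Dict[str, Any], locks: Dict[str, Any]) -> List[str]:
    """Return one finding per control that is missing, wrong, or not locked.

    `settings` is the account settings document; `locks` is the lock settings
    document (assumed to share the key layout, True meaning users cannot
    override the setting). An empty list means compliant.
    """
    findings = []
    for desc, path, want in REQUIRED_SETTINGS:
        got = lookup(settings, path)
        if got is _MISSING:
            findings.append(f"MISSING  {path}: not present in settings ({desc})")
        elif got != want:
            findings.append(f"WRONG    {path}: is {got!r}, must be {want!r} ({desc})")
        if lookup(locks, path) is not True:
            findings.append(f"UNLOCKED {path}: users can override ({desc})")
    return findings


# Constructed sample: one control wrong, one missing, one unlocked.
SAMPLE_SETTINGS = {
    "in_meeting": {"waiting_room": True},
    "schedule_meeting": {
        "embed_password_in_join_link": True,   # wrong: must be False
        "pstn_password_protected": True,
        "require_password_for_scheduling_new_meetings": True,
        "require_password_for_instant_meetings": True,
        # require_password_for_pmi_meetings deliberately absent
    },
}
SAMPLE_LOCKS = {
    "in_meeting": {"waiting_room": True},
    "schedule_meeting": {
        "embed_password_in_join_link": True,
        "pstn_password_protected": False,      # set correctly but not locked
        "require_password_for_scheduling_new_meetings": True,
        "require_password_for_instant_meetings": True,
        "require_password_for_pmi_meetings": True,
    },
}

if __name__ == "__main__":
    for line in audit(SAMPLE_SETTINGS, SAMPLE_LOCKS) or ["COMPLIANT"]:
        print(line)
```

A setting that is correct but unlocked is reported separately because users could silently turn it back off; an absent key is reported rather than treated as False so that a renamed field in a future API version shows up as a gap instead of a false pass.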

Controlled Unclassified Information is NOT authorized for Zoom.  Local recording can be enabled.

  • Selecting ‘Local Recording’ saves the recording files on your computer. You can share a local recording with others by uploading it to third-party cloud storage such as OneDrive or Box, a content/learning management system, or a video streaming service.

  • Local recording is only supported in the desktop client. The mobile app only supports cloud recording.
  • Do not use external or network storage for local recordings, for example an external hard drive or network-attached storage; these can result in data loss. It is recommended to save directly to OneDrive or Box.

  • There are several factors that affect the file size of recordings including resolution, duration, and shared content in the recording. As a result, you might notice variations in recording files.

Consider Using Microsoft Teams

  • For more sensitive conversations, alternatives can be considered and more stringent measures put in place. For publicly releasable educational content, Zoom is sufficient; when dealing with proprietary data or CUI, a more trusted application, Microsoft Teams, is authorized.

Keep the Zoom App Updated

Similar to any other application, it is important to keep the Zoom app up to date so that it is protected against the latest known vulnerabilities. If you have trouble updating via the methods below, you can always download the latest version of Zoom here.


Windows and macOS Instructions

The latest version update information of Zoom for Windows can be found here; for macOS, here.

  1. Open the Zoom app

  2. Click your user icon on the top right

  3. Click Check for Updates

  4. You will be prompted to update if out of date


iOS Instructions

This only applies if automatic updates are not enabled. The latest version update information of Zoom for iOS can be found here.

  1. Open the App Store

  2. Search for Zoom 

  3. If an update exists, Open will be replaced with Update. Click Update


Android Instructions
  1. Open the Zoom app

  2. Click Settings

  3. Click About

  4. Click Version

  5. You will be prompted to update if out of date

Application Patch Released: 4/27/2020 (5.0.1)

macOS 5.0.1

Windows / Android 5.0.1 (23502.0430)
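An added example (not Zoom or ITACS code) for checking an inventory of installed client versions against the 5.0.1 minimum above. It parses version strings in the format shown (“5.0.1 (23502.0430)”, or the dotted version alone), compares them numerically rather than as strings, and reports unreadable versions instead of passing them. The inventory lines are constructed; how you collect them (MDM export, login script) is outside this snippet.

```python
"""Check installed Zoom client versions against the required minimum (5.0.1).

Added example, not Zoom or ITACS code. It parses version strings in the
format shown above, e.g. "5.0.1 (23502.0430)" or "4.6.11", and flags hosts
below the minimum. SAMPLE_INVENTORY is constructed for illustration.
"""
import re
from typing import List, Tuple

MINIMUM_VERSION = "5.0.1"

# dotted version, optionally followed by a "(build.date)" suffix
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)(?:\s*\((\d+)\.(\d+)\))?\s*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Return the dotted part of a Zoom version string as a tuple of ints.

    The build suffix in parentheses ("(23502.0430)") is accepted but ignored;
    releases are compared on the dotted version only.
    Raises ValueError for strings that are not Zoom-style versions.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognized version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_current(installed: str, minimum: str = MINIMUM_VERSION) -> bool:
    """True when installed >= minimum, comparing numerically.

    Numeric comparison is what makes 4.6.11 < 5.0.1 and 5.0.10 > 5.0.9;
    a plain string comparison gets both wrong.
    """
    a, b = parse_version(installed), parse_version(minimum)
    n = max(len(a), len(b))
    # pad the shorter tuple with zeros so that 5.0 == 5.0.0
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))


# Constructed inventory: "hostname<TAB>platform<TAB>version"
SAMPLE_INVENTORY = """\
lab-win-01\tWindows\t5.0.1 (23502.0430)
lab-win-02\tWindows\t4.6.11 (20559.0413)
lab-mac-01\tmacOS\t5.0.1
lab-mac-02\tmacOS\t4.6.9
lab-and-01\tAndroid\tunknown
"""


def hosts_needing_update(inventory: str,
                         minimum: str = MINIMUM_VERSION) -> List[Tuple[str, str]]:
    """Return (host, reason) for every host not provably at or above the minimum.

    Unparseable versions are reported rather than silently passed, so a host
    whose agent failed to read the version never counts as compliant.
    """
    out = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, platform, version = line.split("\t")
        try:
            if not is_current(version, minimum):
                out.append((host, f"{platform} {version} < {minimum}"))
        except ValueError:
            out.append((host, f"{platform} version unreadable: {version!r}"))
    return out


if __name__ == "__main__":
    for host, reason in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: {reason}")
```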

Your ITACS staff takes the privacy and the security of your data seriously and is mandating *REQUIRED* settings for all Zoom meetings (CUI NOT AUTHORIZED) hosted on NPS accounts. Additionally ITACS is offering security best-practices when hosting virtual meetings/classrooms. These mandated *REQUIRED* settings must be implemented by all NPS personnel hosting meetings.


What is Controlled Unclassified Information (CUI)?

CUI is unclassified information to which access or distribution limitations have been applied in accordance with national laws, policies, and regulations of the originating country as well as some of those developed by other Executive Branch agencies.

Examples of CUI: For Official Use Only (FOUO), DoD Unclassified Controlled Nuclear Information, Distribution B-F

Public Release of CUI: In accordance with DoDD 5230.09, Deputy Secretary of Defense Memorandum, and other applicable regulations, ALL DoD unclassified information MUST BE REVIEWED AND APPROVED FOR RELEASE before it is provided to the public, including via posting to publicly accessible websites. If you are unsure contact your PAO.