Zoom for Government (ZfG) Security Best Practices

PROHIBITED: Controlled Unclassified Information (CUI)

DO NOT discuss, or exchange in any form, CUI (FOUO, PII, PHI, etc) when using Zoom or Zoom for Government (ZfG).
Microsoft Teams is the only authorized online meeting platform when discussing or exchanging CUI.
Please see sidebar to right on this page for explanation of CUI -->

Security Settings:

Enforced globally by Admin.
They may not be changed by users.
Security settings will be reviewed and adjusted periodically as needed.

Meeting Security:

Meeting Passcodes
- Complex passcodes requried for all meetings (10 characters).
- Numerical passcodes are required for users joining by telephone.
- Meeting passcode will not be embedded in invitation links. Attendees must manually enter the passcode to join the meeting.
Waiting Room: All attendees will be placed in a waiting room and must be admitted by the meeting host.

Account Security:

User Account Passwords:
- Must be complex, and at least 14 characters.
- Must be changed every 90 days.

PROHIBITED: Private Zoom Accounts (non-ZfG):

Using a private Zoom account to join a ZfG hosted session degrades the cyber-security benefits of operating in the ZfG environment.
No Zoom account of any type is necessary to participate in meetings hosted by NPS ZfG accounts.

FACULTY:

Faculty must use their NPS furnished ZfG account when using Zoom for DL instruction and hosting or attending meetings involving official NPS business.
- Instructions here: Are You Using The Right Zoom Account?

STUDENTS:

Students should not be signed in to ANY private Zoom account when attending class or meetings hosted in ZfG.
It is not necessary for anyone to have a ZfG account to attend class or join NPS hosted ZfG meetings.
NPS students are not normally issued ZfG accounts except for special requirements.
- Students who do have ZfG accounts issued by NPS or other DOD agency may use those accounts for participation in NPS hosted ZfG sessions.
- Students who have privately acquired Zoom accounts must SIGN OUT of those accounts in the Zoom app and all web browsers before joining ZfG sessions.
- Instructions here: Are You Using The Right Zoom Account?

STAFF:

NPS Staff should not be signed in to ANY private Zoom account when joining sessions hosted in ZfG.
- Instructions here: Are You Using The Right Zoom Account?

WHO GETS ZfG ACCOUNTS?

NPS faculty and limited staff are issued ZfG "host" accounts for academic instruction and NPS business requirements.
- Host accounts are limited resource.
NPS students are not issued ZfG accounts as a rule. Special exceptions will be made on an ad-hoc basis.
- Students must demonstrate thaT:
  - Microsoft Teams cannot meet their meeting requirements
  - Meeting requirements do not include discussion or exchange of CUI.

Zoom Past Updates

90-Day Security Plan Progress Report: June 17 (here)

End to End Encryption Update (here): 6/16/2020

Zoom Expands Hardware Certification Program (here): 6/16/2020

Zoom Hires Lieutenant General Herbert Raymond “H.R.” McMaster and Jonathan “Josh” Kallmer (here): 5/6/2020

Zoom Updates Personal Meeting ID Controls and Basic Account Security (here): 5/5/2020

Zoom Founder Background Update (here) : 5/4/2020

Zoom 90 Day Progress Update (here): 4/29/2020

Important Zoom Update in Client or Download App!: 4/27/2020

Blog post references: AES 256 GCM encryption (additional information), data routing control, security icon on meeting bar, and more.

Zoom Client Updated with New Features (new version 4.6.11): 4/14/2020

Today's blog post references: passwords, cloud recording, third-party file sharing, meeting ID extension, and chat preview.

Zoom Update (Coming April 18) Control Your Zoom Data Routing: 4/13/2020

Brendan Ittelson, Zoom's CTO, published another blog introducing the new option to control where your data routes. This will be managed by ITACS administrators.

Zoom Security 90-Day Plan to Bolster Key Privacy and Security Initiatives Update: 4/8/2020

Zoom published a blog post with an update on its 90-day plan to better identify, address, and fix issues proactively. This update includes the creation of a CISO Council and Advisory Board and the hiring of Alex Stamos, former Chief Security Officer of Facebook, as an outside advisor.

Zoom Security Update: 4/6/2020

Zoom recently updated the company's privacy policy to be more transparent about the data that it does collect. Furthermore, Zoom has offered clarification on how encryption works within the platform, acknowledging that it had at times implied that data was encrypted end-to-end.

The addressable space for meetings insufficient (9 to 11 digit number), ‘war dialing’ or guessing the meeting ID through sequential iteration is possible.

Action by Zoom - None
Action by NPS - Ensure every meeting is password protected

Zoom sending information to Facebook within Zoom app for IOS.

Action by Zoom – Removed Facebook software development kit from iOS app
Action by NPS – Ensure latest version of Zoom installed

Zoom privacy policy too broad (allowed gathering of video sessions, contents of whiteboards, uploaded documents, instant messages, chat sessions, names of the individuals on the call, and contents of Zoom cloud storage)

Action by Zoom – No longer collects data
Action by NPS – None

Zoom marketed as End to End (E2E) encryption. Reports show use of simpler TLS security from endpoint to Zoom servers, decrypt – re-encrypt, then TLS back to the other endpoints.

Action by Zoom - Immediate statement, “Currently, it is not possible to enable E2E encryption for Zoom video meetings,” as well as, “When we use the phrase ‘End to End’ in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point.” However, on 1 April 2020, Chief Product Officer Oded Gal explained that Zoom operates something closer to the first kind of E2E system (centralized company management of keys) than the second (endpoint-only possession of keys). Zoom apparently does provide end-to-end encryption between participants using Zoom native and Web apps. The data passes across Zoom’s servers without decryption and re-encryption. However, in order to connect sessions to other kinds of services, Zoom operates “connectors” that will decrypt data in certain circumstances (phone connection, polycon, cloud recording). Zoom uses a single shared key among all meeting participants. The key generated uses SHA1, which is susceptible to cracking. The keys are generated not by endpoints, but by company-run servers. These keys could be stored overseas in China.
Action By NPS – Investigate full transition to Microsoft Teams. Password all events, enable waiting room globally, password all phone connections, and use Teams if able for CUI.

Zoom automatically converts anything it thinks is a link into a hyperlink in a chat session. In Windows, that included file paths that, when clicked, opened remote SMB file-sharing sessions.

Action by Zoom: On 1 April 2020, Zoom updated its Windows client
Action by NPS: Ensure Zoom application is patched, to the latest version

On 30 March 2020, it was identified that two “zero-day” bugs could expose Zoom’s Mac users to exploits. However, these exploits can’t be invoked remotely unless a malicious party could embed the exploit in software, they convince someone to download and install, such as a Trojan horse or malware disguised as something useful.

Action by Zoom: On 1 April 2020, Zoom updated its OSX app
Action by NPS: Ensure Zoom application is patched, to the latest version

When an individual hosts a meeting with a paid account, that individual can opt to save a recording of the meeting. That can include a text transcript of public chat messages sent among participants, and all participants gain access to that transcript as well as the video recording (including private chat). This is a bad design choice, because private messages should, by their nature, remain private.

Action by Zoom: None
Action By NPS: Investigate full transition to Microsoft Teams, do not use cloud recording for CUI (Use OneDrive or NPS.Box.com), inform participants that recordings will include any chats within Zoom including private ones

On 3 April 2020, it was identified that it was trivial to find video recordings made in Zoom by searching on the common file-naming pattern that Zoom applies automatically.

Action by Zoom: None
Action By NPS: Investigate full transition to Microsoft Teams, do not use cloud recording for CUI. Use OneDrive or NPS.Box.com.

Meeting Settings for All NPS Zoom Meetings

Changes effective as of Tuesday, April 7th at 1800

As of April 5th the following settings are enabled by ITACS and are a globally locked setting.

All meetings will use a meeting room. Hosts must now allow participants (either all at once or one by one) in the Zoom meeting.
All meeting invites will not include embedded password in meeting link for one-click join by default.
All meeting participants joining by phone will have to enter a password.
All scheduled meetings (including ones that were previously scheduled) will have passwords (set globally)
All instant meeting will have passwords (set globally)
All meetings using the personal meeting ID (not recommended) will have passwords (set globally)

Keep the Zoom App Updated:

Windows and MacOS Instructions

The latest version update information of Zoom for Windows can be found here / MacOS can be found here.

Open the Zoom app
Click your user icon on the top right
Click Check for Updates
You will be prompted to update if out of date

IOS Instructions

This will only apply if automatic updates are not enabled. The latest version update information of Zoom for IOS can be found here

Open the App Store
Search for Zoom
If an update exists, Open will be replaced with Update. Click Update

Android Instructions

Open the Zoom app
Click Settings
Click About
Click Version
You will be prompted to update if out of date

Alternative: download the latest version of zoom here.

What is Controlled Unclassified Information (CUI)?

CUI is unclassified information to which access or distribution limitations have been applied in accordance with national laws, policies, and regulations of the originating country as well as some of those developed by other Executive Branch agencies.

Examples of CUI: For Official Use Only (FOUO), DoD Unclassified Controlled Nuclear Information, Distribution B-F

Public Release of CUI: In accordance with DoDD 5230.09, Deputy Secretary of Defense Memorandum, and other applicable regulations, ALL DoD unclassified information MUST BE REVIEWED AND APPROVED FOR RELEASE before it is provided to the public, including via posting to publicly accessible websites. If you are unsure contact your PAO.

More Info on Zoom:

90-Day Report, What Is Next? 1 JUL 2020 (here)

Webinar 90-Day Progress Report: 1 JUL 2020 (here)

90-Day Progress Report: 24 JUN 2020 (here)

Space shortcuts

Child pages