Zoom has been under a lot of scrutiny lately, and it's commendable that the vendor has been working through as many security issues as it has. With great growth and visibility comes great scrutiny, and as Zoom has experienced an unprecedented uptake of users, more eyeballs have been on the platform poking holes in it.
The media has been rife with stories about various Zoom security holes, vulnerabilities, and insecure default settings to the extent that many users have been hesitant to use Zoom. This includes teachers trying to remotely educate their students, families keeping in touch, and many others.
To its credit, Zoom has not been ignoring these concerns and have been quite transparent. Eric S Yuan, founder and CEO of Zoom posted a message to all users, which highlighted many of the challenges and initiatives the company is taking.
Furthermore, the company made some changes to its user interface and display. These improvements include making security features easily accessible, such as locking the meeting, enabling a waiting room, removing participants, and restricting participants’ access.
All of this is very good, and the company should be commended for its efforts during these trying times.
However, one change stuck out to me the most – the removal of the meeting ID from the toolbar. The reason being that when people have shared screenshots of their virtual meetings, bad guys can use the meeting ID to try and join and ‘Zoombomb’ the meeting.
Image: Boris Johnson Twitter account
While I’m not against the removal of the meeting ID from the toolbar, it probably didn’t serve much purpose, if I’m honest. But I do see it as treating the symptom and not the cause.
As my learned colleague Roger Grimes states in his book ‘A Data-Driven Computer Defense ’, many organisations do not appropriately align computer security defenses with the threats that pose the greatest risk (i.e., damage) to their environment.
In other words, we need to be better at understanding the root cause of our threats and applying countermeasures to those instead of playing an elaborate game of whack-a-mole where we try to fix every issue, no matter how large or small.
With Zoom, the security or privacy risk wasn’t actually presented from the meeting ID being displayed in the title bar. The real threat is user behaviour.
The meeting ID didn’t magically post itself onto social media. Users took a photo of their computer screen which, amongst other things contained the meeting ID, and posted it onto social media.
What happens when someone posts a photo on social media where the whiteboard in the background has some sensitive information written on it? Do we demand that whiteboard manufacturers build a capability to clear the board when it detects a photo is being taken? No, that would be ridiculous – yet that is what we tend to expect from technologies.
Rather than trying to convince every software manufacturer to remove sensitive information from the toolbar on the off chance that a user may take a photo and post it online, wouldn’t it be easier to provide security awareness training to users so that they can identify potential risks, and make smarter security decisions themselves?