Ms. Janell & her husband, whose is the CTO and Information Security Officer for a company that does education technology consulting, put together a comprehensive guide to Zoom safety & security for the Renaissance staff, and suggested we share these tips with the whole community. Please make sure you review these and have a safe online experience!
If you need to use Zoom to host meetings, take the following precautions to guard against "zoom bombing." We have direct reports of school class zoom sessions being accessed by malicious actors who then proceed to disrupt the group with profanity, pornography displayed via screen sharing, and inappropriate images or nudity on their webcam. Below are the steps that you can take to prevent malicious actors from disrupting your meetings and classes:
1. When you schedule a Zoom meeting, enable a password to prevent unauthorized users from joining. Use a numeric password so that those joining by phone and not computer can join. Open the Zoom application, click schedule a meeting, check the checkbox by "Require meeting password" and choose a number. Share that number with your class or other attendees in advance.
2. Disable allowing users to join before the host. Expand the Advanced option on the Schedule Meeting screen, and uncheck "Enable join before host". This prevents the attendees from getting into the virtual meeting before the host so that the host can intervene quickly if a malicious actor has joined. We recommend muting participants on joining as well. You will need to un-mute participants for them to speak to the group. (We've seen one Kindergarten teacher master that mute button during "group share", enable each child to speak during their turn).
3. When you end a meeting, make sure that you choose "End meeting for all." This ensures that all participants will forced to leave and the meeting will end.
4. Consider only allowing the host to screen share. Click on the settings gear in the upper right of the Zoom application window. This will take you to a web page (you'll need to log into your zoom account), scroll down to Screen Sharing, and set "Who can share?" to Host Only.
5. Consider what chat features you want to enable. You might want to turn off Private Chat so that attendees cannot send private messages that the host cannot see or moderate. If you don't need participants to contribute to a group chat, consider disabling chat completely. The shot below shows both Chat types enabled. These controls are on the web page as well. If you make changes, you may get various Save or Confirm buttons or dialog boxes (it is different for different settings - some enable immediately).
If a malicious actor gets into your meeting, end the meeting and do not try to restart with that meeting ID. If the meeting has not been configured to require a password or guest can join in advance, it is very likely that the malicious actors will return.
The FBI released guidelines as well that include these recommendations. If you want to read more, here is the full guidance from the National Cyber Awareness System:
The Federal Bureau of Investigation (FBI) has released an article on defending against video-teleconferencing (VTC) hijacking (referred to as “Zoom-bombing” when attacks are to the Zoom VTC platform). Many organizations and individuals are increasingly dependent on VTC platforms, such as Zoom and Microsoft Teams, to stay connected during the Coronavirus Disease 2019 (COVID-19) pandemic. The FBI has released this guidance in response to an increase in reports of VTC hijacking.
The Cybersecurity and Infrastructure Security Agency encourages users and administrators to review the FBI article as well as the following steps to improve VTC cybersecurity:
Ensure meetings are private, either by requiring a password for entry or controlling guest access from a waiting room.
Consider security requirements when selecting vendors. For example, if end-to-end encryption is necessary, does the vendor offer it?
Ensure VTC software is up to date. See Understanding Patches and Software Updates.
CISA also recommends the following VTC cybersecurity resources: