One thing I’ve learned from a career in the information security industry is that any big global event has security implications — elections, hurricanes, earthquakes, matters of war and peace, you name it.
The dots that connect infosec to COVID-19 were apparent from the beginning. I saw the virus becoming the main preoccupation among attendees at the RSA Conference — the last in-person event I attended before all hell broke loose.
Since then, it’s been the main concern among clients my company serves. (It bears repeating that I’m grateful to be doing work that matters during this crisis.)
As we all hunker down and work from home, videoconferencing has become a front-and-center security challenge. Malicious hackers have set their sights on these platforms to cause disruption and steal our personal data.
Amid this, Zoom has become the poster child for the technology’s security holes. Zoom CEO Eric Yuan has addressed the problems — vulnerabilities that enable such things as “Zoombombing,” when intruders hijack video calls and post hate speech and pornography.
“‘If we mess up again, it’s done,’ I thought a lot last night,” he told The Wall Street Journal.
There has been a rising chorus of security professionals warning people not to use Zoom, especially for business meetings. There are many other, more secure options for videoconferencing, they say. There’s some validity in that. I’ve also seen reports of similar security holes in other video platforms. That’s a vulnerability management issue corporate security teams must stay on top of.
But for the larger population, I don’t see Zoom going away, nor should it. Yuan is right — his company needs to get a handle on this. But there will never be 100 percent security. There never is with anything.
I also don’t believe the security challenges should diminish our gratitude for what has become a critical lifeline during the pandemic.
Personally, Zoom has allowed me to stay connected to friends, family and industry peers. Without it, I can’t say for certain that I’d be managing my emotions as well as I have. I’ve even made new connections that I’ll be learning from long after this crisis passes.
I suspect many of you could say the same.
My takeaway: Keep using Zoom. Just be mindful of the security risks and take the necessary precautions. Some people I collaborate with in my day job have offered some useful advice.
It’s also worth noting that some of the smartest security minds on Earth continue to use Zoom for things like virtual happy hours. If they still feel safe using it, so do I.
I’ll end with some perspective from my friend Dave Kennedy, founder of Binary Defense and TrustedSec, along with Amit Serper, VP of security strategy and principal security researcher at Cybereason, and Russ Handorf, Ph.D., principal threat intelligence hacker at White Ops.
Together they have written about concrete security steps all users can take. I recommend you read it all. As they note in the article:
The Internet, and especially infosec Twitter, is full of hot takes and attempts to generate sensational headlines and alarmist news items. It’s important to remember that “not all that glitters is gold”. Vulnerabilities exist in many programs and no piece of code is immune to such issues. Not every vulnerability or exposure is critical and creates an unmitigated or dangerous risk. Knowing what your threat is and applying careful thought to threat modeling is a crucial part of understanding the problem and determining its true effects.