This week’s Drilldown focuses on two items (included below) from NewsBites Issue 32 and Issue 33. I’m continuing the theme of thinking ahead to keeping business secure as some parts of the economy try to reopen, while also trying to make permanent security gains that last through the new normal.
The first item relates to the need for added trust services when virtual actions replace (or at least augment) in-person transactions or other security-relevant actions. Proctoring of exams, requirements for public notarization of documents or the movement of sports and gambling events to online versions are public examples.
There are also implicit dependencies on physical “togetherness” within many security operations processes. Help desks often rely on internal telephone extensions to verify a call is from an employee. Procurement, shipping and logistic staffs (and security operations!) often work in a common space, and a shout across the room is used for sanity checking many sensitive actions.
Putting in place virtual equivalents of verifying identity or quick shoutouts for verification, as well as means to verify infection status before allowing physical entry to newly reopened facilities, will mean a new testing and resetting of the boundaries between security and individual privacy. Now is a good time to make sure your chief legal counsel or privacy officer are aware of where the issues will likely arise and to start the dialogue before the rush to resume business hits.
The second item is more progress from Zoom in addressing security deficiencies in its service, a very good thing. However, I want to emphasize there is a predictable curve when a vendor finally starts to emphasize the security of its product.
[Skewing old her, feel free to skip this paragraph] Back in 2001, Microsoft’s IE browser and IIS web server were getting hammered by malware worms, causing worldwide disruption of business. In January 2002, then-Microsoft CEO Bill Gates sent out his “Security Is Now Job 1” memo to all Microsoft employees and resulted in a moratorium on application features while all developers focused on rectifying known and newly discovered vulnerabilities. Very similar to Zoom’s actions after CEO Eric Yuan’s apology for having “...fallen short of the community’s--and our own--privacy and security expectations.”
Back when Microsoft finally began to emphasize security (and later on when Salesforce.com, Amazon Web Services (AWS) and other cloud services providers did the same), many strong security features were added and the overall security of the products and services increased tremendously, but only when those features were properly configured, managed and monitored. Security management capabilities lagged for years.
Zoom is adding security features, but still has a simple browser-based administrative dashboard that mostly focuses on performance, with no security admin role defined and with only .CSV export supported for needed monitoring and analysis. Zoom administrators are not likely to be knowledgeable on those settings without training or support from security experts. Third-party vendors will step up with add-on products or extend existing cloud security monitoring products to integrate with Zoom. But .CSV export only goes so far--scalable monitoring is dependent on Zoom publishing (and testing) more security APIs.
For the interim, security teams with business dependency on Zoom should keep up with the security releases, work with Zoom admins on optimizing configurations and evaluate third-party cloud security monitoring tools for increasing visibility into security-relevant Zoom events.
____________________________________________________________________________
Virtual Exam Monitoring Raises Privacy Concerns
(April 1 and 20, 2020)
Students at the Australian National University (ANU) are protesting the school’s plan to install monitoring software on their home computers to ensure that they do not cheat on exams. The software, Proctorio, identifies students biometrically, locks down the system to prevent the transmission of outside information during the exam and records the environment during the exam. It also tracks students’ eye movements. In a separate story, some U.S. schools are using Proctorio as well as live remote proctors to monitor students during exams.
Editors’ Notes
[Pescatore] In many ways, dealing with the current impact of the coronavirus and coming out of it will require some trade-offs between privacy and safety/security/trustability. Some U.S. states are suspending laws requiring in-person notarization of legal documents; some are not. Some will risk cheating over invasive controls. For now, these will be local “learn as we go” decisions, but in the future I think we will see “remote drills” to test processes a few times per year, just as we do fire drills in most buildings.
[Neely] A great success story, while it still uses in-person proctors, is the Anchorage Amateur Radio Club remote testing, which has been performed in 32 states and Antarctica to date. For those seeking GIAC certification attempts, or other exams proctored by Pearson VUE, check the Pearson VUE site for relevant information.
Zoom 5.0 Includes Security and Privacy Improvements
(April 22, 2020)
Zoom has released a new version of its teleconferencing software. New features in Zoom 5.0 include controlled data routing and passwords on by default for all meetings, and administrators can now establish password complexity requirements. Zoom is also implementing stronger encryption, which is expected to be enabled systemwide by the end of May. The newest version of Zoom will be rolled out to users over the next week.
Editors' Notes
[Pescatore] Zoom continues to live up to its promise to enhance security, but there is a predictable trajectory when IT platforms retroactively add security features. Security management capabilities tend to lag, providing limited visibility into and tracking of critical security policies/events. The Business version of Zoom has an admin dashboard that is mostly performance oriented and relies on exporting .CSV files for any deeper analysis--never a scalable approach. Third-party partner vendors can fill the gap, but the Zoom App Marketplace has a very limited choice of small vendors. Zoom may add more security management capabilities, but training will be required for admins and security analysts on how to properly configure and monitor security relevant features, how to integrate to SIEM, etc. Many will require direct vendor support until these capabilities mature. At the Enterprise pricing level of Zoom ($1,999/month minimum), organizations get a dedicated “Customer Success Manager,” which many may need to buy.
[Neely] The update is not available yet--yes, I tried to update before reading that, too. The plan is to push out client updates next week. Zoom is updating to AES-265-GCM encryption and allowing your account admin to control meeting routing. Also, Zoom is grouping the security settings under a new security icon. The Zoom blog explains the new features.
