Don’t get “Zoom Bombed”

Unfortunately, there are some people in the world who never learnt any manners when they were little. Some of these grow up to be Zoom Bombers in the current Virtual First world we find ourselves in.

For those of you who don’t know, “Zoom Bombing”, as it’s known, is the practice of joining a virtual meeting online uninvited and creating some mayhem. This can range from the trivial (being a pest), to displaying graphic and horrific child abuse imagery, to stealing corporate information disclosed during the meeting.

So here’s a few tips to help you thwart the miscreants perpetrating these acts.

Try to avoid using Zoom and public registration.

Firstly, try to avoid allowing public self-registration for meetings if at all possible. It is difficult to police self-enrolment. If you do allow it, make sure you record (permanently) registrant email addresses, and send follow-up emails to ensure you’re dealing with a real email address and not a disposable “10 minute” email address.

Next, please alter the settings in your Zoom Application to reflect the following.

Disable these

  1. Disable “Embed Password in Meeting Link for One-Click Join”
  2. Set “Screen Sharing” to Host Only
  3. Disable “Remote Control”
  4. Disable “File Transfer”
  5. Disable “Allow Participants to Rename Themselves”
  6. Disable “Join Before Host”
  7. Disable “Allow Removed Participants to Rejoin”
  8. Disable “Recording” for participants.

Enable these settings

  1. Enable “Mute Participants Upon Entry”
  2. Enable “Always Show Meeting Control Toolbar”
  3. Enable “Identify Guest Participants in the Meeting/Webinar”
  4. Enable “Waiting Room”
  5. Enable “Require a Password When Scheduling New Meetings”
    1. For Instant, Scheduled and PMI (Personal Meeting ID) meetings
  6. Also enable “Require Password Minimum Length”
    1. 7 characters is a good minimum even if you only allow digits.

Now of course this doesn’t guarantee you won’t have uninvited miscreants. But it does make what they can do in there far less effective.

The keys to the Kingdom.

Passwords

They’re everywhere.  It seems you nearly need one to go to the bathroom these days.  Unfortunately though, they’re Essential.  No, essential isn’t strong enough.  They’re absolutely CRITICAL!

As you undoubtedly already know, these pesky passwords are quite literally the keys to the kingdom. You work with them, you bank with them, you store your online documents with them, you reveal your personal life on social media with them, you shop with them.  In short you secure your whole digital world with them.

However, we still deal daily with people who don’t seem to get what would happen if someone were to obtain the keys to their kingdom, particularly their email or social media accounts. If you re-use passwords at multiple sites (and we know none of you ever would 😉 ), it is trivial for someone to take the passwords leaked in a breach at one of those sites and use a technique known as Credential Stuffing (replaying those leaked username/password pairs against other sites) to compromise your other accounts. Once they have access to them, it all starts to unravel very quickly.
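The tell-tale sign of credential stuffing on the receiving end is one source trying many different accounts in a short burst, rather than one account being hammered. The following is an added example (not from the original post) that flags that pattern in a constructed sample of web-login log lines; the log format, IP addresses and usernames are all made up for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <client ip> <username> <result>".
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges; names are made up.
SAMPLE_LOG = """\
2024-05-01T09:00:01 203.0.113.7 alice FAIL
2024-05-01T09:00:02 203.0.113.7 bob FAIL
2024-05-01T09:00:02 203.0.113.7 carol FAIL
2024-05-01T09:00:03 203.0.113.7 dave FAIL
2024-05-01T09:00:03 203.0.113.7 erin OK
2024-05-01T09:00:04 203.0.113.7 frank FAIL
2024-05-01T09:05:00 198.51.100.4 grace FAIL
2024-05-01T09:05:09 198.51.100.4 grace FAIL
2024-05-01T09:05:20 198.51.100.4 grace OK
"""

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result

def find_stuffing_sources(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {ip: {"users": [...], "succeeded": [...]}} for every source IP that
    tried at least `min_users` *distinct* accounts within `window`.
    Many accounts from one source is the stuffing signature; one account failing
    repeatedly (grace above) is a mistyped password or plain brute force.
    Successes are kept because an OK inside a stuffing burst is exactly the reused
    password the attacker was looking for."""
    attempts = defaultdict(list)  # ip -> [(timestamp, user, result)]
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_line(line)
            attempts[ip].append((ts, user, result))
    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            burst = [(u, r) for t, u, r in events[i:] if t - start <= window]
            users = {u for u, _ in burst}
            if len(users) >= min_users:
                flagged[ip] = {"users": sorted(users),
                               "succeeded": sorted(u for u, r in burst if r == "OK")}
                break  # one hit per IP is enough to report it
    return flagged

if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: tried {len(info['users'])} accounts, got into {info['succeeded']}")
```

Accounts listed under `succeeded` are the ones whose owners need a password reset and a nudge towards a password manager.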

And let’s assume for the moment, that you truly don’t have anything important in your email or online documents (extremely unlikely, but I hear this argument all the time…). The issue is that other people trust you.  When you send an email to anyone you know, they assume that they can trust its contents. However, if your account has been compromised, all bets are off.  But your recipients may not know this.  We see this happen A LOT!!!

For the sake of brevity, please believe me when I say that ALL your online and computer passwords are critical. When they fall into the wrong hands, bad stuff follows. Incidentally, if you want to know whether your passwords are already compromised (pretty good chance they are), head on over to Troy Hunt’s excellent HaveIBeenPwned (no, that is not a typo) site to test your email addresses and passwords. IMO it is safe to test your usernames and passwords at Troy’s site.
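The reason testing a password at HaveIBeenPwned is considered safe is its k-anonymity lookup: only the first five hex characters of the password’s SHA-1 hash are sent, and the match is done on your side. As an added example (not code from the original post or from HIBP), here is that lookup implemented against the real range API endpoint, with a constructed offline response so it runs without a network; the count attached to “password” in that response is made up.

```python
import hashlib
import urllib.request

# Real endpoint of the Pwned Passwords range API behind HaveIBeenPwned: only the
# first 5 hex characters of the password's SHA-1 hash are ever sent to the site.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"

def split_hash(password):
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines (the API uses CRLF line endings) into a dict."""
    counts = {}
    for line in body.splitlines():
        if ":" in line:
            suffix, _, count = line.strip().partition(":")
            counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password, fetch_range):
    """Times the password appears in the breach corpus. This is k-anonymity: the
    prefix goes to the server, the suffix comparison happens locally, so the site
    never learns which of the hundreds of hashes in that bucket you cared about."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def fetch_range_live(prefix):
    """Query the real API (not used by the offline demo below)."""
    with urllib.request.urlopen(PWNED_RANGE_URL.format(prefix=prefix), timeout=10) as r:
        return r.read().decode("utf-8")

# Constructed stand-in for one range response so this runs offline: the genuine
# suffix of SHA-1("password") with a made-up count, plus two made-up suffixes.
_PW_PREFIX, _PW_SUFFIX = split_hash("password")
CONSTRUCTED_RESPONSE = "\r\n".join(["0" * 34 + "1:3", f"{_PW_SUFFIX}:3861493", "F" * 34 + "E:12"])

def fetch_range_offline(prefix):
    # Only the bucket for "password" exists in the constructed sample.
    return CONSTRUCTED_RESPONSE if prefix == _PW_PREFIX else ""

if __name__ == "__main__":
    for pw in ("password", "Ferrari desired-moolah,mi55ing"):
        n = pwned_count(pw, fetch_range_offline)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in the constructed sample'}")
```

Swap `fetch_range_offline` for `fetch_range_live` to query the real service; a non-zero count means the password has already appeared in a public breach and should be retired.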

And please remember, what we are trying to do here is to minimise the effects of an attack.  Attacks against your passwords will continue to happen all the time.  They’re happening right now as you read this.  Your job is to do everything reasonable to minimise the effect of those attacks.  Below is a good starting point.

So here’s what to do…

If you follow this advice, your digital world will be a lot more secure than it probably is now.

  1. Never reuse the same username/password combination on more than one site.
    1. So that means every site needs a different username/password combination.  Every Single One!  This is the most important thing to do.
  2. Obviously this means you can’t remember them all.  So don’t!  Use a password manager.  We use LastPass, but 1Password and Dashlane are also excellent.  At the very worst, write them in a book. LastPass has a free option that is pretty good if you just want it for home.
  3. A good password is hard to remember: more than 16 characters, mixing upper and lower case letters, numbers and symbols. (So use a password manager!)
  4. If you must remember the password (very frequent use, etc.) use a few disparate words strung together (e.g. “Ferrari desired-moolah,mi55ing”, and please don’t use this one).  Just something that you’ll remember, but that would be hard to determine from knowing something about you.
  5. Use 2FA/MFA anywhere you can.  (Two Factor Authentication or Multi Factor Authentication: something you know (like a password) plus something you have or are (like biometrics, an authenticator app, or a text message code).)  It’s not infallible, but it is way better than not having it.
  6. Don’t share your password with anyone.
  7. You also need to run, at a minimum, anti-malware software (or better still some EDR software like Cisco AMP for Endpoints) on any computers or Android devices.
    1. If you’re using Windows 10, Defender is free and comes bundled with it.
    2. If you’re using a Mac, consider Malwarebytes or ClamAV.
    3. If using Android (reconsider your life choices 😉 ), try any one of the 100s of name brands available. Androids are very prone to malware unfortunately.
    4. At this point I haven’t seen an Apple iOS product I’d recommend.  Not to say it doesn’t need one.  I just haven’t found it yet.

And there you have it.  Simple! Well maybe not simple, but free and achievable.  And please persist with the password manager.  They’re a pain for the first month, while you load them up with all your info.  Then you’ll wonder how you survived without one.

If you manage a mail exchanger, check out our baseline guidance article for Securing Mail Exchange Systems.

Safe Travels!

Ross Marston.

Culture Eats Process For Breakfast

BIS Happy Team

Creating a “secure” workplace culture.

It is never more true than when it pertains to Cyber Security.

We’ve all heard the saying, “Culture eats Process for breakfast”. In other words, you can have all the processes you want in place, but if the workplace culture doesn’t support the processes happening, they never will.

You can have as many processes in place as you want, but if you have a workplace culture, where staff are “shamed”, belittled or intimidated for security indiscretions, welllll…, you’ve already lost the battle I’m sorry to say.

In an environment where staff are in some way belittled for any security related incidents (opening a phishing email, being the object of a targeted attack, getting malware on their work station or server profile, etc, etc), most people will do the same thing.  They’ll avoid being belittled of course.

In other words, they’ll try their hardest to cover up the indiscretion.  They’ll avoid being associated with any security related incident at all costs. And why wouldn’t they?  They know the “consequences…”

What to do about it.

So what is the alternative?  We all know security incidents are bad, right?  The media is constantly banging on (mostly inaccurately) about various security incidents.  Who the latest victim is, or some other sensationalised, inaccurate story.

And of course, everyone hates being the person that clicked on the link in the phishing email, or went to the site infected with malvertising, etc.  Even the IT guy who left his company’s website exposed to SQLi or XSS attacks.

But what about if we change that culture?  What about being rewarded (or at the very least thanked) for finding the spear phishing, clone phishing or whaling attack email and notifying your staff mates and IT?  What if there was a demonstrable benefit to quickly notifying your IT specialists if you suspect your devices have been compromised.  What if there was even some sort of game and reward associated with prompt action regarding any security incident?

Now you have what we like to call a warmware firewall.  An early warning and detection system to rival the best NextGen, GenIV, AI, [insert other meaningless sales term here] Firewall available.  Now we have staff and IT motivated to find, notify, and help eliminate Cyber security threats as soon as they’re detected or even suspected.

So how does this work in practice?

Humans (the warmware ones we’ve already mentioned) are the ideal firewall.  They’re self learning, they possess AI (Actual Intelligence as opposed to that other sort), and they’re motivated to help naturally as opposed to programmatically.

With some simple and ongoing training, and some motivation (warm fuzzy, financial or otherwise), they’re the perfect resource for building significant resilience into your Cyber Defense systems.

Example

Here’s an example of how I think this might work, both before and after culture change…

A user inadvertently follows a link in an innocuous (or even obvious) looking email.

  • Before culture change
    • User thinks “last time Bob mentioned something like this the IT guys laughed at him, and everyone else gave him a hard time for being so ‘stupid’.  I’m just going to shut up.  If it has done any damage, someone else might notice it and, it won’t get traced back to me.  If it does, I’ll just deny it.”
    • User shuts up and just keeps working albeit with more perspiration than before.
    • Eventually IT department finds that nightly backups are getting filled with strange files.
    • Investigation reveals most of their file system has been encrypted and held for ransom.
    • It’s taken so long to discover that the encrypted files have written over all the “good files” in the backups.
    • Company is forced to negotiate with Cyber Criminals to try to recover their encrypted files.  Unsuccessfully!
    • Everyone hopes it wasn’t their fault.  But it doesn’t really matter as they probably won’t have jobs next week anyway.
  • After Culture change to a Security Rewarding culture
    • User thinks “I better tell IT and team straight away!”
    • User immediately logs off and turns computer off, calls IT.
    • Problem is rectified with very little damage to company infrastructure.
    • User is rewarded with a new Mercedes, or TimTams in the fridge [or insert more practical reward of your choice here…] for their quick action saving the company from extinction.

Some things I think staff should be rewarded for…

There’s obviously no point just creating white noise of false positive alerts.  We need to encourage staff to be alert to certain (and ever changing) events to make this system work.  But at the top of this list needs to be the end to victimisation (or vilification) of people for reporting issues.

So if users or staff make a false positive report, use the opportunity to encourage them and maybe even educate a little on what to look for in the future.  But if they alert you or others to a real issue, reward them!  It’s the best firewall you’ll ever purchase.

A (very non-exhaustive) rewards list…

  • Users who use good Password hygiene…
    • who use a Password Manager to store their myriad of passwords for various sites.  (We recommend either KeePass or 1Password.)
    • who don’t use the same username/password combination on multiple sites
    • who use complex passwords (16 characters with many different types of characters)
    • Who change their passwords regularly.
  • IT People finding vulnerabilities and patching.
  • Users or IT Staff finding un-patched browsers, Apps, or OSs
  • IT Staff noticing unauthorised devices on their networks.
  • Users finding scams or phishing attempts and alerting others.
    • emails with dodgy attachments
    • emails with suspect links
    • emails from suppliers or contractors that are “unusual or unexpected”.
    • AGL electricity bills when you don’t use AGL.
    • Emails that seem to know a lot about you from people you don’t know.
    • Parcel delivery notifications.
    • Overly amorous offers from unknown people.
    • I could go on all day here.  The point is if you find them.  Let others know that it is suspect, so they may be able to spot it next time.
  • Users notifying management about unusual behavior (other staff or their own workstation)
    • Someone copying large quantities of data to USB drives.
    • Their own computer behaving unusually after visiting a site (weird pop-up, etc.)
    • Their computer behaving unusually after opening an email or clicking on a link.
      • e.g. “Nothing seemed to happen when I opened the document.”
      • “It asked me if I wanted to enable Macros.”
      • “Strange popup windows appeared.”
      • “It took me to a completely different site than what I was expecting.”
    • Finding a file that looks like it has been encrypted, or a file that now has a weird extension
      • e.g. .enc or .locky when it should be .xlsx
  • Users finding that their browser or operating system is out of date or has patches ready to be applied that they think IT may be unaware of.
  • Users finding errors when accessing websites. (e.g. “Flash player is out of date”)
  • Users finding your company info in places it shouldn’t be.
  • The list could go on and on.  Maybe create your own and share it with us.

The bottom line is, let’s stop the pointless practice of shaming staff and users who have either made a mistake or inadvertently done “the wrong thing”, and start rewarding our precious “Warmware Firewalls” for their great work in helping to build the defenses of our businesses.

You have absolutely nothing to lose with this approach.  This is a secure culture.

Contact our office for more information on our Workplace Cyber Awareness programs, or any other Cyber security Related issues.

Stay Safe
Ross Marston

Business Intelligence Security