Safe Network Archives - Foster Institute

Zoom Security Settings – The Concise Details

Mike Foster — Wed, 08 Apr 2020 16:50:02 +0000

Zoom has many security settings. This is a detailed but concise guide to the settings and how they work.

Update: The information in this video is applicable and useful now. As of April 27, Zoom v5.0 is making security improvements and moving settings. Once Zoom’s settings are stable, we’ll update this video. The video applies to the paid version of Zoom. Login to the Zoom website to set your security settings.

Fasten your seatbelt. There are lots of security settings in Zoom. You must change default settings to help close the doors to hackers.

To access the account settings, sign into the Zoom website, click on your account on the far right of the top bar. You can also select a link to Account Management, under which you can reach the Account Settings.

The free version of Zoom lacks some essential security controls. In the paid version, the best place to start is, in the left-hand column, under ADMIN, select Account Management > Account Settings. By default, you’re already on the meeting tab.

One of the first things you’ll notice is that some settings have a lock symbol next to them. Zoom allows you to configure settings at an account level, group level, and user level. Here, at the account level, if you click the lock icon, that setting will override the group and user settings.

HOST VIDEO: Disable this setting so the host will start meetings with their video off. The host will be able to show their video when they choose.

JOIN BEFORE HOST: Disable and lock the setting that would allow others to join the meeting before the host arrives. Never let anyone start communicating until you join to moderate the conversation.

USE PERSONAL MEETING ID (PMI) WHEN SCHEDULING A MEETING: You may not know it yet, but Zoom sets up a private meeting room for you that runs all the time. Your Personal Meeting ID, abbreviated PMI, is the Zoom address to your room. You want your PMI address to be confidential. Disable this setting.

USE PERSONAL MEETING ID (PMI) WHEN STARTING AN INSTANT MEETING: Disable this too for the same reason.

ONLY AUTHENTICATED USERS CAN JOIN MEETINGS: Enable this to add more protection if you meet with coworkers and other people you know who have Zoom accounts. However, you might choose to disable the setting if you will meet with clients, prospects, or anyone else who might not have Zoom accounts.

REQUIRE A PASSWORD WHEN SCHEDULING MEETINGS. Enable this option for all meeting types. Jot down your PMI password.

Here’s a tip. In case you are ever in a meeting and need to know the password quickly, click on the icon to invite someone, then Zoom displays the meeting ID at the top and the meeting’s password on the lower right corner of your window.

EMBED PASSWORDS IN MEETING LINK FOR ONE-CLICK JOIN: Leaving the setting enabled means the invitation’s link to the meeting includes a built-in password. Invitees are not prompted for and do not need to know the password. That means you can require passwords, and your clientele doesn’t even need to know.

However, embedding the passphrase inside the invitation exposes you to risk. If an unauthorized person obtains the email message, then they, too, can authenticate to your meeting without needing to know the password. If you disable this setting, tell everyone in the meeting the password through some method other than email.

REQUIRE PASSWORD FOR PARTICIPANTS JOINING BY PHONE: Enable this if you want to protect against unauthorized callers.

MUTE PARTICIPANTS ON ENTRY: Enable this, not only for security but to protect the meeting from background noise near a participant.

CHAT: Disable this setting here. If an unauthorized person joins the meeting, you don’t want them to send disturbing chat messages for all to see. If some sessions require chat, do not click the lock.

PRIVATE CHAT: Disable private chat. Protect your participants from unwelcome interruptions from others, perhaps uninvited participants.

PLAY SOUND WHEN PARTICIPANTS JOIN OR LEAVE: Enable this setting to avoid being surprised to find out someone joined, and you didn’t notice. Check the box if you want to require telephone participants to record their names for an announcement when they join.

FILE TRANSFER: Disable and lock this setting. Blocking file transfers helps stop the spread of malware and potentially offensive content.

FEEDBACK TO ZOOM: Disable this feature.

ALLOW HOST TO PUT ATTENDEE ON HOLD: Enable and lock this setting for when you need to have a conversation without everyone listening.

ALWAYS SHOW MEETING CONTROL TOOLBAR: Enable this setting to make your life easier.

SHOW ZOOM WINDOWS DURING SCREEN SHARE: Disable this setting. Unless you are training people to host Zoom, no one needs to see what the host sees.

SCREEN SHARING: Unless you need people to show what’s on their screens to everyone during the meeting, set sharing to host only. If participants can share, there is a risk that someone, perhaps an uninvited participant, could show unwelcome content.

DISABLE DESKTOP/SCREENSHARE FOR USERS: Zoom allows the sharing of an entire monitor or sharing just one program’s window. Enable this setting if you want Zoom only to show the program window. This setting helps protect your participants, and the host, from accidentally sharing sensitive information somewhere on their desktop.

If, however, someone plans to use PowerPoint in presenter mode, disable this feature so that the host can share the whole monitor for displaying the slides.

ANNOTATION: Unless annotation is essential for your meeting, disable it. Turning off annotation prevents an uninvited participant from interrupting the flow of the meeting by placing images all over the screen.

WHITEBOARD: Unless you need the Whiteboard, disable it for the same reason you disable annotation.

REMOTE CONTROL: Unless you need participants to let others remotely control the shared content, disable this feature.

ALLOW REMOVED PARTICIPANTS TO REJOIN: Unless you think you might accidentally remove someone from a meeting, disable this feature to tell Zoom to keep them out.

FAR END CAMERA CONTROL: Disable this setting unless you want someone else to take control of your camera during your meeting.

VIRTUAL BACKGROUND: For security and privacy, tell workers to hide what is in their home office. Your workers can use a green screen backdrop, some attach to the back of chairs, but Zoom can usually differentiate between them and their background either way.

ENABLE IDENTIFYING GUEST PARTICIPANTS: This setting makes it easier for people who belong to your account to identify a potential intruder.

ALLOW USERS TO SELECT ORIGINAL SOUND IN THEIR CLIENT SETTINGS: Enable this feature. It isn’t so much for security as for sanity. If a participant’s voice is garbled, they can select original sound. Then you may be able to hear them.

WAITING ROOM: This is one of the most important and useful security settings in Zoom. Enable and lock this setting so that when participants try to join the meeting, they are held in a waiting room until the host permits them to enter.

Go back up to the top of that very long page. You’ll notice three headings: Meeting, Recording, and Telephone. Click the word Recording to move to the recording tab.

LOCAL RECORDING: Local recording means a participant can save the meeting to their computer. Disable the setting for confidential meetings. Otherwise, an unauthorized person could access that recorded file. A security risk is that the user could store the data in the cloud without a password.

CLOUD RECORDING: Unless you need to have a recording of the meeting, disable cloud recording too. In theory, cloud recordings are more secure since the users don’t have a file they must protect.

You’ll find many additional options. You might want to involve your IT Professional to help you choose the settings.

Scroll back up. Look in the left-hand column under PERSONAL and click on the Profile settings:

PERSONAL MEETING ID: Leave the random number alone. Zoom sets up a private meeting room for you to use anytime, and that PMI is the address to your room. Don’t make it easy for someone to find your PMI address. It is tempting to make your PMI match your phone number, but don’t.

In the left-hand column on the screen, skip down to Personal > Settings. On the Meeting tab, confirm that the host video is off and that Join before the host is disabled too.

Now go back up in the left-hand column to your Personal > Meetings settings, click on the Personal Meeting Room tab at the top. Confirm the settings match what you configured already. Essential settings include a green checkmark for Mute participants upon entry and a green checkmark in front of the Enable waiting room setting.

If you have other users and groups, Zoom suggests you review their account to verify the settings took hold.

When you schedule a meeting: Meeting ID: Generate Automatically. By now, you know to keep your Personal Meeting ID private except for a few people you trust.

Last, you can check for Zoom updates. Open your account settings by clicking on your account icon. Then select the option to check for updates. Zoom makes updates that improve Zoom’s security, but the updates do not help you until you install them.

To help protect your Zoom meetings, watch other videos that cover concerns about using Zoom, configuring the two-step login feature, and a video run-through of settings for paid accounts so you can simply follow along.

Zoom Security – Set Up Two-Step Login

Zoom Security Issues – Protect Yourself

Zoom Security – Follow Along to Set Settings

The post Zoom Security Settings – The Concise Details appeared first on Foster Institute.

Your Software, such as CCleaner, May Have Backdoors

Mike Foster — Tue, 19 Sep 2017 15:12:28 +0000

Can you trust programs you download? Millions of users, including outsourced computer firms, use a program called CCleaner on their own and on customers’ computers. CCleaner just announced that some of its software was compromised and has been stealing data from users’ computers.

Every program that you install on your computer is a potential security risk.

CCleaner may be installed on your computers, right now, by well meaning, qualified, IT professionals who care about you and your organization. It is a powerful tool with many beneficial features. Yet it has been hacked.

It will not help you to invest energy being angry at your in-house, or outsourced, IT professionals, or to be angry at the developer of CCleaner. They mean well and are using their skills to protect you and your company. CCleaner has undoubtedly added a great deal of value to the world by speeding up computers and removing malware. At some point, IT professionals have to trust that some programs are secure.

But their trust is exactly what attackers are counting on.

What you, as an executive, must do is to ask your IT team for a list of all programs installed on your network. Ask IT to uninstall all programs, that you, with their input, decide are not absolutely essential for you to use to serve your employees and customers. Do not burden them with making that decision on their own.

You owe that to your customers who trust you with their information.

You may decide to stick to using programs from well known and vetted companies, although that is no guarantee that the program is safe. Any program that is installed by millions of users becomes a target for attackers to use as a vector into your organization’s computers.

If you use CCleaner, uninstall it. Know that some of your data, perhaps whole computers, have been compromised. You can read their official announcement here: https://forum.piriform.com/index.php?showtopic=48869

Know that uninstalling software does not remove the malicious code imbedded in your computer. And don’t count on your anti-virus to find the code. Attackers know how to hide malware from anti-virus programs. The best thing to do would be to rebuild the computers from scratch. Hackers are counting on the fact that your IT Pros do not have time to reload each computer. Ask your IT Pros if they have time. Either free up some of their time so they can perform the reload, or bring in an outsourced company to help, or choose to accept the risk and go on. That’s a decision for the executives to make. Using a technology called VDI makes the reinstallation process much easier.

If you want to continue to use CCleaner, if there is an executive level decision that the risk is worth the benefit, then you can ask IT to re-install the newest version.

Forward this to every executive you know. Tell them about this crisis, and how they must be involved in identifying all non-essential programs, so that IT can uninstall them.

The post Your Software, such as CCleaner, May Have Backdoors appeared first on Foster Institute.

Credit Monitoring is Not Enough – You Must Place Credit Freezes to Protect Yourself

Mike Foster — Mon, 18 Sep 2017 16:10:26 +0000

Regarding the Equifax breach, the breach affects about half of America’s population, so take action. Experts agree that one of the best things you can do to protect yourself is to place a credit freeze on your credit reports.Credit monitoring is nice because it can tell you something bad has already happened, but prevention is important too. The FTC provides more info to you about credit freezes and why they help so much: https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs

To save you time, below are shortcuts that worked on Saturday. Freeze all 4; go to all 4 sites:

Experian (888) 397-3742
https://www.experian.com/freeze/center.html

TransUnion LLC – To Freeze: (888) 909-8872
https://www.transunion.com/credit-freeze

Equifax Information Services, LLC (800) 685-1111
https://www.equifax.com/personal/credit-report-services/

Innovis – To Freeze: (800) 540-2505
https://www.innovis.com/personal/securityFreeze

The post Credit Monitoring is Not Enough – You Must Place Credit Freezes to Protect Yourself appeared first on Foster Institute.

What You Need to Do to Protect Yourself after the Equifax Breach

Mike Foster — Fri, 08 Sep 2017 20:09:08 +0000

You may be one of the 143 million people affected by the Equifax hacking breach that was announced yesterday.

Data stolen may include contact information, dates of birth, driver’s license information, and Social Security numbers. Attackers can make money selling the information to people who could steal your identity and take out loans in your name.

Place a credit freeze on your credit report. To do so, contact all four: Experian, Innovis, Trans Union, and, you guessed it, Equifax. In total, you’ll spend less than $75 to place the freeze.

A credit freeze stops people for gaining access to your credit report. It is difficult for an imposter to borrow money if a lender cannot check a credit report first.

Remember, credit monitoring, though good, sometimes only catches bad things when it is too late.

A security freeze is more effective, and lasts longer, than a fraud alert.

Additionally, watch out for anything odd or abnormal on your bank statements. Download your credit reports every quarter to see what is on them. One way to see your credit reports is to use a service such as annualcreditreport dot com

The FTC gives suggestions about avoiding and handling identity theft at consumer.ftc dot gov/features/feature-0014-identity-theft

Equifax has set up a website equifaxsecurity2017 dot com for people to see if their information was part of the breach. However, many people have been experiencing problems with that website.

Executives – FYI: Reports say that the attack did not result from social engineering. In other words, nobody clicked a bad link in an email. The attackers got in because an Equifax website was insecure. Have you had someone check the security of your website lately? If your site simply displays static information, you are at a much lower risk than if your site has a place for someone to login and/or look up information via your site.

Reports say that the breach may have happened as early as May, and Equifax discovered the breach on July 29. The time between when attackers compromise a system, and when it is discovered, is called dwell time. The best thing to do is to stop hackers from getting in to begin with. Keep security a top priority at your organization! The attackers are counting on you to overlook important steps.

Please forward this to anyone you care about…

The post What You Need to Do to Protect Yourself after the Equifax Breach appeared first on Foster Institute.

Make Life Easier – Go Back to Easy Passwords

Mike Foster — Tue, 05 Sep 2017 16:09:08 +0000

NIST, the National Institute of Standards and Technology in the US, is releasing new password standards that make passwords so much easier…

Using plain letters is enough; numbers and symbols are optional.

Passwords need to be long, at least 8 characters. 16 or more is better.

You don’t have to reset passwords unless you suspect a data breach. Wow!

However, passwords cannot match a database of stolen or easy to guess passwords. And, your login mechanism has to have a way to verify that.

That’s the basic gist. You can read the details in the NIST Special Publication 800-63 at https://pages.nist dot gov/800-63-3/sp800-63-3.html It covers secret questions, two step login, etc.

Now, hopefully PCI and other standards will update their rules too.

Please forward this to anyone who is sick of complicated passwords and having to change them every 90 days.

The post Make Life Easier – Go Back to Easy Passwords appeared first on Foster Institute.

Moms, Dads, and Friends: Take 7 Steps to Secure Your Students’ Computers

Mike Foster — Tue, 29 Aug 2017 15:58:37 +0000

School is starting again and many students need computers. Take these important steps to help make them more secure:In addition to how they back up now, they also need to perform image backups that will back up everything, even programs, so that restore operations can go quickly and not interfere with schoolwork. Image backup tools include Shadow Protect Desktop from Storage Craft, and Acronis True Image. For Macs, use Carbon Copy Cloner.

Be sure the “automatic update” feature is turned on in Windows and in Mac OS. Students must have the critical security patches installed to dramatically increase security. They’ll need to patch their browsers separately.

Uninstall all programs that they don’t think they will use. Start with the programs that are easy to recognize and skip the rest for now. Each program is a potential toe-hold for an attacker to gain access to a system. Worst case, if they delete something now that they need later, they can re-install it. In particular, remove Java and Flash. These are two tools that are frequently hacked and may be unnecessary. If a student finds they need either, he or she can reinstall them with the newest version. Make sure they get Java only from java dot com and Flash from get.adobe dot com/flashplayer/

Make sure they make their user account a “standard user” on their computer. This helps block attackers. Steps for Windows and Mac: 1) Create a new user 2) promote that user to be a local administrator 3) Demote your account to a standard user and use your own account.

Turn on two-step verifications on all the websites they visit. The setting is usually in the security settings of the website.

They need to keep their computer physically secure. Someone could access their files, social media, and e-mail accounts easily and without their knowledge. Passwords aren’t that helpful. It is usually trivial to bypass passwords on computers once an attacker gains physical access to a computer.

And though they may not heed this last step, it is a really good idea to avoid connoting to Wi-Fi services at school, coffee shops, etc. It is better if they use their phone or personal hot-spot to connect their computer to the Internet when they need to. The phone charges may be lower than you expect, especially if you call your phone provider and check about new data plan options.

Please forward this to your friends who have students; it can help prevent some big heartaches.

The post Moms, Dads, and Friends: Take 7 Steps to Secure Your Students’ Computers appeared first on Foster Institute.

Hacker Convention Starts Later This Week

Mike Foster — Mon, 24 Jul 2017 13:00:02 +0000

Expect to see an increase in interesting news stories about what can be hacked this week. The big hacker convention DEFCON starts this week and lots of new announcements will be made as part of the program.

If you will be in Vegas, leave your laptop and phone at home – lest you end up on the infamous wall of shame for being hacked. The website is defcon dot org

The post Hacker Convention Starts Later This Week appeared first on Foster Institute.

Fix A Computer in Minutes and It Works Almost Every Time

Mike Foster — Fri, 21 Jul 2017 15:43:56 +0000

I was stranded in the Portland airport last night because of a mechanical failure on the first flight. You’ve had similar situations for sure. What would your travel experience be like if the airlines could immediately reset a plane to be brand new if it breaks?

With computers, you can be up and running ASAP. Unless there is something broken with the computer’s hardware, a broken computer can be revived in just a few minutes.

In order for this to happen, ask your IT department (if they haven’t already) to create a golden image.

First they will set up a computer and configure it exactly the way it needs to be for your business – and you could do this for home computers too. Second, make an image backup of the computer. Recommended tools are below.

Now, you have a golden image, configured in the way you like with all the right software installed, etc., that can be restored to a computer to reset the computer to be like new again.

From now on, whenever you suspect that a computer is infected with a virus, has been hacked, or is just malfunctioning in general, do not troubleshoot it. Dump a golden image back onto the computer and refresh it to be like new.

Note: All the data will be overwritten when you restore the image. So, for personal computers, be sure to back up the data prior to restoring an image. At the office, all users store their data files on servers, not on workstations, right?

You may find that your IT team can create a single golden image that can be used on different models of computers, or they may need to make separate images for each model. If you use a technology called VDI, this is even easier. VDI is a different topic though.

Image backup tools include Shadow Protect Desktop from Storage Craft, and Acronis True Image. For Macs, use Carbon Copy Cloner.

Please forward this to everyone you know who troubleshoots a computer if it is acting up. There is another way, and troubleshooting may not be able to completely remove a virus if the computer is infected anyway.

The post Fix A Computer in Minutes and It Works Almost Every Time appeared first on Foster Institute.

Recover Quickly if Ransomware Attacks at Remote Worker and Home Computers

Mike Foster — Fri, 14 Jul 2017 21:19:21 +0000

Ransomware is a common problem. If an attacker encrypts all your files and demands that you pay ransom to unlock your files, you will want to be able to recover quickly. Regular backups are not enough.

Regular backups, including file backups, can do a great job of protecting your documents, pictures, and other files. But a full restore of a computer after an attack can take a very long time, and often requires you to reset the computer to factory defaults and spend hours reloading your programs.

If you need to restore after an attack, restoring an entire image is much faster than starting a re-installation from scratch. Disk images are a one-to-one copy of everything on your computer’s internal hard drive. Most often, you will replicate your drives to an external USB hard drive.

Image backup tools include Shadow Protect Desktop from Storage Craft, and Acronis True Image. For Macs, use Carbon Copy Cloner.

Keep using whatever backup method you already use for backup too. Image backup is an addition, not a replacement.

Please forward this to everyone you know who would like to be able to recover their computer quickly in the event of a ransomware attack.

The post Recover Quickly if Ransomware Attacks at Remote Worker and Home Computers appeared first on Foster Institute.

The UK Is Preparing to Attack Hackers with Army, Navy and Air Force.

Mike Foster — Mon, 03 Jul 2017 19:09:58 +0000

The UK is preparing to attack hackers with Army, Navy and Air Force.

Sir Michael Fallon, the UK’s defense secretary, warned attackers that the UK will hunt them down, and respond not just in cyber-space, but also using air, land, and sea forces.

Imagine soldiers, drones, and even missiles directed at anyone the UK identifies as a cyber-criminal.

Will attackers receive this as a deterrent? Or will attackers respond: “You realize, of course… This means war!” (Bugs Bunny cartoons).

You can read more details at www.bbc dot com/news/uk-politics-40423164

The post The UK Is Preparing to Attack Hackers with Army, Navy and Air Force. appeared first on Foster Institute.