Cybersecurity: Zoom, Collab Tools Are Critical Infrastructure

Another balancing act for CISOs

David Braue

Melbourne, Australia – Apr. 29, 2021

Despite the value of security features like multi-factor authentication (MFA), “exhausted” CISOs are still struggling to convince stakeholders to accept the level of security necessary to keep cybercriminals at bay, a former White House IT executive has lamented amidst growing attacks on the collaboration and social apps that have come to define remote work in the COVID era.

CISOs “are exhausted, and they’re expected to do way too much with way too little resources,” Theresa Payton, president and CEO of security firm Fortalice Solutions and CIO within the Executive Office of former President George W. Bush from 2006 to 2008, recently told Cybercrime Magazine.

Although piecemeal adoption of collaboration tools like Zoom had become an accepted hallmark of the pandemic, she said, CISOs “are balancing the fact that business units don’t want to be inconvenienced, and neither do end customers — but for end users that are not in the security field, they see features like MFA as cumbersome and productivity killers, so they want to skip them.”

That left CISOs chasing after users, creating “a real ongoing challenge,” she said, “where we need to be able to seamlessly integrate collaboration tools into the workflow of both business units and customers while at the same time making security very seamless, and truly more elegant than it is today.”

Making security effective and making it elegant haven’t always been the same thing, but CISOs can’t keep infrastructure secure without bringing users along for the ride — so the elegance of which Payton speaks has now become table stakes in the continuing fight to stay ahead of security issues.

Vendor proactivity becomes particularly important in heading off potential security risks from near-ubiquitous applications like Zoom, Payton said, noting that “cybercriminals always go where the action is — so when they saw Zoom shooting up in popularity, they were always going to look for those potential weak spots.”

Zoom, as a company, had set a rapid pace during the pandemic with regular updates and had “taken ownership of the issue,” she said. “They work in such a way to promote better safety and security, not just for Zoom but for the greater collective good.”

Staying proactive to limit manipulation

Partnerships between software vendors and security firms had provided strong support for the mission of combining security and elegance in user interface, noted Otavio Freire, CTO and co-founder of social security firm SafeGuard Cyber, which has worked with Zoom throughout the pandemic to explore and remediate potential security holes before they impact real-world users.

“Security, compliance, and even governance of that channel are absolutely needed,” Freire explained, pointing out that Zoom “is really many apps in one — a chat, a video stream, an audio stream, and a file-sharing app — and all of these generate really critical data.”

“Each of these can be exploited, and ultimately generate company risk,” he added, “and this is not only the case for Zoom.”

“We need to start thinking of this as critical infrastructure,” he added, “and this all fundamentally changes how companies need to think about cybersecurity — so unless you think of it that way, and think through how to protect the various aspects that make them up, you will always have vulnerabilities as an enterprise.”

Given the proven adaptability of cybercriminals, those vulnerabilities may not always relate to code and conventional exploits.

A malicious insider could, for example, leak company secrets simply by holding up a document for an accomplice to read over Zoom — or a well-meaning project team member could expose intellectual property inadvertently written on a whiteboard in the background of a Zoom call.

Built-in chat and file transfer capabilities could be used to distribute malware or move sensitive data files through an application feature in a way that might not be picked up by conventional data loss prevention (DLP) tools.

“It’s not Zoom’s fault,” Freire said, “but this is all humans using an application for wrong purposes — and there are so many ways that it could be used improperly and weaken your security stance.”

Given the number of potential compromises, he added, the use of machine learning has become critical to creating detection engines that can sniff out anomalies in the usage of key collaboration platforms.

“As you scale up all the collaboration channels, you just can’t rely on humans because of the labor shortage to provide that security,” he said, noting the importance of companion automation capabilities to minimize the number of alerts that security staff have to deal with.

Otherwise, he said, “even if you have something that does detection, you have to have staff walk through detections and respond in real time.”

Often, access violations are substantiated by credential theft, or manipulations subtle enough that humans fail to pick up on them — as with the recent discovery that an online reporter named Kacey Montagu, who had engaged with White House staff remotely on several occasions, was actually a complete fabrication substantiated only by a few social-media accounts and email addresses.

“It goes to show that as we’re all reimagining how we do our processes,” Payton said, “and trying to be open and engaging and authentic, how people can take advantage of that.”

Although many companies deploy multiple solutions to protect well-travelled threat vectors like email, many others remain hopelessly exposed through channels whose implications they have never fully considered.

Now that remote work is here to stay, Payton said, it’s incumbent on CISOs to consider “where do you believe your blind spots could be, and where do you believe you have staffing and skill set concerns?”

“You may be pleasantly surprised at how the vendors you’re having the conversations with can actually rally around you to support your privacy and security needs.”

David Braue is an award-winning technology writer based in Melbourne, Australia.

Sponsored by SafeGuard Cyber