Zoom Meeting Guidelines
The use of Zoom calls/meetings during the pandemic has made the platform a target of cyber criminals. Hackers have been attacking Zoom calls/meetings in one of 3 different ways:
- Searching the web for call/meeting IDs, then joining uninvited to eavesdrop and steal information
- Searching the web for call/meeting IDs, then joining uninvited and Zoom-bombing users, where they hijack the screen sharing and display unwanted content
- Sending Zoom-based phishing emails that mimic a Zoom invite and entice users to join a call/meeting. Then they send malware and hijack the user’s machine
In order to protect our meetings from these criminals, the Information Technology Team is making some changes to how we use Zoom. Below are the changes which will go into effect next week.
Prevent eavesdropping and Zoom-bombing – The best way to prevent these activities is to prevent unauthorized users from joining the meeting. We will be instituting a password requirement for all Zoom meetings, and we ask that the host monitor and verify attendees to ensure that there are no unwanted guests. The password will be set up when the meeting is scheduled.
We have reviewed the security requirements and are comfortable having a standard password from class/meeting to class/meeting, as the purpose of the password is to ensure that only invited guests are in attendance. We will use a standard numeric password for all meetings, generated when the class/meeting is scheduled. The numeric password will be included in the join-meeting URL so that participants can join with just one click.
If you would like to use a different password for “Secure” meetings, this is also allowed. When scheduling the class or meeting, replace the prepopulated numeric password field with the “: XXXX@YYYY! ” password. The meeting invite will create a one-click URL, so attendees will not have to enter the password and can just click on the link provided.
In addition to the new password usage, the other tactic we need all hosts to adhere to is validating the participants in the call/meeting. A simple roll call of the participants and a check of the participants screen will ensure that there are no uninvited participants lurking in the background. This should include validation of dial-in users as well. If you find an uninvited participant, you can remove the user from the class or meeting from the same window. Once all students or participants are in the class or meeting, the host can “Lock” the call/meeting, which prevents any further attendees from joining.
If the user is dialing into the meeting on a cell phone there are 2 options:
- Mobile Application – Attendees who join the call/meeting using the Mobile App on their device can simply click on the URL in the invite and will be joined to the call/meeting (the same as from a web browser).
- By Phone – Attendees joining by phone will use the numeric password issued for the call/meeting, which is in the initial invite along with the dial-in number. They may be asked for a Participant ID, but they may skip this step.
Preventing Zoom Phishing attacks – Hackers who are trying to phish users will create a Zoom meeting request that looks like a real Zoom invite. It will have a Zoom meeting URL in the body of the email that will take you to a malicious site. If you hover over the embedded link in the email, you will see that the link does not point to a Cooper Union URL (or even a real Zoom address). Cooper Union uses a registered domain address with Zoom that signifies that the meeting is legitimate. Our domain is cooper.zoom.us. You should always verify that the meeting room address is cooper.zoom.us before clicking the link. We are proactively blocking these types of emails, but sometimes one could slip through. If you see one of these malicious emails, please let the Information Security Team know.
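The hover check described above can also be done programmatically. The following is an added example, not Cooper Union's own tooling; the function names, the sample email body and the HTTPS requirement are assumptions made for illustration. It compares the exact hostname of each link against cooper.zoom.us, which is what catches lookalike addresses that merely contain that text.

```python
import re
from urllib.parse import urlsplit

TRUSTED_HOST = "cooper.zoom.us"  # the domain named in this guideline
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def is_cooper_zoom_link(url):
    """True only if the link's real hostname is exactly cooper.zoom.us."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # excludes any "user@" prefix and the port
    except ValueError:  # malformed URL, treat as untrusted
        return False
    if not host:
        return False
    # Assumption: require HTTPS. A trailing dot and letter case do not
    # change which host is contacted, so normalise both before comparing.
    return parts.scheme == "https" and host.rstrip(".").lower() == TRUSTED_HOST


def links_needing_review(body):
    """Links that mention 'zoom' but do not point at cooper.zoom.us."""
    return [
        url
        for url in URL_RE.findall(body)
        if "zoom" in url.lower() and not is_cooper_zoom_link(url)
    ]


# Constructed sample invite text (not a real message).
SAMPLE_BODY = """You are invited to a Zoom meeting.
Join: https://cooper.zoom.us.meeting-join.example/j/0000000000
Backup: https://cooper.zoom.us@login.example/j/0000000000
Class link: https://cooper.zoom.us/j/0000000000?pwd=000000
"""

if __name__ == "__main__":
    for link in links_needing_review(SAMPLE_BODY):
        print("Report to Information Security:", link)
```

A plain substring search for "cooper.zoom.us" would accept the first two sample links; only the exact hostname comparison rejects them.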
We will be implementing these changes next week and this will require some actions on the part of Zoom Meeting Schedulers. There will be three main impacts:
- New meetings will be required to use a password. This will take effect on Monday, April 13th, 2020.
- Recurring meetings will need to be modified to include a password and the updated URL will need to be sent to attendees. (We are asking for this to be completed by Friday, April 17th, 2020)
- For non-recurring meetings that occur after Friday, April 17th, 2020, the invites will need to be modified to include a password and the invites updated.
If you have any questions, or are still seeing abnormal activity, please notify the Information Technology Team at email@example.com