The Importance of Security in Design: Zoom and Lessons from my Grandmother

The Importance of Security in Design: Zoom and Lessons from my Grandmother

Blog by Chris Flynn, Arcanum Cyber Security Consultant.

My Grandmother is a fantastic knitter and often tells me that “a stitch in time, saves nine”. Rather than knitting, I do cyber security but the lesson still resonates; if you’re going to do security stuff, do it early.

Zoom, the innovative new boy in the video conferencing world that we’ve now entered, is very much a case in point. According to Zoom, over 200 million of us now use the platform daily to conduct meetings [1]. Which is great, isn’t it?

Unlike some of the more established video conferencing tools, Zoom is simple, accessible and easy to set up and use, hence its popularity. In only a couple of weeks, it’s gone from relatively nothing to being used by everyone, from small social groupings to the highest levels of government. Because of that and because it looks good, we assume that Zoom is also well designed and secure.

But as numerous reports have pointed out, that’s not the case. We have seen multiple vulnerabilities exploited, government, religious and school groups have been disrupted by organised groups of ‘zoom-bombers’ [2, 3, 4, 5]. We have seen a mis-use of personal data when Zoom’s link to Facebook became apparent, no doubt a lawsuit will follow [6]. We have seen falsely-claimed encryption when using Zoom [7] as well as huge numbers of user data available on the dark web, leading to widespread hacking of Zoom accounts [8].

But not all of the security issues are down to Zoom. Users have not helped themselves as password re-use has been very common and meeting details have been shared publicly on social media [9 & 10]. Both are a very definite no-no in the world of cyber security.

Many groups are now refusing to use Zoom despite attempts to rectify security problems. Zoom’s profits will likely decrease and the reputational damage to the company and its products may be irreversible. The most important question is “how could Zoom have avoided this situation?”

In this case, Zoom could have done much worse than applying the NCSC’s Secure Communications Principles [12] and “Secure by Default” guidance [13]. Another good place to look is the Government’s Code of Practice for Consumer Internet of Things (IoT) Security for manufacturers [14]. Adherence to these would have addressed Zoom’s issues at an early, and far less-damaging, stage.

Accepting that the lack of security is a risk from the outset is the first step. ‘Baking-in’ security to the product from the outset is pretty much essential if you have made something that is brilliant and clever and you want it to succeed.  If you have designed or coded a product that people and businesses are going to want to use, then it really should have security built-in to the design.

Going back to what my Grandmother said; adding security at a later stage is always time consuming, more complicated and very definitely more expensive so, “a stitch in time, really can save nine”.

Our talented and experienced consultants here at Arcanum are experts in all aspects of security assistance.

Get in touch with Arcanum and we will help you with:

  • Secure-by-design
  • Vulnerability assessments
  • Threat assessments
  • Risk assessments
  • Risk management
  • Through-life Security

Please note Arcanum Cyber Security are still fully operational. For more information please do not hesitate to get in touch today.

Please give us a call 01558 669140 or email admin@arcanum-cyber.com

 

Sources:

[1] blog.zoom.us

[2]  www.zdnet.com

[3] www.thesun.co.uk

[4] nltimes.nl

[5] www.zdnet.com

[6] www.independent.co.uk

[7] www.wired.com

[8] www.businessinsider.com

[9] www.androidheadlines.com

[10] metro.co.uk

[11] www.reuters.com

[12] https://www.ncsc.gov.uk/guidance/secure-communication-principles-alpha-release

[13] https://www.ncsc.gov.uk/information/secure-default

[14] https://www.gov.uk/government/collections/secure-by-design