Ah, end users--and their propensity for doing unexpected things. Well, the same can be said of vendors, which means IT administrators have an obligation to monitor vendor behavior as closely as they monitor end user behavior. This is especially true of business collaboration tools, particularly in the age of shadow IT.
Case in point: the Zoom meeting application flaw disclosed earlier this month by security researcher Jonathan Leitschuh (who has posted a full explanation of the vulnerability). Before Zoom fixed the issue, the flaw affected users of the Apple macOS client from Zoom and its white-label partners.
Zoom included a web server in its macOS application package so that users could join a meeting with a single click. While this made it easy to join meetings seamlessly by clicking a URL, it also left users' webcams open to hijacking and exposed users to possible phishing attacks and remote code execution.
But here’s the bigger problem: an estimated 750,000 companies globally use Zoom to conduct meetings, and some percentage of those have Macs in the workplace. When those companies evaluated Zoom, they may have fallen short on due diligence. The fact that the application would reinstall itself if uninstalled--a glaring red flag--should have prompted security teams to ask questions. They should have been thinking about the implications of installing a web server on end users’ systems and how a one-click join experience could lead to unintended consequences.
My point is not to pick on Zoom Video Communications. All software companies want to differentiate their products and make them more compelling to purchase. And enterprise software--and business collaboration tools, in particular--needs these kinds of improvements to boost productivity. My point is that IT professionals must not take these changes for granted or leave them to chance.
Here are three things IT pros must do to ensure that new features will not open the business up to new security risks.
1. In this age of business users driving technology purchase decisions, and the app store simplifying the deployment of software, IT needs to proactively engage with users to understand their collaboration needs beyond the firewall. With web meetings, for example, many end users will need to participate with partners beyond the firewall, and they may be asked to download software in order to facilitate a particular function--say, download a document from a prospective customer.
A complete administrative lockdown of end user systems definitely keeps users from installing these apps, but today's dynamic business environment typically requires more flexibility than that. Yes, it is good practice to limit the third-party software users can install. But no one wants to have the same conversation with their partner- and customer-facing end users every time they have a problem joining a web conference. Some flexibility is warranted, but that means having to be aware of, and keep up on security issues with, applications that aren’t on the approved list.
2. If it sounds too good to be true, it may well actually be good. However, don't just assume that it is. Find out how the vendor developed the latest and greatest feature. Zoom's one-click meeting join experience, for example, should have seemed a little too good to be true to security teams: the vendor made joining simpler by letting users skip the steps that establish informed consent. Security teams should be asking vendors questions like: “How do you do that?” "What happens when ...?" and “What if …?”
And, of course, security teams need to be thinking about how a vendor deploys new versions of an application and what the SecOps team can do to forestall changes they don’t want deployed. What if enough prospects evaluating Zoom’s solution had said, “We can’t use your application because you are installing a web server with an undocumented API on our Mac clients?”
3. Ensure that vendors have checks and balances in place in their development process. Leitschuh described putting a web server on a user’s Mac as “sketchy.” That’s polite. Going back at least a decade, installing a web server on an end user system would be a red flag. In the collaboration market, every vendor’s security team needs to advocate for the customer on features that simplify the sharing of data.
During evaluations of solutions, ask vendors difficult questions. Vendors often use non-disclosure agreements to facilitate free discussion--use those NDAs to your advantage. If the vendor doesn’t provide a full and transparent explanation of how a capability works, choose one that does.
In our connected world, plan for these types of inevitabilities, and be diligent about routinely auditing the technology being used across the organization--no matter how it made its way in.
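One practical way to act on that audit advice, and on the earlier point about web servers quietly installed on end users' systems, is to inventory what is actually listening on each endpoint. The following is an added example, not code from this article, from Zoom, or from the researcher: a POSIX shell script that reads the output of `lsof -nP -iTCP -sTCP:LISTEN` (available on macOS and Linux) and flags every listening process whose name is not on an allowlist. The allowlist contents, the embedded sample lsof lines, and the `helperd` process name and port in them are constructed for illustration and are not real Zoom identifiers.

```shell
#!/bin/sh
# Added example (not from the article, not Zoom's code): inventory TCP
# listeners on an endpoint and flag any process not on an allowlist.
# Assumes the output format of `lsof -nP -iTCP -sTCP:LISTEN`, whose last
# two fields on each listener line are "ADDR:PORT (LISTEN)".

# Process names this fleet expects to have listening (assumption; tune
# per environment). lsof truncates COMMAND to 9 characters by default,
# so allowlist entries must use the truncated form.
ALLOWED_LISTENERS="${ALLOWED_LISTENERS:-launchd sshd rapportd}"

# flag_listeners: read lsof output on stdin and print "PID COMMAND ADDR:PORT"
# for every listener whose COMMAND is not in the allowlist.
flag_listeners() {
    awk -v allowed="$ALLOWED_LISTENERS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $NF == "(LISTEN)" && !($1 in ok) { print $2, $1, $(NF-1) }
    '
}

# Constructed sample lsof output: one expected system listener and a
# hypothetical vendor helper bound to loopback (names and ports made up).
SAMPLE_LSOF='COMMAND  PID  USER FD  TYPE DEVICE SIZE/OFF NODE NAME
launchd    1  root 5u  IPv6 0x1    0t0      TCP  *:22 (LISTEN)
helperd 4242 alice 7u  IPv4 0x2    0t0      TCP  127.0.0.1:8080 (LISTEN)'

# audit_sample: run the check over the constructed sample above.
audit_sample() {
    printf '%s\n' "$SAMPLE_LSOF" | flag_listeners
}

# audit_live: run the check against this host. Requires lsof and usually
# sudo, since lsof only shows other users' sockets to a privileged caller.
audit_live() {
    lsof -nP -iTCP -sTCP:LISTEN | flag_listeners
}

if [ "${1:-}" = "--live" ]; then
    audit_live
else
    audit_sample
fi
```

Run it with `--live` on an endpoint and feed the results into your software inventory. A helper process bound to 127.0.0.1 that nobody knowingly approved, such as the `helperd` line in the sample, is exactly the kind of finding that should start the "How do you do that?" conversation with the vendor, and re-running the check after an uninstall is a cheap way to notice software that puts itself back.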