Zoom Sophos Utm




Work still means meetings, and meetings still mean people.

But with the coronavirus pandemic having caused many countries to define a “group” as a maximum of two people, and prohibiting people from meeting up face-to-face anyway, even with friends and family, then meeting with people means an online meeting.


What is Sophos UTM? Before I get to the details, I would like to share some information about the security solution I am using (and have been using for the past 6 years in both home and business environments): Sophos UTM (previously Astaro UTM). This piece of software is really the Swiss Army knife among networking services.

For very many of us, that means Zoom, not least because many of us were using Zoom already, and happily, and…

Sophos UTM's threat prevention includes Sophos Sandstorm, whose detection engine is a deep learning neural network (a form of machine learning) that aims to catch both known and unknown malware without relying on signatures. If your network sits behind a Sophos UTM v9 firewall, make sure its settings suit video conferencing: with the defaults, Zoom video traffic can suffer heavy packet loss, because the default configuration includes a limit on packet size. Before changing anything, confirm the cause in the UTM's own firewall log (dropped packets from the Zoom client's address during a call) rather than assuming it.

…or so we thought, safely.

But Zoom has had a bunch of security scares recently, as huge numbers of new users flock to it, and as crooks and miscreants try to take advantage of that.

Fortunately, a lot of the problems and risks people are having can be reduced enormously just by getting the basics right.

Unfortunately, a lot of the habits that existing Zoom users have fallen into need to change.

Insecure shortcuts – ways of using Zoom that the old-timers have inadvertently been teaching to the Zoom newcomers – didn’t seem to matter that much before, but they do now.

So here are our top 5 “things to get right first” – they shouldn’t take you long, and they are easy to do.

1. Patch early, patch often

Zoom’s own CEO just wrote a blog post announcing a “feature freeze” in the product so that the company can focus on security issues instead. It’s much easier to do that if you aren’t adding new code at the same time.

Why not get into the habit of checking you’re up-to-date every day, before your first meeting? Even if Zoom itself told you about an update the very last time you used it, get in the habit of checking by hand anyway, just to be sure. It doesn’t take long.

By the way, we recommend you do this with all your software – even if you have been using your operating system’s or an app’s autoupdating for years and it’s always been on time, a manual cross-check is quick and easy.

Zoom’s guide is here: Where do I download the latest version?

2. Use the Waiting Room option

Set up meetings so that the participants can’t join in until you open it up.

And if you suddenly find yourself “on hold until the organiser starts the meeting” when in the past you would have spent the time chatting to your colleagues and getting the smalltalk over with, don’t complain – those pre-meeting meetings are great for socialising but they do make it harder to control the meeting.

Zoom has a dedicated article on the Waiting Room feature.

3. Take control over screen sharing

Until recently, most Zoom meetings (or at least the ones we attended in the not-too-distant era before coronavirus) took a liberal approach to screen sharing.

But the term ZoomBombing entered our vocabulary very forcefully about two weeks ago, when a public “Happy Hour” meeting that was supposed to buoy everyone’s morale turned into an HR nightmare when one of the participants, who had entered under a false name, started sharing pornographic filth. (Unhappily for the organiser of the meeting, he’d chosen that day to invite his parents along as guests of honour.)

Actually, it’s not just screen sharing that can cause trouble. There are numerous controls you can apply to participants in meetings, including blocking file sharing and private chat, kicking out disruptive users, and stopping troublemakers coming back.

Zoom has a dedicated article on Managing participants in a meeting.

4. Use random meeting IDs or set meeting passwords

We know lots of Zoom users who memorised their own personal meeting ID long ago and have fallen into the habit of using it for every meeting they hold – even back-to-back meetings with different groups.


But that convenience is handy for crooks, too, because they already have a list of known IDs that they can try automatically in the hope of wandering in where they aren’t supposed to be.

We recommend using a randomly generated meeting ID, or setting a password on any meetings using your personal ID that are not explicitly open to all. You can send the web link by one means, e.g. in an email or invitation request, and the password by another means, e.g. in an instant message just before the meeting starts. (You can also lock meetings once they start to avoid gaining unwanted visitors after you’ve started concentrating on the meeting itself.)

Zoom has a dedicated article on Meeting and webinar passwords.

5. Make some rules of etiquette and stick to them

Etiquette may sound like a strange bedfellow for cybersecurity, and perhaps it is.

But respect for privacy, a sense of trust, and a feeling of social and business comfort are also important parts of a working life that’s now dominated by online meetings.

If you’re expected or you need to use video, pay attention to your appearance and the lighting. (In very blunt terms: try to avoid being a pain to watch.) Remember to use the mute button when you can.

And most importantly – especially if there are company outsiders in the meeting – be very clear up front if you will be recording the meeting, even if you are in a jurisdiction that does not require you to declare it. And make it clear if there are any restrictions, albeit informal ones, on what the participants are allowed to do with the information they learn in the meeting.

Etiquette isn’t about keeping the bad guys out. But respectful rules of engagement for remote meetings help to make it easy for everyone in the meeting to keep the good stuff in.


To configure the inputs for the Splunk Add-on for Sophos, enable the desired stanzas in a local copy of inputs.conf on the forwarder installed on the Sophos Enterprise Console server.

Sophos Endpoint Security application logs

The add-on collects system logs of Sophos Endpoint Security, stored in Windows event logs, using the Splunk Add-on for Windows.

There is nothing to configure in this add-on for these logs.

Sophos Endpoint Security patch logs

The add-on collects Sophos Endpoint Security patching logs using the Splunk Add-on for Windows.

To enable Sophos patch status monitoring, copy the first stanza in %SPLUNK_HOME%\etc\apps\Splunk_TA_sophos\default\inputs.conf to %SPLUNK_HOME%\etc\apps\Splunk_TA_sophos\local\inputs.conf and enable the [WinEventLog://Sophos Patch] stanza by changing disabled = 1 to disabled = 0.

Sophos Endpoint Console server logs

The add-on collects Sophos Endpoint Console server logs through monitor inputs.

Copy all the monitor stanzas from %SPLUNK_HOME%\etc\apps\Splunk_TA_sophos\default\inputs.conf to %SPLUNK_HOME%\etc\apps\Splunk_TA_sophos\local\inputs.conf and enable the desired stanzas by changing disabled = 1 to disabled = 0. In each stanza, replace <SEC_LOG_PATH> with the path of the log files on the Sophos Enterprise Console.
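The two steps above (copy stanzas from default to local, flip disabled, fill in <SEC_LOG_PATH>) are easy to get subtly wrong by hand, for example leaving a stanza name misspelled so the log is silently never collected. The script below is an added example, not part of the Splunk add-on, that builds the local inputs.conf text from the default one. The sample default file, the monitor stanza names other than [WinEventLog://Sophos Patch], and the Windows log path are constructed assumptions.

```python
"""Added example (not the Splunk add-on's own code): build local/inputs.conf
from default/inputs.conf by enabling chosen stanzas and filling in the
<SEC_LOG_PATH> placeholder. The sample default file is constructed; the
monitor stanza names and the log path are assumptions."""
import configparser
import io

# Constructed sample of a default/inputs.conf: everything ships disabled and
# the monitor stanzas carry the <SEC_LOG_PATH> placeholder (assumed layout).
SAMPLE_DEFAULT_INPUTS = """\
[WinEventLog://Sophos Patch]
disabled = 1

[monitor://<SEC_LOG_PATH>\\ManagementServer\\*.log]
sourcetype = sophos:sec
disabled = 1

[monitor://<SEC_LOG_PATH>\\Router\\*.log]
sourcetype = sophos:sec
disabled = 1
"""

PLACEHOLDER = "<SEC_LOG_PATH>"


def _load(text: str) -> configparser.ConfigParser:
    # interpolation=None: Splunk conf values may contain '%' and '$' literally.
    # delimiters '=': Splunk uses '=' only, and values contain ':' (sophos:sec).
    # optionxform=str: keep key case, Splunk keys are case-sensitive.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def build_local_inputs(default_text: str, enable: set[str], sec_log_path: str) -> str:
    """Return local/inputs.conf text containing only the stanzas named in
    `enable` (names exactly as they appear in default/), each with
    disabled = 0 and <SEC_LOG_PATH> replaced in the stanza header.
    Unknown names raise, so a typo cannot leave a log uncollected."""
    default = _load(default_text)
    missing = enable - set(default.sections())
    if missing:
        raise KeyError(f"stanzas not found in default inputs.conf: {sorted(missing)}")

    local = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    local.optionxform = str
    for name in default.sections():  # keep default/ order for readability
        if name not in enable:
            continue
        new_name = name.replace(PLACEHOLDER, sec_log_path)
        local.add_section(new_name)
        for key, value in default.items(name):
            local.set(new_name, key, "0" if key == "disabled" else value)
        if not local.has_option(new_name, "disabled"):
            local.set(new_name, "disabled", "0")
    buf = io.StringIO()
    local.write(buf)
    return buf.getvalue()


def enabled_stanzas(text: str) -> list[str]:
    """Names of stanzas whose disabled setting is 0 (or absent)."""
    cp = _load(text)
    return [s for s in cp.sections() if cp.get(s, "disabled", fallback="0") == "0"]


if __name__ == "__main__":
    # Assumed SEC log location; substitute the real path on your console.
    print(build_local_inputs(
        SAMPLE_DEFAULT_INPUTS,
        {"WinEventLog://Sophos Patch",
         "monitor://<SEC_LOG_PATH>\\ManagementServer\\*.log"},
        r"C:\ProgramData\Sophos\Enterprise Console\Logs",
    ))
```

Only the stanzas you name end up in local/inputs.conf, which is the Splunk convention (local overrides default stanza by stanza), so the Router stanza in the sample stays disabled by virtue of never being copied.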

Sophos Endpoint Console Syslog Logs

You can configure these logs to push via syslog over the network using Sophos Report Interface or by monitoring the SEC server log as with the server logs above. If you are monitoring the log files directly, set the source type to sophos:sec.

If you are pushing data via syslog, create an inputs.conf stanza in your syslog collector for these source types:

  • sophos:utm:firewall
  • sophos:utm:ips
  • sophos:utm:ipsec

For example, your stanza for sophos:utm:firewall might look like this.
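The stanza itself did not survive in this copy of the page. What follows is an added example written here, not the Splunk documentation's own text: a UDP syslog input on the collector tagged with the sophos:utm:firewall source type from the list above. The port number and the connection_host choice are assumptions.

```ini
# Added example (not from the Splunk docs): receive Sophos UTM syslog on the
# collector and tag it sophos:utm:firewall. Port 514 and connection_host
# are assumptions; use whatever the UTM is configured to send to.
[udp://514]
sourcetype = sophos:utm:firewall
connection_host = ip
disabled = 0
```

One input can carry only one source type, while the UTM sends its firewall, IPS and IPsec logs to the same syslog destination. If you also want sophos:utm:ips and sophos:utm:ipsec, either send each log type to its own port or split on content with props and transforms; check whether the add-on already does that for you before writing your own.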




Note: When collecting syslog, a best practice is to use a third-party aggregator (e.g. rsyslog or syslog-ng) in front of the Splunk input for improved fault tolerance and scalability.
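Once sophos:utm:firewall events are arriving, the natural first use for them is the packet-loss problem mentioned earlier on the page: find out whether the UTM is dropping Zoom's media traffic and at what packet sizes. The script below is an added example, not Sophos or Splunk code; it parses the key="value" layout that UTM firewall syslog lines use (assumed here) and summarises dropped UDP packets to Zoom's media ports. The Zoom port list and the sample log lines are constructed assumptions, so verify the ports against Zoom's current firewall guidance.

```python
"""Added example (not from Sophos or the Splunk add-on): parse Sophos UTM
firewall syslog lines (sophos:utm:firewall) and summarise dropped UDP packets
to Zoom media ports, including their sizes, to test the "packet size limit"
explanation. Line layout, Zoom port list and sample lines are assumptions."""
import re
from collections import Counter

# Assumption: Zoom media uses UDP 3478, 3479 and 8801-8810.
ZOOM_UDP_PORTS = {3478, 3479, *range(8801, 8811)}
UDP = "17"  # IP protocol number as UTM logs it in proto="..."

# key="value" pairs; UTM quotes every value and a value may be empty.
_KV = re.compile(r'(\w+)="([^"]*)"')
# Syslog prefix assumed as: timestamp host process[pid]: body
_HDR = re.compile(r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>\S+):\s+(?P<body>.*)$')

# Constructed sample in the assumed UTM ulogd layout (one non-event line on purpose).
SAMPLE_LOG = """\
2020:04:07-09:15:01 utm ulogd[4012]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="10.0.0.23" dstip="203.0.113.10" proto="17" length="1220" srcport="51234" dstport="8801"
2020:04:07-09:15:01 utm ulogd[4012]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="10.0.0.23" dstip="203.0.113.10" proto="17" length="1220" srcport="51234" dstport="8801"
2020:04:07-09:15:02 utm ulogd[4012]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="2" initf="eth0" srcip="10.0.0.23" dstip="203.0.113.10" proto="6" length="60" srcport="51240" dstport="443"
2020:04:07-09:15:03 utm ulogd[4012]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="10.0.0.23" dstip="203.0.113.10" proto="17" length="1180" srcport="51234" dstport="8810"
2020:04:07-09:15:04 utm ulogd[4012]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="10.0.0.77" dstip="198.51.100.5" proto="17" length="78" srcport="40000" dstport="53"
this line is not a firewall event and must be skipped
"""


def parse_line(line):
    """Fields of one UTM firewall line as a dict, or None if the line is not
    in the expected layout (callers count those rather than crashing)."""
    m = _HDR.match(line.strip())
    if not m:
        return None
    fields = dict(_KV.findall(m.group("body")))
    if "action" not in fields or "proto" not in fields:
        return None
    fields.update(ts=m.group("ts"), host=m.group("host"))
    return fields


def dropped_zoom_udp(log_text):
    """Summarise dropped UDP packets to Zoom media ports.

    Returns {"total": n, "by_flow": Counter keyed by (srcip, dstip, dstport,
    fwrule), "lengths": Counter of the length="..." values of those drops,
    "unparsed": count of lines that did not parse}."""
    by_flow, lengths, unparsed = Counter(), Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        if ev["action"] != "drop" or ev["proto"] != UDP:
            continue
        try:
            dport = int(ev.get("dstport", ""))
            length = int(ev.get("length", ""))
        except ValueError:
            continue  # malformed port/length: not a usable event
        if dport in ZOOM_UDP_PORTS:
            by_flow[(ev["srcip"], ev["dstip"], dport, ev.get("fwrule", ""))] += 1
            lengths[length] += 1
    return {"total": sum(by_flow.values()), "by_flow": by_flow,
            "lengths": lengths, "unparsed": unparsed}


if __name__ == "__main__":
    summary = dropped_zoom_udp(SAMPLE_LOG)
    print(f"dropped Zoom UDP packets: {summary['total']} "
          f"(unparseable lines: {summary['unparsed']})")
    for (src, dst, port, rule), n in summary["by_flow"].most_common():
        print(f"  {src} -> {dst}:{port}  rule {rule}  x{n}")
    print("  drop sizes:", dict(summary["lengths"]))
```

If the drops cluster at large lengths and at a single firewall rule, that supports the size-limit explanation and tells you which rule to look at; if they are spread across sizes, look elsewhere (rate limiting or flood protection) before touching packet-size settings. The same grouping, on the fields the add-on extracts, is what you would run as a Splunk search over sophos:utm:firewall.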