Application Security – Zoom is a Knife Crime!

Application Security – Zoom is a Knife Crime!
17/04/2020 Comments Off on Application Security – Zoom is a Knife Crime! CISO Blog, DPO Blog, Security Advisory Blog EditoratLarge

The news ebbs and flows and so too do people’s attitudes to the world around them. We are all influenced by the media. Take knife crime. In 2019, knife crime was a significant problem in London. So we should ban knives! Knives are dangerous! Knives should not be used under any circumstances. Why are you using a knife – are you insane!?

GDPR Practitioner Guide 2nd Edition now outclick here for special offer

Now, in 2020, crime has fallen by as much as 20% in some areas of the UK. Knife crime, in particular, has plummeted. So knives are not dangerous. We should all use knives. Let’s all carry a knife on the off chance you may need to cut something. What AREN’T you using a knife – are you a Luddite?

But we all know that is not the case. Crime, and in particular knife crime, has gone down because we’re all in lockdown due to coronavirus. It’s a lot harder to stab and be stabbed when you’re stuck indoors. It’s a lot harder to burgle a property when the residents never leave. So what has this got to do with application security?

At the time of writing, there has been a lot of controversy about video conferencing applications. People who would have very little exposure to such technology in a professional context are now finding video conferencing is ubiquitous in their day-to-day lives more than ever before. People who didn’t have this infrastructure already set up rushed out to the market to find something that worked – one product stood out. Zoom! But, just like knives, software applications have the potential to be dangerous if used inappropriately. Video conferencing software is no different.

Hysterical Reaction

Since the surge in usage of Zoom, there has been article after article about how it has breached privacy by sending data to Facebook (since removed) and had security vulnerabilities that allowed Windows to be hacked (so Windows could be hacked…). The newly coined phrase Zoombombing came into fashion as pranksters gatecrashed insecure meetings (because users didn’t secure their meetings). So the overwhelming message coming out of the Data Protection / GDPR community has been to poor shame on Zoom users much akin to Cersei’s walk through King’s Landing.

“How could you use this tool, knowing what you know?!?!”

Now the UK parliament is planning on using Zoom at the heart of their virtual parliament, they too have had shame heaped upon them by some in the community for setting a poor example. The belief is that if the UK government are using it for a very specific purpose then it must be ok for all purposes. This is a clear logical fallacy that needs to be nipped in the bud.

Do you Excel at Data Protection?

The greatest data protection threat to personal data is not the tool, it’s the use case. It’s the use case that we must assess for risk. Take Microsoft Excel. What is Excel but a tool for manipulating data? I could quite easily use Excel to harvest public data and use it at the centre of a self-coded spam engine. That’s a basic example but what about what is happening in organisations all around the world – how are they using (and abusing) Excel. With an ODBC connection into your “secure” databases, users can circumvent every single one of the database controls set up in to protect personal data. Users can pull in data into Excel, manipulate it and upload data back into the original system of record – all with no audit trail. Do you really know what is going on with all this data…do you?! This is going on in many organisations – and something many do not even monitor as part of their Identity & Access Management (IAM) programme. Finance Teams are doing it right now to forecast and budget. Why does happen? Mainly because they know Excel – it’s easy. Additionally, it’s cheaper than a licence for a proper business analytics tool (which they would then have to learn…). So…do we ban Excel because of all this often unauthorised, uncontrolled processing? No, of course not.

Do you have a leaky [S3] bucket?

Cloud storage has been at the heart of a number of security breaches recently. Often the breach originates from a lack of engagement from the business on how to secure such storage solutions properly. Misconfiguration of security controls is oft at the heart of breaches. So too are poorly implemented changes, inadvertently exposing systems and data that were originally secured. So…do we ban the use of cloud storage because some users don’t know how to keep their data secure? No, of course not.

Be more nuanced!

There are plenty of other examples of knee-jerk reactions to the use of technology. An adverse reaction is not necessarily unwarranted either. Facial Recognition in the wrong hands, and for certain purposes, would go against the culture and values of some societies – but perhaps not in others. So we need to have a discussion about what is appropriate, we need to stop talking in terms of right or wrong in a holistic way. In short, we in the data protection and cybersecurity community need to be more nuanced. Nothing is black or white in this world (even pandas have brown eyes). The data protection community adds value not by telling our organisations and clients that something is bad, we add value by showing them how to use tools safely…and when these tools are safe to use.

Start with the Use-Case

Every organisation uses software in slightly different ways. Some are not even anticipated by the vendor when the tool was originally conceived. Take the Zoom family quizzes that now go on during the lockdown, or that you can now hire a goat or llama to attend your meeting…[yes, this is a real thing]. Did Zoom anticipate this? Most likely not. That’s why it’s the responsibility of the end-users to make the assessment as to whether a tool is safe for their particular use case. That’s where application security risk assessments must start. We must ask the question:

“What do you want to use this tool for?”

Once we know the context of why we are then able to provide appropriate information and advice. When conducting your application security risk assessment, assess the tool(s) as a complete system against the use-case specified. Don’t stop there though. Research other use cases and make it clear in your risk assessment where the tool would not be appropriate without additional controls. No application is ever going to be 100% secure in isolation but good security professionals know how to make applications “secure enough”. If you need help securing your technology environment for new use-cases, get in touch. We can help!

About The Fox Red Risk

Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing controls frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.

22301:2019 article 25 article 28 awareness bcms breach change management ciso controller cybersecurity data breach data privacy Data Protection data protection by design data protection officer data protection service Data Subject Access Request DPO DSAR GDPR incident management information security leadership management operational resilience Outsourced DPO Privacy processor resilience risk risk appetite risk management ROI security security as a service small business soc strategic strategy Subject Access Request training transparency vciso virtual ciso vulnerability scanning

About The Author