Zoom Security
With CSUN's transition to virtual instruction, it might be helpful to understand Zoom's privacy policy. Zoom keeps CSUN data safe and secure. According to their privacy policy, Zoom:
- Does not sell your personal data
- Does not monitor meetings unless asked otherwise
- Hosts have the option to save a recorded meeting. These meetings should be saved to myCSUNbox so they cannot be accessed by unauthorized individuals
- Zoom only collects data necessary to provide you with full access to Zoom services. An example of data used is your IP Address or OS device details
- Users have control over their cookie settings.
Zoom is committed to keeping your personal data secure. Zoom uses “industry-standard security technologies, procedures, and organizational controls.”
For more detailed information, visit their website, Zoom's Privacy Policy.
Zoom has discovered a vulnerability in its chat feature. In Zoom's chat feature, users can communicate through messages in a chat room. The vulnerability allowed users in meetings to send links that could be malicious and could lead to theft of passwords and, in severe cases, theft of personal information. When links are sent through this chat, they are converted to URLs that users in the meeting can click. This poses a threat when a malicious link is sent and users click on it. Zoom converted every URL and UNC path to a clickable link; the problem with this is that Windows will share the user's username and password, which could then be easily intercepted.
This system can also be used to launch other applications. Usually, when your Windows computer launches a new application it will ask the user for permission; however, in this instance, it does not and opens the application immediately.
Zoom recently released an update that fixed this issue. Once this update is complete the links will not be clickable.
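The following is an added example, not Zoom's code or part of the original page: a sketch of a chat renderer that turns only http/https URLs into links and leaves UNC paths as escaped plain text, which is the behavior the fix above describes. It goes slightly beyond the text by also refusing `file:` URLs; the function names and the sample message are constructed for illustration.

```python
import html
import re
from urllib.parse import urlsplit

# UNC path: two leading backslashes (or slashes), a host, then a share/path.
UNC_RE = re.compile(r"^(\\\\|//)[^\\/\s]+[\\/]\S+$")
ALLOWED_SCHEMES = {"http", "https"}


def scheme_of(token):
    """URL scheme of a token, lowercased; '' if it cannot be parsed."""
    try:
        return urlsplit(token).scheme.lower()
    except ValueError:
        return ""


def classify(token):
    """Return 'web', 'unc', 'remote-file' or 'text' for one chat token."""
    if UNC_RE.match(token):
        return "unc"
    scheme = scheme_of(token)
    if scheme in ALLOWED_SCHEMES and urlsplit(token).netloc:
        return "web"
    return "remote-file" if scheme == "file" else "text"


def render(message):
    """Render a chat message as HTML; return (html, tokens_not_linkified)."""
    out, blocked = [], []
    for token in message.split():
        kind = classify(token)
        safe = html.escape(token, quote=True)
        if kind == "web":
            out.append(f'<a href="{safe}" rel="noopener noreferrer">{safe}</a>')
        else:
            if kind in ("unc", "remote-file"):
                blocked.append(token)  # worth logging for the meeting host
            out.append(safe)           # shown as plain, non-clickable text
    return " ".join(out), blocked


# Constructed sample message; host names are placeholders.
MESSAGE = r"slides: https://example.edu/doc installer: \\fileserver.example\share\setup.exe"

if __name__ == "__main__":
    rendered, blocked = render(MESSAGE)
    print(rendered)
    print("not linkified:", blocked)
```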
Why Working Remotely is Different
Working at home presents a unique challenge for information security because remote work environments don't usually have the same safeguards as working in the CSUN environment. When CSUN faculty and staff are on the CSUN campus, they are working behind layers of preventive security controls. While not 100% foolproof, it is harder to make a security mistake while in the CSUN environment. However, when CSUN-issued devices leave the perimeter or faculty and staff work remotely, new risks arise and additional protections are essential.
Threats to Working Remotely
- Unsecured Wi-Fi networks: Not everyone has a secure home network with strong firewalls. Public Wi-Fi networks, such as those in coffee shops, are also unsafe for conducting business. Unsecured public Wi-Fi networks are prime spots for malicious parties to spy on internet traffic and collect confidential information.
- Using personal devices and networks: Many faculty and staff will be forced to use personal devices and home networks for work tasks. These home devices lack safeguards built into business networks such as antivirus, firewalls, and backup tools. This increases the risk of malware finding its way onto devices and both personal and work-related information being breached.
- Scams target remote workers: Hackers target remote workers because of the lowered security measures.
Security Musts When Working Remotely
These are some additional precautions that must be taken by employees when working remotely:
Never use public Wi-Fi
Public Wi-Fi introduces significant security risk and must be avoided. Instead of public Wi-Fi, use a CSUN or personal hotspot from a dedicated device or your phone. If you are not able to access a hotspot, you may also use a VPN to connect to CSUN’s network. Using a cellular network is safe.
Secure your home Wi-Fi
Change your router password. Make sure firmware updates are installed so that security vulnerabilities can be patched. The encryption should be set to WPA2 or WPA3. You can check this by reviewing your router manufacturer's manual or by checking the Wi-Fi network preferences on your device to see what encryption your connection is using. Make sure your Wi-Fi has a strong passphrase/password. Restrict inbound and outbound traffic, use the highest level of encryption available, and switch off WPS.
Use a CSUN maintained device
CSUN techs ensure your workstation, laptops and tablets have anti-malware, encrypted drives, licensed software and the latest patches. Your personal devices do not meet CSUN requirements. Your personal devices could introduce a risk to CSUN’s data and your account. If you have a CSUN laptop, make sure to use it at home for work, even for accessing your work emails. If you were not assigned a laptop, your department or college may allow you to take your workstation home. Check with your local tech.
Use CSUN VPN with Multi-Factor Authentication (MFA)
CSUN VPN encrypts, tunnels and protects all of your internet traffic, so that it is unreadable to anyone who intercepts it. This keeps it away from the prying eyes of any hackers and your Internet Service Provider (ISP). CSUN VPN protects your data. Use VPN even if you are checking your email, accessing SOLAR or storing a file in Box. If you are a Level 1 user or have opted-in for MFA, you will be prompted by CSUN’s MFA when accessing VPN as an additional security measure. The use of public networks with CSUN’s VPN is highly discouraged due to the risk of compromising the information.
Level 1 Users
A Level 1 user is any CSUN faculty, staff or student worker who has access to Level 1 data other than their own. Level 1 users must use a CSUN maintained device when accessing Level 1 data or a Level 1 system. You may not access Level 1 systems from your personal devices. Use your CSUN maintained device (desktop or laptop) at home to access Level 1 data or systems. As an alternative, some departments and colleges have set up virtual machines that conform to the High Risk Workstation Standard. If your department has set up such machines and the machines are only accessible via CSUN’s Global Protect VPN with MFA, then you may access the virtual machines via your personal devices. If you need assistance, contact your local tech.
Keep work data on work computers or CSUN approved storage
If you don’t have a CSUN laptop or workstation at home, the next best thing is to access your CSUN workstation remotely. While certain remote access tools have security vulnerabilities, using the CSUN VPN with MFA will mitigate those issues. Make sure you are using Microsoft Remote Desktop Protocol (RDP) software on both Windows and Mac machines. Make sure your patches for RDP are up to date. CSUN also has several virtual workstation options available. Contact your tech or IT to see if this option is available to you. Don’t store CSUN files on your home computer. Use your work computer or Box to store your CSUN files.
Do not share your device
If you are working from home and are forced to use your personal device, make sure you are the only one using your device (computer, tablet, etc.). CSUN data cannot be shared with family members. Allowing others to use a device that is being used to access CSUN data violates CSUN policy by potentially sharing it with persons that have no right to see CSUN data. This includes your spouse.
Patch all your software
Updates to device software and other applications can sometimes take a long time. But they really are important. Updates often include patches for security vulnerabilities that have been uncovered since the last iteration of the software was released. Patch your personal devices.
Set up the firewall on your computer
Firewalls act as a line of defense to prevent threats from entering your system. The firewall creates a barrier between your device and the internet by closing ports to communication. This can help prevent malicious programs from entering and can stop data leaking from your device. Your device’s operating system will typically have a built-in firewall. Turn it on.
Use antivirus software
Although a firewall can help, it’s inevitable that threats get through. Good antivirus software can act as the next line of defense by detecting and blocking known viruses or malware. Even if viruses or malware do manage to find their way onto your device, antivirus software may be able to detect and, in some cases, remove them. Turn on antivirus and keep it up to date.
Make sure you are using properly licensed software
Most software that CSUN licenses can only be used on CSUN devices. Exceptions are software on the Software Download page and software such as Microsoft Office that explicitly states it can be downloaded on multiple home devices. Please make sure when working from home and using your own machine that you do not violate any license agreements. If you have any questions please contact .
Never leave your devices in the car
Never leave your work computers or devices in a vehicle. It’s a best practice to keep work laptops and devices on your person at all times. The trunk of your car is not any safer. There may be criminals watching the parking lot from afar, waiting for their next victim. Putting valuables in the trunk may make life a little bit easier in the short-term - but why take that chance?
Taking home paper files?
Keep all confidential paper files locked up and inaccessible to other persons in the household except when in use. Use a cross-cut shredder when disposing of any paper files. Make sure you can account for any and all confidential files that are removed from the office by having a checkout system.
Look out for phishing emails and sites
Phishing emails, as well as voicemails (vishing) and text messages (smishing), are used by cybercriminals to “phish” for information. This information is usually used in further schemes such as spear phishing campaigns (targeted phishing attacks) and account takeover fraud. The recent outbreak of the Coronavirus has allowed cybercriminals to use it as a tactic in their mission to cash in or pursue personal information. These cybercriminals have been known to send out emails, make phone calls and publish websites with false information. To spot a phishing email, check the sender’s email address for spelling errors and look for poor grammar in the subject line and email body. Hover over links to see the URL and don’t click links or attachments unless you trust the sender 100 percent. If in any doubt, send the email to and we will check it out. If you do click a link and end up on a legitimate-looking site, be sure to check its credibility before entering any information. Common signs of a phishing site include lack of an HTTPS padlock symbol (although phishing sites increasingly have SSL certificates), misspelled domain names, poor spelling and grammar, lack of an “about” page, and missing contact information.
For More Information or If You Suspect a Breach
If you have any questions or suspect you may have been breached, please contact Information Security at iso@csun.edu or x6100.
Additional Resources
For more information on tips for working at home please visit the NINJIO site for informational videos.
Zoom has seen a rise in users in the past few months that it did not anticipate. With this increase, they have also seen an increase in the number of challenges they have in front of them. They are working to solve all these issues and take all issues seriously. For more information on their story and how they are taking action, please visit A message to our users-Zoom.
Podcasts
- Collaborating Successfully for Cybersecurity Awareness
- Cybersecurity Awareness Success Stories
- How to Make People Care About Cybersecurity