Educause Security Discussion mailing list archives

Re: Zoom - Penetration Test


From: "Shankar, Anurag" <ashankar () IU EDU>
Date: Mon, 26 Sep 2016 16:30:46 +0000

I completely agree with Nick. One of the reasons for engaging a vendor is so you can transfer risk.  I used the HIPAA 
Security Rule Toolkit when we did an assessment of Box prior to allowing PHI on our Enterprise instance.  It asks a 
thousand questions, which I think was overkill.  I found that the purely technical was less important than the 
attitude, how serious and willing the vendor is to work with you to alleviate your security concerns.  You must ask to 
see their books because often, the compliance documentation is good enough, particularly documented policies, to show 
if they are managing risk well.  Due diligence is good but you can also go too far. Pen testing a vendor definitely 
falls in that category in my book, especially if you are not doing it for your own systems.

 

Regards,

Anurag

---

Anurag Shankar,  Ph.D.  Email: ashankar [at] iu.edu  Phone: +1 (812) 856-6978

Center for Applied Cybersecurity Research, Pervasive Technology Institute, Indiana University

2719 E. 10th Street, Suite 231, Bloomington, IN 47408

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Nicholas 
Garigliano <ngarigl8 () NAZ EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, September 26, 2016 at 10:47 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Zoom - Penetration Test

Hi Sean,

A "Pen Test" can mean different things to different people.  There are no hard and fast rules as to what constitutes a 
penetration test.  It depends on what your expectations are, the expertise and reputation of the 3rd party vendor 
performing the test, and the thoroughness of the test.  As far as having someone do a test of Zoom, I would be 
extremely cautious.  It would depend on Zoom's SLA (you should not do any testing without prior written documentation 
from Zoom highlighting what is allowed and not allowed, and you should have this vetted by your legal department) and how much you 
are willing to spend.  And remember, a pen test is just a point-in-time measurement.  I am sure that Zoom's 
architecture is evolving and very dynamic, like most.  What is "secure" today may not be "secure" tomorrow.

I would be more concerned about their written policies and procedures and whether or not they have any of the 
appropriate ISO certifications (use AWS as a benchmark?).  Do they have dedicated Security and/or Risk management 
staff?  At what level does security get involved in upper management, i.e. do they have a CISO?  Do they have dedicated 
security staff?  What monitoring do they have in place?  How much info are they actually willing to share?

And of course, if you are putting data in the cloud, the onus is on you to store and transmit that data securely, with 
the realization that if you do not control the hardware, you do not really control the data.

Hope this helps!


Nick Garigliano, CISSP, GCIH, GPEN 

Network Security Engineer

Enterprise & Network Solutions

Nazareth College

585 389-2109

On Fri, Sep 23, 2016 at 2:01 PM, Clark, Sean (OIT) <Sean.Clark () ucdenver edu> wrote:

We are looking to use Zoom for highly confidential data and are asking them, per our usual process for evaluating cloud 
services for security and compliance, to provide us with evidence of a third party penetration test, and appropriate 
remediation.  Zoom has refused to perform a pen test or provide evidence that a pen test (and remediation) has been 
performed, but they have said that some of the organizations that use their product have performed pen tests of their 
app.

Have any of you performed a pen test of the Zoom app, or seen evidence of such?

Sean Clark

Information Security Officer

Director of IT Security and Compliance

Office of Information Technology

CU Denver | CU Anschutz

Sean.Clark () UCDenver edu

303-724-0486