Educause Security Discussion mailing list archives

Re: Zoom - Penetration Test


From: Nicholas Garigliano <ngarigl8 () NAZ EDU>
Date: Mon, 26 Sep 2016 10:47:52 -0400

Hi Sean,

A "Pen Test" can mean different things to different people.  There are no
hard and fast rules as to what constitutes a penetration test.  It depends
on what your expectations are, the expertise and reputation of the 3rd
party vendor performing the test, and the thoroughness of the test.  As far
as having someone do a test of Zoom, I would be extremely cautious.  It
would depend on Zoom's SLA (you should not do any testing without prior
written documentation from Zoom highlighting what is allowed and not
allowed, and have this vetted by your legal department) and how much you are
willing to spend.  And remember, a pen test is just a point-in-time
measurement.  I am sure that Zoom's architecture is evolving and very
dynamic, like most.  What is "secure" today may not be "secure" tomorrow.

I would be more concerned about their written policies and procedures and
whether or not they have any of the appropriate ISO certifications (use AWS
as a benchmark?).  Do they have dedicated Security and/or Risk management
staff?  At what level does security get involved in upper management, i.e.
do they have a CISO?  Do they have dedicated security staff?  What
monitoring do they have in place? How much info are they actually willing
to share?

And of course, if you are putting data in the cloud, the onus is on you to
store and transmit that data securely, with the realization that if you do
not control the hardware, you do not really control the data.

Hope this helps!

Nick Garigliano, CISSP, GCIH, GPEN
Network Security Engineer
Enterprise & Network Solutions
Nazareth College
585 389-2109

On Fri, Sep 23, 2016 at 2:01 PM, Clark, Sean (OIT) <Sean.Clark () ucdenver edu>
wrote:

We are looking to use Zoom for highly confidential data and are asking
them, per our usual process for evaluating cloud services for security and
compliance, to provide us with evidence of a third party penetration test,
and appropriate remediation.  Zoom has refused to perform a pen test or
provide evidence that a pen test (and remediation) has been performed, but
they have said that some of the organizations that use their product have
performed pen tests of their app.

Have any of you performed a pen test of the Zoom app, or seen evidence of
such?

Sean Clark
Information Security Officer
Director of IT Security and Compliance
Office of Information Technology
CU Denver | CU Anschutz
Sean.Clark () UCDenver edu
303-724-0486