Educause Security Discussion mailing list archives

Re: [Ext] Re: [SECURITY] Utilizing zoom


From: "Leber, Dennis E" <dleber () UTHSC EDU>
Date: Thu, 2 Apr 2020 20:01:30 +0000

I appreciate all the feedback, and want to expand on my posting. At no time was this meant to appear as placing fault 
on anyone. I was simply sharing in the event others may have similar architecture. We all have our organizations' best 
interest in mind and never do things carelessly or without large amounts of consideration.

Nor is what we do a competition or an attempt to demonstrate who is better or wrong; we all have the same goal in mind; 
helping our orgs stay safe, and each other make sound security choices.

My intention is to share a risk assessment approach to deciding how to best protect your organization. I am glad it 
enabled discussion, I welcome all information that aids in making decisions, I am not too proud to take information and 
observations and include that in my decisions and change my recommendation if that data warrants it.

I am glad that I have this source available, and this collected brain trust to rely on.

Thanks to all of you, and I apologize that I did not fully author my posting in a better, more thought out manner.

Respectfully,

Dennis E. Leber

Chief Information Security Officer (CISO)

The University of Tennessee Health Science Center
Office of Cybersecurity
877 Madison Ave
6th Floor
Memphis, TN 38163

dleber () uthsc edu
t: 901.448.5848
c: 270.307.1609
https://www.uthsc.edu/its/cybersecurity/



________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Hagan, Sean 
<sean.hagan () YC EDU>
Sent: Thursday, April 2, 2020 2:35 PM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] [Ext] Re: [SECURITY] Utilizing zoom

Not trying to pick out either your or Dennis' responses, but just generally I have to say I'm a little surprised at the 
sudden and seemingly significant blowback that Zoom is getting.

If we stopped using every SaaS application or piece of technology that had a security vulnerability or that didn't 
behave in the manner we expected, or that was at risk of attack due to its popularity, we'd be left with 
etch-a-sketches (actually, I could never get those to work right, so I'd be left with nothing).

I certainly appreciate all the information and opinions being shared and am constantly evaluating them against my own 
experiences, but so far I feel like Zoom has been a pretty good partner - providing useful technology at a critical 
time and actively responding to issues and concerns raised.

So many of the recently reported issues seem to be more user training/knowledge or enterprise management/configuration 
issues than they are Zoom product failures.  Certainly we can argue that some default settings should be modified by 
the vendor (and in fact it appears they are now for K-12 environments, as an example), but this is not unique to Zoom.  
Admittedly, the encryption issue may indeed be a major deal for some organizations.

Anyway, I don't own any stock in Zoom (or the competition), don't know anyone who works there, and will continue to 
look forward to opinions and knowledge on either side of the issue.  For my own organization, I don't see us swearing 
it off - just continuing to impress upon our user base the importance of proper configuration, hygiene, and general 
computing best practices.

Good luck to everyone in your decisions and in your online and remote teaching/learning/working efforts!

Sean


________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Kimmitt, Jonathan 
<jonathan-kimmitt () UTULSA EDU>
Sent: Thursday, April 2, 2020 12:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] [Ext] Re: [SECURITY] Utilizing zoom


And just to be clear… I’m not opposed to using a product that has had problems in the past… as long as they have 
responded correctly and fixed the problems…



I would rather work with a software partner that has been tested and responded well, than a new/unknown product that 
hasn’t been tested…



So while I am looking at all options to protect my campus, I don’t want to kneejerk away from zoom, if they are working 
to fix the problems….  I only want to move if it’s the correct decision.



-Jonathan







From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Kimmitt, Jonathan
Sent: Thursday, April 2, 2020 2:08 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [Ext] Re: [SECURITY] Utilizing zoom



We were in the process of purchasing Zoom for our telehealth….



With the recent information I am more inclined to reverse that decision…..



However, while we can get a BAA with Microsoft Teams (and we already do), what steps do we need to do to make sure that 
Teams meets the requirements for telehealth?



Are there any published checklists that will help in the process?



-Jonathan





~

Jonathan Kimmitt

CISSP, PCIP, CEH, CIPM,

GPEN, CIPT, CIPP/E, GSNA

Chief Information Security Officer

Information Technology

The University of Tulsa

918.631.2743







From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Leber, Dennis E
Sent: Thursday, April 2, 2020 1:52 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [Ext] Re: [SECURITY] Utilizing zoom



Our team conducted a risk analysis of Zoom; attached is our summary. NASA, Tesla, and others have immediately stopped 
the use of Zoom.




Dennis E. Leber

Chief Information Security Officer (CISO)

The University of Tennessee Health Science Center
Office of Cybersecurity
877 Madison Ave
6th Floor
Memphis, TN 38163

dleber () uthsc edu
t: 901.448.5848
c: 270.307.1609
https://www.uthsc.edu/its/cybersecurity/







________________________________

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Menne, Michael S 
<michael.menne () MNSU EDU>
Sent: Thursday, April 2, 2020 1:22 PM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [Ext] Re: [SECURITY] Utilizing zoom



We are using Zoom for telehealth. Zoom has a Healthcare option that disables recording capability and encrypts chat 
messages. There may be other things as well that I'm not aware of.

 I've seen several local providers (including Mayo Clinic) use Zoom for Telehealth.



On 4/2/20, 1:21 PM, "The EDUCAUSE Security Community Group Listserv on behalf of Rick DeCaro" <SECURITY () LISTSERV 
EDUCAUSE EDU on behalf of Rick.Decaro () LOGAN EDU> wrote:

    +1 for piloting Doxy.me.   We also considered Zoom, Spruce and Teams.


    Rick DeCaro
    Director of Information Technology | Logan University
    1851 Schoettler Road | Chesterfield, MO 63017
    Phone: (636) 230-1760 | Logan.edu




    -----Original Message-----
    From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Bill Thompson
    Sent: Thursday, April 02, 2020 1:18 PM
    To: SECURITY () LISTSERV EDUCAUSE EDU
    Subject: Re: [SECURITY] Utilizing zoom




    Our counseling center looked at Zoom for Healthcare and decided to pilot doxy.me instead primarily for the 
integrated teleconsent feature.

    Best,
    Bill

    On Thu, Apr 2, 2020 at 2:14 PM Mark Reboli <mreboli () misericordia edu> wrote:
    >
    > Question:  Like most of you we have multiple options for telehealth and addressing clinical hour needs for our 
students.  I am looking at the different options and any concerns with utilizing Zoom over some other solutions.  Any 
guidance would be appreciated.
    >
    >
    >
    > Thank you
    >
    >
    >
    > M
    >
    >
    >
    > Mark Reboli
    >
    > Network/Telecom Manager
    >
    > Misericordia University
    >
    > (570) 674-6753
    >
    >
    >
    > This e-mail and accompanying attachments are confidential.  The information is intended solely for the use of the 
individual to whom it is addressed. Any review, disclosure, copying, distribution, or use of this e-mail communication 
by others is strictly prohibited. If you are not the intended recipient, please notify us immediately by returning this 
message to the sender and delete all copies. Thank you for your cooperation.
    >
    >
    >
    > **********
    > Replies to EDUCAUSE Community Group emails are sent to the entire
    > community list. If you want to reply only to the person who sent the
    > message, copy and paste their email address and forward the email
    > reply. Additional participation and subscription information can be
    > found at
    > https://www.educause.edu/community
