As the majority of our courses are still online, we wanted to have a refresh on best practices for Zoom, you can see our main Zoom help page here. This post will focus on how to ensure your Zoom virtual classroom sessions remain secure.
The overwhelming majority of Zoom courses in the fall semester were conducted online with no significant security issues. However, there were a few unfortunate incidents of “Zoom bombing” where an unauthorized user gained access to and disrupted classes in progress.
This tech tip will review the best security practices to ensure that your course stays as secure as possible and you experience no interruption. Please also review the CUNY Zoom security protocol.
Enable security features
Require users to authenticate
In every case of Zoom bombing that was reported in the fall semester, the Zoom host did not enable the feature requiring users to login with a Zoom account. This feature requires that users authenticate with Zoom prior to requesting access to a meeting. Otherwise, a “bad actor” could simply enter different names and continually request/gain access to a meeting. Requiring someone to authenticate with Zoom both makes it easier to prevent bad actors from crashing a meeting and makes it significantly easier to track them down if they do try to interrupt. It is for this reason that we highly recommend enabling this feature in your account right now.
How to require users to authenticate
Passwords, Waiting Room, and Locking the Room
Zoom requires users to enable at least one security feature: “Password” and/or “Waiting Room.” These security features can be set in the web interface or while scheduling the meeting itself.
A password is an additional security feature that prevents a bad actor from gaining access to your Zoom session by having a computer “guess” the randomly generated Zoom link. However, if this information is shared with a bad actor by a student, this will not prevent Zoom bombing by itself. Passwords are an important security feature, but cannot be relied on as the sole means of protection.
The Waiting Room is a feature that allows you to see who is requesting access to the meeting before granting them access. It has several advantages and disadvantages as a security feature. While the waiting room can stop a bad actor from accessing the meeting, it requires you to continuously monitor it throughout the class which can be distracting and makes it difficult to concentrate on conducting your class. Further, Zoom bombers in the past have duplicated legitimate students’ names to illicitly gain access to the meeting. [/toggle_item]
Enable the Waiting Room and Passcode in the Web Interface
Enable Passcode and Waiting Room in the Desktop App
The Zoom session can be locked while in progress, preventing any additional users from accessing the class. After the “lock” is enabled, any additional attempts to access the session will automatically be rejected. This can prevent bad actors, but it also means legitimate students who have technical difficulties in the middle of the session or lose connection will be unable to rejoin. It is for this reason we don’t recommend enabling this feature unless you have significant issues with Zoom bombing. This feature can only be enabled once the Zoom class is in progress.
As none of these features in isolation will prevent Zoom issues in their entirety, please use a combination of the above security measures. Bear in mind, however, no matter how secure you aim to be, there will be people who try to circumvent your efforts. These security measures, especially requiring users to authenticate through zoom will significantly reduce Zoom issues, and if they do occur, make it easier to identify the responsible party.
For that reason, please see below for the procedures of reporting a Zoom incident.
Reporting Zoom bombing
If you encounter a Zoom bomber during your class, you can remove them from the session and “lock” the room so they are unable to reenter. Be aware that if a student has an issue and needs to get back in the lock will prevent them from doing so. Make sure a reentry protocol is established (ie: you will have your email open if a student needs to contact you for class issues) prior to the session.
How to report Zoom bombing
Document the time, name, and whatever other information you have on the bad actor including the disruptive nature of their actions. You can retrieve detailed information on all users in your session in your cuny.zoom.us site.
1.1 Click on Reports in the left side menu
1.2. Click on Usage under Usage Reports->Usage.
2. Adjust the date range settings so that the date the incident occurred is shown. Click on the number in the Participants column. This brings up a list of participants with their start time, email address, and username.
3. Meeting Participants will show the CUNY login of the user in question if you have enabled “Require users to authenticate.”
4. Take a screenshot of the Zoom bomber’s information (including which user it was and when the incident occurred), or select “Export with Meeting data” then click “Export” to download the report as a CSV file.
5. Report this information to Office of Public Safety at firstname.lastname@example.org or 718-997-5912 and the Office of Vice President for Student Affairs at VPSA@qc.cuny.edu or 718-997-5500. Be sure to include the documentation of the log of the incident, specifying the user and the time the Zoom bombing occurred.
If you have any questions, please feel to contact CTLOnline@qc.cuny.edu