Posted on Sep 17, 2020 5:00:00 AM
As businesses and users have shifted to remote work environments, Zoom has experienced unprecedented growth in their user base – from 10M daily meeting participants in December 2019 to 300M in April 2020. Not only did they grow their user base, but they also reported equally significant customer growth – approximately 265,400 customers with more than 10 employees, a number that’s grown 354% year-over-year. To protect these new users, Zoom sought out continuous security testing to add to their robust security program.
Zoom allows each new business customer to create their own subdomains for their employees and contractors. Recognizing that they now needed to protect approximately 250K new subdomains that would become part of their overall attack surface, Zoom proactively sought out a solution that could scale. After talking with Bishop Fox security experts, Zoom realized they needed security testing that was more comprehensive and agile than a standard point-in-time assessment to protect their rapidly expanding attack surface.
As businesses grow their user bases, they add complexity to their attack surface – each piece of infrastructure (subdomains, domains, applications, software, etc.) becomes a potential target that an attacker can exploit. To lock down those assets, companies must not only have comprehensive visibility into their attack surface, but they must be able to continuously track emerging threats, new assets, and then prioritize those potential risks to secure their clients and their data.
BISHOP FOX PROVIDES CONTINUOUS ATTACK SURFACE TESTING
Continuous monitoring and tracking sounds daunting, as it often leaves security teams with a lot of noise and heaps of data, but no clear path on where to act first to make the biggest security impact for their business. What Zoom needed was human expertise to weed through this data and analyze them as an attacker would.
Bishop Fox partnered with Zoom in May 2020 to map their attack surface, which was growing rapidly not just in size, but in complexity, so that we could find any unknown assets and locate security risks for the company. With the Continuous Attack Surface Testing (CAST) managed service, Zoom could rely on Bishop Fox security experts to work through the potential security issues that existed on Zoom’s 500K targets and create proof-of-concept exploits to prioritize which risks required immediate attention.
As a result, Zoom was able to remediate the risks before attackers could exploit them in order to proactively protect their clients.
AUGMENTING ZOOM’S SECURITY TEAM TO PROVIDE ACTIONABLE RISK INSIGHTS
Zoom worked alongside the Bishop Fox CAST team, who helped to find, validate, and essentially act as a red team for every asset Zoom owned on the internet. What Zoom needed was to complement their full-scale security program with a deeper, continuous view of their attack surface. The challenge was to get the deep security insights they needed on a broad scale and in real time in a way that was both manageable and actionable for their team.
The CAST team became an extension of Zoom’s expert security group, helping them discover unknown infrastructure and new technologies within their attack surface to give them a full view of their assets. With Zoom’s thorough bug bounty program in place, Bishop Fox was able to take input from those findings to validate and prioritize those issues for the security team to remediate.
In addition, the Bishop Fox team was able to add that information to the CAST platform to quickly search for other areas within Zoom’s attack surface that may have issues related to the vulnerabilities reported within the bug bounty program. The CAST team was able to help Zoom find misconfigurations to prevent them from becoming part of the public attack surface. With this information, Zoom was also able to learn from and prevent future misconfigurations from putting them at unnecessary risk.
ZOOM IMMEDIATELY FIXES SECURITY ISSUES TO PROTECT THEIR CUSTOMERS
Armed with a highly curated, prioritized list of security issues, Zoom was able to jump into action and proactively mitigate vulnerabilities before attackers could actively exploit them. The company immediately fixed five critical or high-risk issues within hours of Bishop Fox's CAST team finding and validating those issues. After we demonstrated the attack vectors and how our proof-of-concept exploits would work, the Zoom team escalated the mitigations internally to get the resources they needed to take immediate action.
Bishop Fox will continue to work alongside Zoom to help prioritize and validate new risks as they emerge and work toward remediating those issues. By continuously mapping their changing attack surface and discovering new issues, Zoom ensures that their clients, their application, and all stored data is secured – no matter when they’re targeted.