Zoom attacks and more: first officer's blog - week 32

Zoom attacks, decreasing security budgets and more. Here are the top stories from the cyber risk world over the past week.

Mike Parkin | January 02, 2023

First Officer’s log, terrestrial date, 20230102. Officer of the Deck reporting.  

The security team has been working diligently to track down the origin of the transmission that had rendered our warp drive temporarily out of service. While it’s always a bit embarrassing to have to call in outside help, sometimes it’s necessary. In this case, it meant calling in Starfleet’s investigative security unit, specifically the sub-unit within that larger organization that was tasked with protecting computing resources.  

They were able to use the information we gave them to start their investigation into the unknown chess fan, and we were informed they would have an agent waiting for us at our next port of call, along with a team to sort out whatever evidence they found remaining in our systems. 

While the response manuals on the subject said the best practice was to leave everything in place until the forensics investigation could start, to preserve the most useful evidence, our reality was not going to allow that. If it had been a subsystem, or a fixed installation, where they could leave it to shut down until there was time to bring in the specialists, it would have been fine, but we didn’t have that luxury.  With a vital system down, and stuck in deep space, we had to go with the second-best alternative, which was to save snapshots of the affected systems and then get them back online. 

Since the Engineering team’s priority was to get the ship moving again, the best we’d have for the investigators was a communications log, images taken from the affected systems, and a quarantined copy of the file Professor [REDACTED]’s assistant opened against protocol. That last would probably be most useful, at least according to our own internal security team’s assessment.

Fortunately, with the warp drive back online, we were able to resume course for [REDACTED]. 

Coincidentally, the new year on Earth would happen while we were in warp. Another traditional period of celebration which, honestly, made little sense to some of our non-Earth-born Human crew and many of our non-human crew as well.

This was partially from the idea of a planetary date having such significance in a culture that spanned many light years, had worlds with years that varied widely, and consisted of species that had different perceptions of time, date, and the passing of seasons. And partly from the fact that Earth’s recognized New Year’s Day was entirely arbitrary, not following anything even as superficially significant as an equinox or solstice. Worse, there were multiple New Years on Earth, depending on which sub-culture you belonged to.

Still, we were bound to do something when the ship’s chronometer indicated that it was midnight at Starfleet Headquarters on Earth*. 

And for those on other worlds, in other parts of the galaxy, Happy New Year from the crew of the Federation Support Ship USS [REDACTED]. 

*: Canonically, Starfleet Headquarters is in San Francisco, CA, USA, North America, Earth, where the local time zone is Pacific Standard Time, or Zulu –8 hours. 

So, wait, who IS that guy on our Zoom call? 

What happened 

A recent report has pointed to a rise in the range of attacks against various video conferencing platforms. This has been especially noticeable with small and medium business organizations which often do not have the resources to properly secure their environments, including their video conferencing applications. 

Why it matters 

Small and Medium Business (SMB) organizations are often under-resourced for cybersecurity, and video conferencing often has a lower priority than other parts of the environment. The challenge is that there are multiple aspects to teleconferencing that can go overlooked beyond the obvious Zoom-bombing of a call. Remote work since the start of the pandemic has turned video conferencing services from a nice way to avoid travel for meetings into the standard way people communicate.

To deal with the increased risk, SMB organizations are going to have to put more effort into securing their teleconferencing systems. While the vendors have been making improvements, there are still things the users can do to improve the situation. 

What they said 

Meetings are pretty hit-and-miss, but this one’s got plenty of people talking

We can afford this, right? We need to afford this. 

What happened 

Recent reporting indicates that CISO budgets going into 2023 may lead to more tool consolidation to reduce costs and improve efficiency. While organizations are often looking to install the best tools and processes, the financial downturn heading into 2023 puts more pressure on them to do so than usual. In some cases, this will mean moving to integrated solutions, in others it will mean finding which of their existing solutions works best and adding some coordination to make them more efficient, while others will simply entail reducing the budget, eliminating tools and personnel, and hoping for the best. 

Why it matters 

Cyber security budgets can often fluctuate with a changing financial situation. It’s not always obvious how much value the teams deliver, since when they’re doing their job right, there’s really nothing to report. It’s only when there is an incident that they get attention, and that’s usually because an attacker managed to get past the organization’s defenses.

While there can be pressure to go with a “one-stop shop” that includes everything in one package from one vendor, it’s not always the best solution. While it might simplify the stack, comprehensive systems don’t always deliver the best-of-breed capability for everything they do or offer the best solution for the organization’s particular environment. They can also be more expensive overall, and require added training, and the commensurate learning curve, before they can be effective.

That’s why solutions like the one from Vulcan Cyber can be effective. The platform provides consolidation, communication, and unified risk management, without requiring the organization to make massive changes to its existing security stack. So even with a tightening budget, an organization can improve its security posture. 

What they said 

This one certainly got some attention.

Will you please behave the way we expect!

What happened 

Security teams are learning to adapt to get the most out of their User and Entity Behavior Analytics (UEBA) systems. While the basic concept of detecting anomalies is sound, in the real world it can be difficult to consistently and effectively identify variations in behavior that would indicate a breach. 

Why it matters 

UEBA systems are usually based on one of two main technologies: either rules and patterns that define suspect behavior, or statistical methods based on averages and standard deviations of activities, such as emails, logins, or chat sessions. The challenge lies in having users with consistent behaviors so the UEBA system can get a good baseline and identify deltas that might be suspicious.

With some roles, like call center operators, support personnel, or salespeople with fixed locations and schedules, it’s relatively easy to spot deviations. But for others, not so much. Field people who may be at a different location every day, and people who work from home and keep odd hours to meet the needs of their life outside of work, can both present difficulties for UEBA. Their routines are anything but, and their behaviors can change substantially from day to day.

Getting the most out of a UEBA requires recognizing its strengths and weaknesses and making sure the rest of the stack can compensate. 
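The baseline problem described above, as an added example (not from the original post or from any UEBA product): a per-user z-score on login hour, run over constructed data for a fixed-schedule operator and a field engineer. The user names, sample hours and the 3-sigma threshold are assumptions, and hour-of-day is treated as a plain number rather than a circular value to keep the sketch short.

```python
from statistics import mean, stdev

# Constructed sample data: login hour (local, 24h clock) over ten working days.
BASELINES = {
    "callcenter_op": [9.0, 9.1, 8.9, 9.0, 9.2, 8.8, 9.0, 9.1, 9.0, 8.9],
    "field_engineer": [6.0, 22.5, 13.0, 4.5, 19.0, 10.0, 23.0, 7.5, 15.5, 1.0],
}
Z_THRESHOLD = 3.0  # assumed alerting threshold, not taken from any product


def zscore(history, observed):
    """Standard deviations between `observed` and the user's own baseline."""
    mu, sigma = mean(history), stdev(history)
    if sigma == 0:
        # A perfectly constant baseline: any change at all is a deviation.
        return 0.0 if observed == mu else float("inf")
    return abs(observed - mu) / sigma


def is_anomalous(user, observed_hour, baselines=BASELINES):
    """True when the login hour deviates by more than Z_THRESHOLD sigmas."""
    return zscore(baselines[user], observed_hour) > Z_THRESHOLD


def min_detectable_shift(user, baselines=BASELINES):
    """Smallest distance from the user's mean (in hours) that raises an alert."""
    return Z_THRESHOLD * stdev(baselines[user])


if __name__ == "__main__":
    # The same 03:00 login is scored against each user's own history.
    for user in BASELINES:
        print(user,
              "| 03:00 login flagged:", is_anomalous(user, 3.0),
              "| blind band: +/- %.1f h" % min_detectable_shift(user))
```

For the field engineer the blind band is wider than the clock itself, so no login hour can ever alert; that gap is what the rest of the stack (location, device, or rule-based signals) has to cover.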

What they said 

It’s no surprise to see this story get some coverage.


Want to get ahead of the stories? Join the conversations as they happen with the Vulcan Cyber community Slack channel

