Skype in the Enterprise: Is Your Security Program Ready to Chat?

SecureState was recently asked if using Skype within a business environment for very specific cases was a good idea. The company asking the question was unsure of the security implications and what risk would be introduced by implementing the Skype application.

Concerns over security and privacy have existed ever since Skype was launched over eight years ago.  What is the consensus now regarding data protection when using Skype in the enterprise?

Multiple researchers have performed analysis on the Skype application. It has proven difficult to analyze because of a number of deliberate measures put in place to prevent viewing the underlying actions of the software. These countermeasures include packing of the binary, polymorphic integrity checks, checks and traps for debuggers, and obfuscation of both code and network traffic. The main points from that research are that the cryptography employed is actually done well, but the application is still mostly a black box.

Putting Risk in Context – it’s useful to step back and evaluate the fuller picture in the context of your existing operations.

For example, how are you communicating today in your organization? If you are making calls which route across a PSTN (Public Switched Telephone Network), then you are already putting your conversations into the hands of service providers, governments, and whoever else may have physical access to the lines. Perhaps you think you're safe because you're purely digital, and you route VoIP calls across an MPLS VPN to your remote offices.

However, yet again trust has been placed in an unknown entity: that service provider's network, operations, and controls (or lack thereof).

Looking at another example, do you permit employees to dial in to conference bridges from their home phones or personal cell phones?  Do your employees ever use their cell phones in a public location such as a crowded bus on their way to work?  You may be laughing or scoffing, but such lax data security practices have occurred more times than you’d care to think about.

In terms of tightening data protection to reduce the risk of direct data leakage, this boils down to establishing data classification and data handling procedures and policy, and indoctrinating employees in that policy.

Skype traffic should be treated the same way as traffic that crosses a public network or a third-party service provider. Usage of the service, and the type of data or information which passes through the Skype network, should then map to your data handling procedures accordingly.

Another factor to consider is that you now have another piece of software deployed that needs to be managed and updated.  Many organizations already have a hard enough time keeping up with patch management for major components such as operating systems, browsers, and browser plug-ins. The introduction of additional software increases the operational burden as well as the surface area which can be attacked.

In fact, while much of Skype's traffic is encrypted, traffic which contains advertisements is not, making it a possible vector for injection of malicious content. Before permitting Skype software to be installed, work with the team who manages desktop software to make sure they have an established process for the following activities: deploying software in a preconfigured manner, tracking software updates, and pushing out updated versions upon release.

As with all risk decisions, there is no black and white answer that is universal to every organization regarding Skype.
