Skype in the Enterprise - Revisiting Reality
Skype came out with a business initiative a while back. I'm not sure what their perspective is, but I'm putting on my "Network Security Architect" hat for this post and trying to take an objective look from the corporate/enterprise view. I'm confident this post will upset or offend some people, so get ready.
Caveat #1 - I'm a big fan of Skype and use it all the time. All you have to do is click a link in the sidebar and you can Skype me.
Caveat #2 - I am a network security architect in the enterprise environment, involved in both policy and operations.
Prediction - I haven't seen it documented yet, but before 2006 is done, someone in a major corporate business enterprise will get fired for using Skype.
Yes, that's a bold prediction. Now I'll explain why I feel this way.
Skype is a peer-to-peer technology. It's brought to us by the folks who gave us Kazaa. If you think corporate enterprise ever looked favorably on Kazaa, you'd better look again. In the corporate/enterprise world, peer-to-peer technologies are viewed as a threat. The reasoning is simple. Once a peer-to-peer session is established, corporate security mechanisms are commonly bypassed. File transfers don't go through anti-virus gateways. Bots, trojans and remote control of the corporate computer, connected to the corporate network, might be achieved. Note that I didn't say is achieved. It might be. Corporate security is about managing risk, and peer-to-peer technologies in today's environment increase the risk to the corporate network.
First we'll start with the obvious. Two weeks ago I posted this for readers' benefit -
Gartner: Firms must act now to fight Skype security threat
I get a lot of news items from different sources and follow a lot of web sites pertaining to security issues, in addition to all the VoIP and unified communications topics of interest. This was of particular interest because it appears that, in addition to widespread concern about Skype security in corporate networks, Gartner has come out posing Skype as a security threat.
May 30, VNUNet — Gartner: Firms must act now to fight Skype security threat. Companies should "act now" to combat the growing security threat posed by Skype and other voice over IP telephony services, industry experts warned Tuesday, May 30. Analyst firm Gartner said that the latest vulnerability in the Skype for Windows client highlights the risk of using the application in enterprises. Lawrence Orans, a research director at Gartner, warned that, because the Skype client is a free download, most businesses have no idea how many Skype clients are installed on their systems nor how much Skype traffic passes through their networks. According to Gartner, businesses must assess the risks of using Skype for enterprise telephony and "take appropriate action."
Referenced Skype vulnerability: http://www.skype.com/security/skype?sb?2006?001.html
Source: http://www.vnunet.com/vnunet/news/2157124/firms?act?fight?skype?security
Gartner's taken some flak from the security community of late for their amazing grasp of the obvious. They've said some things that, for some folks, raise questions about their fundamental understanding, but they do carry a reputation that we're familiar with. I tend to step quickly away from groups like Gartner and go to trusted security specialists. One of the best summations I've seen comes from Dancho Danchev in Skype as the Attack Vector. Dancho's key point that applies here is this -
There's a slight chance an enterprise isn't already blocking Skype, using both commercial and public methods wherever applicable. Moreover, it would be much more feasible to consider the fact that, if the enterprise -- assuming a U.S. one -- isn't blocking the use of Skype, it must somehow monitor/retain its use in order to comply with standard regulations. Skype poses the following problems:
- inability for the enterprise to retain the IM and VoIP sessions in accordance with regulations
- wasted bandwidth costing lost productivity and direct cash outflows, slowdown for critical network functions
- covert channel possibilities
I think reality is slightly different. I think most enterprises block Skype by policy, with few implementing technology blocking that actually blocks Skype. The key risk is the covert channel possibility. Again, managing security in the corporate enterprise is about managing risk.
We absolutely see technology solutions like this -
Product blocks Skype at the Carrier and Enterprise level
In my experience, some solutions are more effective than others. Some make bold claims. In reality, blocking Skype with technology remains problematic no matter what vendors say.
NetSpective First to Market with Skype-blocking capabilities
"...The three NetSpective products target and block peer-to-peer applications such as Skype, which enable users to utilize the Internet to place undetected and unmonitored voice calls. These peer-to-peer applications present several critical and well-documented problems for carriers, including:
* Increased congestion on networks
* Interrupted or degraded service for mission critical applications
* Violation of legal intercept requirements
* Security vulnerabilities, including the distribution of viruses
* Vulnerability to distributed denial of service attacks
* Vulnerability to remote access control
According to other independent sources, Skype causes several critical security issues for networks. Info-Tech (www.infotech.com), a Canada-based technology industry analyst firm, suggested that enterprises ban Skype for security reasons in a November 10 announcement..."
Skype itself on the Skype Security Blog provided some guidance on Admin Control of Skype features. Read the article for yourself to see how appropriate it is for your enterprise, but here's a snippet -
Under the registry key [HKLM\SOFTWARE\Policies\Phone], you can set either or both of the following registry keys:
"DisableApi"=dword:00000001
"DisableFileTransfer"=dword:00000001
I'm sorry. Registry hacks are not suitable security mechanisms for managing a corporate enterprise network's security. Period. Find me a CIO who thinks hacking the registry on machines spread around the network is an effective approach. Then load a Windows system update or critical patch and try again. This is just not acceptable for corporate enterprise business.
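For anyone who does go the registry route, the minimum follow-up is verifying that those two values are still in place after the next patch cycle. The PowerShell below is an added example, not code from the post or from Skype: it audits the key path and value names quoted in the snippet above and reports which hosts have drifted. The host names and the use of WinRM remoting are assumptions.

```powershell
# Added example: audit the two Skype policy values quoted in the post.
# Assumptions: the key path and value names are exactly those in the snippet;
# WinRM remoting is enabled and the caller has admin rights on each host.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Phone'
$Expected  = @{ DisableApi = 1; DisableFileTransfer = 1 }

function Test-SkypePolicy {
    param([string]$KeyPath, [hashtable]$Wanted)
    # One row per host: whether the key exists, each value, and whether it matches.
    $row = [ordered]@{ Host = $env:COMPUTERNAME; KeyPresent = (Test-Path $KeyPath) }
    $props = if ($row.KeyPresent) { Get-ItemProperty -Path $KeyPath } else { $null }
    foreach ($name in $Wanted.Keys) {
        # A missing value (not just a wrong one) also counts as non-compliant.
        $actual = if ($props -and $props.PSObject.Properties[$name]) { $props.$name } else { $null }
        $row[$name] = $actual
        $row[($name + 'Compliant')] = ($actual -eq $Wanted[$name])
    }
    [pscustomobject]$row
}

# Local check first (useful right after applying a patch to a test machine).
Test-SkypePolicy -KeyPath $PolicyKey -Wanted $Expected | Format-List

# Fleet check: placeholder host names, replace with your own inventory.
$Hosts  = @('WORKSTATION-01', 'WORKSTATION-02')
$report = Invoke-Command -ComputerName $Hosts -ScriptBlock ${function:Test-SkypePolicy} `
                         -ArgumentList $PolicyKey, $Expected
$report | Format-Table Host, KeyPresent, DisableApi, DisableFileTransfer -AutoSize

# Anything listed here has lost (or never had) the policy and needs attention.
$report | Where-Object { -not $_.DisableApiCompliant -or -not $_.DisableFileTransferCompliant } |
          Select-Object Host, DisableApi, DisableFileTransfer
```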
In my testing, I specifically went to a series of machines that didn't have admin rights. In every case, Skype worked just fine, through a security layer that arguably should have prevented it. The corporate enterprise security perimeter can easily be circumvented by a user. The user needn't be technical or understand security. They don't even have to know they're breaching the perimeter and creating a threat vector. They can blithely just do this for convenience and not recognize that corporate policy might disallow this.
The Skype user community is a very helpful lot. One resource I read is the Skype Journal. Phil Wolff is the executive editor. Here's an example of a recent thread -
"My company has blocked the use of Skype"
A letter from a concerned reader:
Hi. My company has blocked the use of Skype on our company computer network (because of pressure from the national phone company here). When I try to launch Skype, a message pops up saying "This application has been blocked!" Is it possible to avoid this block? Can Skype be used through a website or does the application actually need to be launched? Are there other VOIP or telephony programs which work from websites or otherwise don't need a separate application to be launched on the PC?
One at a time:
Is it possible to avoid this block?
Your employer is locking down your computer, so you are in a tough spot. It's not likely that you can get around it without creating problems for yourself.
If USB ports aren't locked down, it is possible to get a version of Skype configured to run on some USB sticks. Since none of the data lives on your company PC's hard drive, it may be able to run.
That's not the same, of course, as being authorized or permitted to use Skype.
Can Skype be used through a website or does the application actually need to be launched?
Are there other VOIP or telephony programs which work from websites or otherwise don't need a separate application to be launched on the PC?
You must run Skype locally.
Some companies are working on browser-only apps, but we haven't reviewed them and we're not ready to recommend one to you. This could change.
What is your company's Skype employee policy? Skype me if you'd like help walking through the process.
Wearing my corporate security hat, here's what I read in Phil's response. He acknowledges that the user doesn't have permission to use Skype, then explains how that user might successfully violate company policy. A more measured approach might have been to encourage complying with the employer's policies rather than suggesting ways to violate them. From a security manager's standpoint, Phil has encouraged someone's employee to dig further into violating a company policy, and suggested they Skype him for more details. The user said that Skype is disallowed because of some pressure from the phone company, but there may be other reasons that the user doesn't understand, like security of the network. How many enterprises deploy a blocking technology like what was described at the request of their telco?
Clearly peer-to-peer technologies are a future tool we'll embrace in corporate enterprise networks. But that's the future. Today they're a threat vector for possible covert channels into our proprietary and sensitive corporate data. Skype isn't a direct threat, but it's a tool that, used improperly or directly attacked, could be leveraged as ingress to the corporate network.
Some companies have mature and stringent policies around technologies like this. Many do not. Some enterprises have established a corporate culture wherein the stewardship of protecting corporate resources is deeply ingrained in all staff. Many do not. Many security policies are written with an eye on today, but not rewritten regularly as technologies advance, hence weak in language.
Technology alone is not sufficient protection. Policy alone is not sufficient protection. A combination of technology, policy and socialization across the enterprise of doing the right, smart thing within the scope of corporate policies is the only solution. The universe of corporate enterprise covers a broad spectrum. Employees all over are violating the spirit of the policy in countless organizations because it isn't a clear, well-understood part of the corporate culture. And somewhere, someone's going to get fired for violating policy by simply doing something they think makes their life easier. I personally know of several environments where it could happen today. And by several, I mean more than a dozen enterprise organizations where I know this problem exists right now.
Fortunately, to date, Skype hasn't been the prime attack vector for bots and such. That's today. Given that on any given business day there are easily over six million users online on Skype, I suspect that could change with little warning. Are you willing to bet the security of your enterprise on it?
As an active Skype user and security architect all rolled in one, this is one of myriad issues I lose sleep over. And Skype is simply what we face today. Peer-to-peer technologies overall must come together with enterprise security designers in order to find a secure and acceptable method for embracing P2P technologies in the future.
Technorati Tags: VoIP, Skype, VoIP security, VoIPsec, attack vector, security policy, corporate culture, peer-to-peer, P2P