To Skype or Not to Skype…

November 30th, 2006

So I’m a happy Skype user. I can answer my “phone” anywhere in the Internet-connected world. I can get a phone number in New York City, Chicago, Los Angeles, or a foreign country. There is call forwarding, video calls, voicemail, instant messaging, SMS messaging, file transfers, conference calls, and for a limited time I can call traditional phones in the US and Canada for free. It can be integrated into my web browser and email reader for a more seamless workflow. I can buy the amount of credit I need instead of being shocked when a big bill arrives. What’s not to like about that?

There’s this ugly black office phone on the desk and I can’t remember when I used it last. I believe my organization pays more than $50 a month (not counting long distance) for the privilege of having a phone that I don’t use that much. Glad I don’t pay that bill. What a waste of money!

I know a few businesses and organizations that have switched from traditional land line phones to VoIP solutions. They save a ton of money on telecommunications. Cool. (Now, if only I could talk my wife into disconnecting our home phone in favor of Skype or Vonage.)

Businesses Have Significant Telephony Investment

So, who’s not happy about Skype? Well, most established businesses are not. Why not? Well, to start, most have made a significant investment in their telecommunication infrastructure. Remember, this includes private branch exchange (PBX) systems, voicemail systems, conference room audio systems, proprietary video conference equipment, telephone wiring, telephones, headsets, speakerphones, telephone operators, call center equipment, printed and online telephone directories, local and long distance contracts, conference calling contracts, and long-term support contracts. That’s a huge investment to just throw out and replace with a new technology. It will happen, just not overnight.

Let’s take my employer, Purdue University, as an example of an organization with a large telecommunications system. We have approximately 11,000 telephones for faculty and staff members, maybe 5,200 phones for students in campus housing, 200 emergency call boxes, perhaps 300 public telephones for campus and local calls, and an entire telecommunications building full of wiring and PBX and voicemail systems that is less than ten years old. What does something like that cost? According to the FY2007 budget (PDF), it’s over ten million dollars. That’s just the operating budget. It doesn’t represent the total amount invested.

Skype Causes Concern For Security Professionals

Technology obsolescence issues aside, the most interesting discussions are in the information security community. To most security managers and executives, Skype is a tool to bypass established security controls, compromise the integrity of the network, impact availability, and violate security policy. The Skype service operates without the central control of the organization. Any employee can download and use the software, even on protected corporate networks. Skype uses network protocols and ports that are normally allowed through corporate firewalls (i.e., HTTP and HTTPS), so a simple port-based rule does not stop it. While blocking Skype usage at the firewall is possible, not all products have this capability. File transfers are particularly troublesome. Users can receive files from outside the organization. These files could be malware, and when launched or opened could attack and compromise systems inside the organization. Employees could also use Skype to transfer sensitive information outside the organization to unauthorized individuals. There is no way to monitor the content of these transfers because the Skype sessions are encrypted. Also, the network bandwidth required to support voice conversations is significant and costly. The amount of traffic generated in Skype sessions can decrease network performance and possibly impact availability. Finally, in the U.S. we have several laws and regulations that require recording and logging of communications. While there is potential for third-party solutions using Skype’s API, there is nothing in this space yet. All of these aspects of Skype can impact an organization in negative ways.

Skype Seems To Be Serious About Security

There have been several independent reviews of Skype and its protocols. Tom Berson of Anagram Laboratories was invited by Skype to take an internal look at the design, code, encryption, and protocols used by Skype. His report (PDF) pointed out a few minor issues that most likely have been corrected by now. On the whole, though, he did not find any significant issues or backdoors, and he praised the designers. The primary issue I have with the report is that it seems a bit biased, as Dr. Berson is also a happy Skype user. His enthusiasm shows in the report. Other reviews have examined the Skype network protocols and the executable code. Vulnerabilities in Skype have been and will be discovered. The company seems to be quick in evaluating and responding to these issues as they arise. In response to customer concerns about security, Skype has produced a guide (PDF) for network administrators which I encourage everyone to read.

So, What’s An Organization To Do?

Here I’ll present two black-or-white options. One is to block Skype; the other is to allow it. There are obviously shades of gray here that smart organizations need to use in the transition from one point to another. In either case, the key is to plan ahead. Neither solution will be successful without planning.

Option A: Block Skype

Some organizations need to prevent Skype usage. There could be several stated reasons for such an action. However, the right answer is that Skype poses a significant risk to the organization and its use must be prevented to mitigate that risk. An organization should update its policy or policies to state this, inform and educate its IT users, and use appropriate technologies to monitor for and to block Skype usage.

Here are some excerpts from a sample Skype policy:

“Users must not download, install, or use the Skype Program on any Corporation XYZ Computing Systems or Portable Storage Devices. Violations of this policy can result in revocation or limitation of access to IT Resources, disciplinary action, or dismissal.”

“Network and Security Administrators must configure all border Firewalls, Routers, and/or Gateways to block Skype network traffic. All Skype connection attempts must be logged.”

“The IT Security Director will review and evaluate all Skype connection attempt log entries and submit a summary report to the Chief Security Officer at the monthly IT Security Review meeting.”

“The Chief Security Officer and the Human Resources Director will determine the appropriate disciplinary action that must be taken.”

What’s not included here in the excerpts is the reasoning behind the policy. If the organization has the right culture of understanding the need to protect information and resources, then this is an easier task. The “Reason for Policy” section should be a simple statement of the risks inherent in the application. If the organizational culture can see the risks, then there is no big deal. Sure, there will be push back. That happens anytime policies are created.

If, however, the organizational culture does not share the same interest in protecting information and resources, then there is going to be trouble. Users will most likely attempt to use Skype anyway and will find ways around the blocks. If this sounds like your organization, then might I suggest you pull out those plans for an information security awareness and training program you’ve been saving for a rainy day and get to work. (That’s a joke, since I know how hard that job is.)
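The logging and review steps in the blocking policy above (log every Skype connection attempt, then have the IT Security Director summarize the entries for the monthly IT Security Review) can be turned into a small report generator. This is an added example, not code from the original post; it assumes a constructed key=value firewall log format in which the border firewall labels blocked flows with app=skype.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample border-firewall log (not real data). Assumption: the firewall
# labels flows by application ("app=skype"), so blocked Skype attempts are logged
# as the policy requires. Note the attempts on tcp/443 and tcp/80, the ports the
# article says Skype shares with ordinary web traffic.
SAMPLE_LOG = """\
2006-11-01T09:12:44 action=deny app=skype src=10.1.4.23 dst=203.0.113.7 dport=443 proto=tcp
2006-11-01T09:12:51 action=deny app=skype src=10.1.4.23 dst=203.0.113.7 dport=80 proto=tcp
2006-11-01T10:02:13 action=allow app=web src=10.1.4.23 dst=198.51.100.9 dport=443 proto=tcp
2006-11-03T14:30:00 action=deny app=skype src=10.1.7.88 dst=203.0.113.44 dport=33033 proto=udp
2006-11-15T08:01:19 action=deny app=skype src=10.1.4.23 dst=203.0.113.12 dport=443 proto=tcp
this line is malformed and must be skipped rather than crash the report
2006-12-02T11:00:00 action=deny app=skype src=10.1.9.5 dst=203.0.113.7 dport=443 proto=tcp
"""


def parse_line(line):
    """Return (timestamp, fields) for an 'ISO-TS key=value ...' line, else None."""
    parts = line.split()
    if len(parts) < 2 or not all("=" in p for p in parts[1:]):
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, dict(p.split("=", 1) for p in parts[1:])


def summarize_skype_attempts(log_text, month):
    """Per internal host: count, first/last time and ports of blocked Skype
    attempts within one month given as 'YYYY-MM' (the policy's review period)."""
    per_host = defaultdict(lambda: {"attempts": 0, "first": None, "last": None, "ports": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines; a production report should count them too
        ts, f = parsed
        if f.get("action") != "deny" or f.get("app") != "skype":
            continue
        if ts.strftime("%Y-%m") != month:
            continue
        rec = per_host[f["src"]]
        rec["attempts"] += 1
        rec["first"] = min(ts, rec["first"] or ts)
        rec["last"] = max(ts, rec["last"] or ts)
        rec["ports"].add(f"{f['proto']}/{f['dport']}")
    return dict(per_host)
```

The resulting per-host counts are what the monthly summary report would list; repeated attempts from one host are the signal for the follow-up the policy assigns to the CSO and HR.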

In terms of methods and technologies to block Skype usage, here are some resources with good information:

Option B: Allow Skype

Some organizations may want or need to allow Skype usage within their organization. It may be a cost-cutting measure, it could be a way to collaborate with distant colleagues, or it’s just too cool to pass up. Whatever the reason, it must be done in the right way to limit the risks. Even though Skype is to be allowed, a policy is needed to outline the ways in which it must be used. Guidelines are needed to help administrators and users configure it correctly to be in compliance with the policy. Finally, some additional network equipment may be needed to address network capacity and performance issues.

Here are some excerpts from a sample Skype policy:

“Users can install, configure, and use the Skype Program and Service only for business-related purposes. The Skype Program must be configured according to the established security standard, the Skype Configuration Guideline. Use of the Skype Service must be in compliance with Corporation XYZ’s established policies. No personal uses are allowed.”

–or–

“A designated network or system administrator must install and configure the Skype Program according to the established security standard, the Skype Configuration Guideline. Use of the Skype Service must be in compliance with Corporation XYZ’s established policies. No personal uses are allowed.”

“Users must not accept file transfers from unknown parties. The Computing System must be configured to scan all received files for viruses.”

“Users must not send Corporation XYZ sensitive files to unauthorized parties.”

“Should an excessive amount of network resources be consumed by Skype on a particular Computing System, the user will be asked to discontinue use and remove Skype from the system. If the user is unavailable, the system will be disconnected from the network.”

Here the statements allow the users to use Skype, but some restrictions and reminders are made to protect information and resources. Personally, I feel this is the best approach in writing policies like this. Allow use and establish parameters for that use.

A configuration guideline should also be written for users and administrators. The user guideline should be tailored for the user installation and configuration and reference the Skype policy as justification for the settings. Ideally, it should also cover issues of privacy, sharing contact information, preventing SPAM and SPIT (SPAM over IP telephony), and protecting passwords. The network and system administrator guideline should delve into the technical details of configuration options, setting Group Policy in Active Directory, Skype SuperNode prevention, and quality of service issues. The Skype Guide for Network Administrators (PDF) is a good document for determining what needs to be in the administrator configuration guideline.

…That Is The Question…

So, can an organization use Skype without jeopardizing its information and resources? For each organization the answer is different. Proper risk management is needed. Some organizations may determine that the service provides a benefit and will mitigate some amount of risk and tolerate the rest. Others may decide that the costs are too high for a low benefit and avoid the risk completely. Either way, successful security programs require the right balance of people, process, and technology.

When pondering these issues and trying to come to a decision, think about this: Is allowing Skype more risky than allowing the use of web browsers? Has your organization developed a risk management plan for web browsing? Instant messaging? Collaboration tools? Web-based applications? If not, the foundation for adequate risk management is not part of your corporate culture. Perhaps the fundamental issues must be addressed first before tackling Skype usage.

9 Comments

  1. Trackback by University Update on November 30, 2006 2:07 am

    To Skype or Not to Skype - A look at IM security...

    ...

  2. Comment by Infosecuritylab on December 7, 2006 3:11 am

    Skype usage has two sides, positive and negative, but I think it is better to use Skype only for personal needs, because in an organization’s daily work it can create more threats!
    Information security awareness training: Infosecuritylab http://www.infosecuritylab.com

  3. Comment by ben on December 7, 2006 5:28 am

    There is also a phone service that will E-Mail you your voicemail. Check it out at www.gotvoice.com.

  4. Pingback by Skype Worm Downgraded » Hack Report on December 21, 2006 12:31 am

    [...] Also check the Hack Report article “To Skype or not to Skype…” [...]

  5. Comment by David Jaeger on March 11, 2007 9:43 pm

    I have gone through the above article and it is interesting, and I appreciate the author. I too have a related link to refer to for more information, and I feel it will be helpful to you: voip guide

  6. Comment by Cristy Woodson on March 21, 2007 8:51 am

    Hm, this sounds like an interesting program. How would I be able to get this thing onto my computer?

  7. Comment by vic on March 25, 2007 12:56 am

    Skype is a great program. They're sort of the posterboy for VoIP along with Vonage. The only thing is that I think they're mostly suited for private use, instead of corporate use. I know that there's a business Skype, but a lot of people don't think Skype would be suitable for business. Reasons being security, etc, etc.

    http://nationwidevpn.com

  8. Comment by Pete on May 29, 2007 12:08 am

    My experience with only 90 users on our network: you can educate, you can write policies, but at the end of the day the ones that don’t care will still swap files etc., etc. They just do not care. It isn’t their back yard they are shitting in.

  9. Comment by john on November 14, 2007 1:20 am

    Skype! It is a great tool for businesses and very convenient. It’s VoIP at its finest (except for the security issues). http://best-t1-line.com
