SecureState was recently asked if using Skype within a business environment for very specific cases was a good idea. The company asking the question was unsure of the security implications and what risk would be introduced by implementing the Skype application.
Concerns over security and privacy have existed ever since Skype was launched over eight years ago. What is the consensus now regarding data protection when using Skype in the enterprise?
Multipleresearchers have performed analysis on the Skype application. It has proven to be difficult to analyze due to a number of deliberate measures put in place to prevent viewing the underlying actions of the software. These countermeasures include packing of the binary, polymorphic integrity checks, checks/traps for debuggers, and obfuscation of code and network traffic. This makes it difficult to fully determine if there are backdoors or hidden features as mentioned by security researchers Biondi and Desclaux. The main takeaway from their research is that the cryptography employed is actually done well, but the application still is mostly a black box.
Putting Risk in Context
Beside the fact that it’s possible to have a bit more confidence in how Skype traffic is encrypted, is there enough information now to make a fully-formed risk decision on whether or not to use Skype yet? It doesn’t really sound like it, but as in many decisions like this it’s useful to step back and evaluate the fuller picture in the context of your existing operations.
For example, how are you communicating today in your organization? If you are making calls which route across a PSTN (Public Switched Telephone Network) then you are already putting your conversations into the hands of service providers, governments, and whoever else may have physical access to the lines. Perhaps you think you’re safe because you’re purely digital, and you route VOIP calls across an MPLS VPN to your remote offices. However, yet again trust has been placed in an unknown entity: that service provider’s network, operations, and controls (or lack of).
Looking at another example, do you permit employees to dial in to conference bridges from their home phones or personal cell phones? Do your employees ever use their cell phones in a public location such as a crowded bus on their way to work? You may be laughing or scoffing, but such lax data security practices have occurred more times than you’d care to think about.
Risks of Data Leakage
In terms of tightening data protection to reduce the risk of direct data leakage, this boils down to establishing data classification and data handling procedures and policy, and indoctrinating employees in that policy. Skype traffic should be treated as a public entity or third-party service provider. Usage of the service and the type of data or information which passes through the Skype network should then map to your data handling procedures accordingly.
Because Skype traffic is heavily obfuscated and encrypted, it is an excellent method for data exfiltration. Without the option of a corporate key escrow solution bolted in to Skype, an organization is completely blind to data leaving its network via the Skype protocol. For employees who have access to certain classes of data, the decision to permit the use of Skype on their devices should be weighed in light of this important point.
Another factor to consider is that you now have another piece of software deployed that needs to be managed and updated. Many organizations already have a hard enough time keeping up with patch management for major components such as operating systems, browsers, and browser plug-ins. The introduction of additional software increases the operational burden as well as the surface area which can be attacked. In fact, while much of Skype’s traffic is encrypted, traffic which contains advertisements is not, making it prone to injection of malicious data. Before permitting Skype software to be installed, work with the team who manages desktop software to make sure they have an established process for the following activities: deploying software in a preconfigured manner, tracking software updates, and pushing out updated versions upon release.
As with all risk decisions, there is no black and white answer that is universal to every organization regarding Skype. SecureState’s best security advice for implementing Skype in the enterprise begins with classifying your data and establishing a policy on how to handle that data to protect it appropriately. Once that is in place, an organization needs to foster awareness of their data catalog, and provide specific guidance to employees for the areas of the data catalog they use in their daily operations.