To Skype or Not to Skype: that shouldn’t be the question!

By Dan Hadaway | Friday, January 14, 2011

Instead, as always, the question should be:

Is Risk Mitigation < ROI?

Put another way: “what risk is there in using Skype, and does the cost of mitigation outweigh the projected ROI of the technology?” Put mathematically, ROI = Benefits minus Cost. But what we need to do is factor risk mitigation into the cost.

In other words, are all the policies, procedures, configuration changes, enforcement controls, and misunderstandings-over-all-of-the-above going to add up to less than the savings we get by using Skype instead of some other video conferencing solution?

Skype is like Facebook.  We security professionals start out frowning on its use.  But this time, darn it, I want to get out ahead of it.  So look for me to dive further into the controls that we can put into place in order to mitigate the risk of using Skype.

First, let’s just review the benefits.  And before we review the benefits, let’s talk a bit about need.  That’s the real question:  do you need the benefits?  See, with Skype, we can all video conference without spending a lot of money.   The Jetsons have landed.

And we already have the prerequisites.  Most of what we need for Skype is already available to us on our laptops, including the little circle at the top of the display that we call “the webcam.”  Heck, those of us with Smart Phones don’t even need a laptop to Skype.  Instead of placing a cell call to a client, for example, I could Skype with that client.  That way the client can see me, and I the client.  I guess the benefit in that is my good looks, and the body language of the client when I tell the client how much the next phase of the gizmo project is going to cost.

Remember, the quality of Skype is a bit shaky, especially if you’re running it on a slower broadband connection. In my brief experience with it (see below), I was running it on a T-1 at my house. And the other end wasn’t too shabby a connection either. But the picture was still “a bit choppy.” So I’m proposing that a given parameter in your pending “Skype Program” is that you will only use it for internal communications, and not for communicating with your customers.

I know, I have a bad attitude about the benefits of seeing people.  That could be due to the fact that my company has successfully implemented a true virtual office for seven years now, and not once did we use the webcams we all thought about buying in 2003.  Even now, when we all have the webcams built into our laptops and cellphones, I simply don’t need to see the look on somebody’s face when I tell them that good or bad piece of news.

So what are those risks? Well, off the top of my head, I see the Skype risk-profile as a blend of e-mail and chat rooms. In other words, all the vulnerabilities inherent in e-mail (malware, spoofing, links-out-to-bad-places, etc.) coupled with the security vulnerabilities of chat (the ports you have to leave open on your firewall, man-in-the-middle attacks, illegitimate uses, etc.) apply. When my daughter visited Japan for a summer two years ago, we found Skype to be a miracle. Since she had the world-renowned Japanese broadband connection, and we had a T-1, and we didn’t want to purchase a cell phone we couldn’t read, Skype was a no-brainer. As I wrote above, the quality was a bit choppy, but it was great to see our daughter every day!

And there was a true need!  Was she okay?  Was she healthy?  Was she hung over???  These are questions that only a visual check would completely answer.  So though the video was choppy, the pictures were indeed worth a thousand words.  (Especially when she was half-awake!)

We set it up on my wife’s home computer (because we didn’t want to introduce risk into my laptop).  And sure enough, soon after installation my wife (Stacey) was being “hit on” by Skypers all over the world.  Skype-spammers, skype-lurkers, and skype-seximos came out of the woodwork.

However, take heart!  Stacey simply ignored all requests, except our daughter’s.  And every night at six o’clock we got to see what our daughter looked like at 7:00am in Japan.  It was cool!

So how do you mitigate those Skype risks?  Probably the same way you mitigate risks inherent in e-mail and chat.  I say probably because I haven’t had time to put too much thought into this, and I want to get this article out today, so that you all know I’m working on it.

But think about e-mail. How do we mitigate risks associated with e-mail? We have spam filters, anti-virus systems that scan incoming e-mails, content filters on outgoing e-mails (so people won’t send sensitive information outside the domain). We have policies about the use of e-mail, and our awareness training spends a lot of time on e-mail vulnerabilities and those policies (and just ignore the spam and don’t believe the scams). We tell people to “just delete it” on spam. We spend money executing phishing tests to make sure our employees get it on the warnings about spoofing. And we accept that there is a certain amount of risk we simply can’t mitigate. And we clean viruses off of workstations. And we deal with upset employees because their e-mail didn’t go through to that Hotmail account.

How do we mitigate risk with chat rooms?  Well, most of us prohibit them.  But if we do allow them for certain purposes, we make sure that the clients are configured to send chat messages encrypted.  Then we develop policies, spend time training, and ultimately we accept that there is a certain amount of risk we simply are not going to be able to mitigate.

But with Skype, there are some other considerations. For one, Skype software generates continuous background traffic once users have signed in to the application. This traffic is easily confused with malicious patterns and thus interferes with some Intrusion Detection Systems, generating that many more “false positives” that may need to be investigated. Meanwhile, whenever a security investigation is necessary, the investigator will need to wade through the Skype noise.

So you do the math.  Do you want to add all that risk-mitigation overhead to use Skype?  Is the advantage of being able to see the person you’re talking to worth all the new policies, procedures, configurations, and headaches?  Body language is a good part of our communication.  So though I have knocked it, that’s just me.  And again, when I used it we really DID need to see.  So the real question is, do you want to see your co-workers on a snowy day?

And . . . . if your answer is yes, please contact me.  I want to talk to you about a policy development engagement!

————————-

Dan Hadaway CRISC, CISA, CISM
Founder and President, Infotex

————————-

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”

One Response to “To Skype or Not to Skype: that shouldn’t be the question!”

Comment from Fannie
Time 02/04/2013 at 11:23 pm

It’s actually a nice and helpful piece of information. I am happy that you just shared this helpful info with us. Please keep us informed like this. Thank you for sharing.
