
To Skype or Not to Skype: that shouldn’t be the question!

By Dan Hadaway | Friday, January 14, 2011 - One Comment

Instead, as always, the question should be:

Is Risk Mitigation < ROI?

Put another way: “What risk is there in using Skype, and does the cost of mitigating it outweigh the projected ROI of the technology?” Put mathematically, ROI = Benefits minus Cost. But what we need to do is factor risk mitigation into the cost.

In other words, are all the policies, procedures, configuration changes, enforcement controls, and misunderstandings-over-all-of-the-above going to add up to less than the savings we get by using Skype instead of some other video conferencing solution?


Skype is like Facebook.  We security professionals start out frowning on its use.  But this time, darn it, I want to get out ahead of it.  So look for me to dive further into the controls that we can put into place in order to mitigate the risk of using Skype.

First, let’s just review the benefits.  And before we review the benefits, let’s talk a bit about need.  That’s the real question:  do you need the benefits?  See, with Skype, we can all video conference without spending a lot of money.   The Jetsons have landed.

And we already have the prerequisites.  Most of what we need for Skype is already available to us on our laptops, including the little circle at the top of the display that we call “the webcam.”  Heck, those of us with Smart Phones don’t even need a laptop to Skype.  Instead of placing a cell call to a client, for example, I could Skype with that client.  That way the client can see me, and I the client.  I guess the benefit in that is my good looks, and the body language of the client when I tell the client how much the next phase of the gizmo project is going to cost.

Remember, the quality of Skype is a bit shaky, especially if you’re running it on a slower broadband connection. In my brief experience with it (see below), I was running it on a T-1 at my house. And the other end wasn’t too shabby a connection either. But the picture was still “a bit choppy.” So I’m proposing that one parameter in your pending “Skype Program” is that you will only use it for internal communications, and not for communicating with your customers.

I know, I have a bad attitude about the benefits of seeing people.  That could be due to the fact that my company has successfully implemented a true virtual office for seven years now, and not once did we use the webcams we all thought about buying in 2003.  Even now, when we all have the webcams built into our laptops and cellphones, I simply don’t need to see the look on somebody’s face when I tell them that good or bad piece of news.

So what are those risks? Well, off the top of my head, I see the Skype risk-profile as a blend of e-mail and chat rooms. In other words, all the vulnerabilities inherent with e-mail (malware, spoofing, links-out-to-bad-places, etc.) coupled with the security vulnerabilities of chat (the ports you have to leave open on your firewall, man-in-the-middle attacks, illegitimate uses, etc.) apply. When my daughter visited Japan for a summer two years ago, we found Skype to be a miracle. Since she had the world-renowned Japanese broadband connection, and we had a T-1, and we didn’t want to purchase a cell phone we couldn’t read, Skype was a no-brainer. As I wrote above, the quality was a bit choppy, but it was great to see our daughter every day!

And there was a true need!  Was she okay?  Was she healthy?  Was she hung over???  These are questions that only a visual check would completely answer.  So though the video was choppy, the pictures were indeed worth a thousand words.  (Especially when she was half-awake!)

We set it up on my wife’s home computer (because we didn’t want to introduce risk into my laptop).  And sure enough, soon after installation my wife (Stacey) was being “hit on” by Skypers all over the world.  Skype-spammers, skype-lurkers, and skype-seximos came out of the woodwork.

However, take heart!  Stacey simply ignored all requests, except our daughter’s.  And every night at six o’clock we got to see what our daughter looked like at 7:00am in Japan.  It was cool!

So how do you mitigate those Skype risks?  Probably the same way you mitigate risks inherent in e-mail and chat.  I say probably because I haven’t had time to put too much thought into this, and I want to get this article out today, so that you all know I’m working on it.

But think about e-mail.  How do we mitigate risks associated with e-mail?  We have spam filters, anti-virus systems that scan incoming e-mails, content filters on outgoing e-mails (so people won’t send sensitive information outside the domain).  We have policies about the use of e-mail, and our awareness training spends a lot of time on e-mail vulnerabilities and those policies (and just ignore the spam and don’t believe the scams).  We tell people to “just delete it” on spam.  We spend money executing phishing tests to make sure our employees get it on the warnings about spoofing.  And we accept that there is a certain amount of risk we simply can’t mitigate.  And we clean viruses off of workstations.  And we deal with upset employees because their email didn’t go through to that Hotmail account.

How do we mitigate risk with chat rooms?  Well, most of us prohibit them.  But if we do allow them for certain purposes, we make sure that the clients are configured to send chat messages encrypted.  Then we develop policies, spend time training, and ultimately we accept that there is a certain amount of risk we simply are not going to be able to mitigate.

But with Skype, there are some other considerations.   For one, Skype software generates continuous background traffic once users have signed in to the application.  This traffic is easily confused with malicious patterns and thus interferes with some Intrusion Detection Systems, generating that many more “false positives” that may need to be investigated.  Meanwhile, whenever a security investigation is necessary, the investigator will need to wade through the Skype noise.
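One practical way to keep that Skype noise from burying real alerts, as an added example that is not part of the original post: tag alerts as “known Skype background traffic” only when the source is a workstation you have approved for Skype, the destination port is one you have observed the client using, and the signature is one you have already validated as firing on that traffic. Everything else, including any exploit-class alert from a Skype host, stays in the investigation queue, and the suppressed alerts are retained rather than dropped so an investigator can still review them. The host list, ports, signature IDs and Snort-style alert lines below are all constructed placeholders for this illustration, not Skype’s actual configuration or any real IDS rule set.

```python
"""
Added example (not from the original post): triage a batch of IDS alert
lines and set aside the ones explainable as Skype background traffic,
while keeping a record so an investigator can still review them.
All hostnames, ports, signature IDs and alert lines are constructed.
"""
import re
from collections import Counter

# Assumption: the organisation knows which workstations are approved to
# run Skype and which destination ports the client uses on its network.
# These values are placeholders, not Skype's real configuration.
SKYPE_ENABLED_HOSTS = {"10.0.5.21", "10.0.5.34"}
SKYPE_PORTS = {443, 33033}

# Signatures previously validated as firing on ordinary Skype traffic in
# this hypothetical environment; no other signature is ever suppressed.
SKYPE_NOISE_SIDS = {"1:1000001:1", "1:1000002:1"}

# Constructed sample of Snort-style "fast" alert lines.
SAMPLE_ALERTS = """\
01/14-09:01:02.000000 [**] [1:1000001:1] POLICY P2P keepalive-like beacon [**] {UDP} 10.0.5.21:51234 -> 198.51.100.7:33033
01/14-09:01:03.000000 [**] [1:1000001:1] POLICY P2P keepalive-like beacon [**] {UDP} 10.0.5.21:51234 -> 198.51.100.8:33033
01/14-09:01:05.000000 [**] [1:1000002:1] MALWARE-CNC periodic beacon [**] {TCP} 10.0.5.34:50022 -> 203.0.113.9:443
01/14-09:01:07.000000 [**] [1:1000002:1] MALWARE-CNC periodic beacon [**] {TCP} 10.0.7.12:50023 -> 203.0.113.9:443
01/14-09:01:09.000000 [**] [1:1000003:1] INDICATOR-SHELLCODE possible exploit [**] {TCP} 10.0.5.21:50100 -> 203.0.113.20:8080
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.+?) \[\*\*\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alert(line):
    """Parse one fast-format alert line into a dict, or None if malformed."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert["sport"] = int(alert["sport"])
    alert["dport"] = int(alert["dport"])
    return alert


def is_skype_noise(alert):
    """Suppress only when all three conditions hold: approved source host,
    expected destination port, and a signature already validated as Skype
    noise. An exploit-class alert from a Skype host is never suppressed."""
    return (alert["src"] in SKYPE_ENABLED_HOSTS
            and alert["dport"] in SKYPE_PORTS
            and alert["sid"] in SKYPE_NOISE_SIDS)


def triage(text):
    """Split alert text into (to_investigate, suppressed). Suppressed
    alerts are kept, not discarded, so they remain reviewable."""
    investigate, suppressed = [], []
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue  # skip unparsable lines rather than guessing
        (suppressed if is_skype_noise(alert) else investigate).append(alert)
    return investigate, suppressed


def summary(text):
    """Counts an analyst can sanity-check before trusting the suppression."""
    investigate, suppressed = triage(text)
    return {
        "investigate": len(investigate),
        "suppressed": len(suppressed),
        "suppressed_by_host": dict(Counter(a["src"] for a in suppressed)),
    }


if __name__ == "__main__":
    investigate, suppressed = triage(SAMPLE_ALERTS)
    print(f"{len(suppressed)} alerts tagged as Skype noise, "
          f"{len(investigate)} left to investigate")
    for a in investigate:
        print(" ", a["src"], "->", f'{a["dst"]}:{a["dport"]}', a["msg"])
```

The per-host counts in `summary` are the check worth running periodically: if a “Skype-enabled” host suddenly accounts for far more suppressed alerts than its peers, the suppression rule is hiding something rather than filtering noise, and that host belongs back in the investigation queue.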

So you do the math.  Do you want to add all that risk-mitigation overhead to use Skype?  Is the advantage of being able to see the person you’re talking to worth all the new policies, procedures, configurations, and headaches?  Body language is a good part of our communication.  So though I have knocked it, that’s just me.  And again, when I used it we really DID need to see.  So the real question is, do you want to see your co-workers on a snowy day?

And . . . . if your answer is yes, please contact me.  I want to talk to you about a policy development engagement!

————————-

Dan Hadaway CRISC, CISA, CISM
Founder and President, Infotex

————————-

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”

One Response to “To Skype or Not to Skype: that shouldn’t be the question!”

Comment from Fannie
Time 02/04/2013 at 11:23 pm

It’s actually a nice and helpful piece of information. I am happy that you just shared this helpful info with us. Please keep us informed like this. Thank you for sharing.
