Gartner: Firms must act now to fight Skype security threat

I get a lot of news items from different sources and follow a lot of web sites pertaining to security issues in addition to all the VoIP and unified communications topics of interest. This was of particular interest because it appears that, in addition to widespread concern about Skype security in corporate networks, Gartner has come out posing Skype as a security threat.

May 30, VNUNet — Gartner: Firms must act now to fight Skype security threat. Companies should “act now” to combat the growing security threat posed by Skype and other voice over IP telephony services, industry experts warned Tuesday, May 30. Analyst firm Gartner said that the latest vulnerability in the Skype for Windows client highlights the risk of using the application in enterprises. Lawrence Orans, a research director at Gartner, warned that, because the Skype client is a free download, most businesses have no idea how many Skype clients are installed on their systems nor how much Skype traffic passes through their networks. According to Gartner, businesses must assess the risks of using Skype for enterprise telephony and “take appropriate action.”
Referenced Skype vulnerability: http://www.skype.com/security/skype-sb-2006-001.html
Source: http://www.vnunet.com/vnunet/news/2157124/firms-act-fight-skype-security


No Responses to “Gartner: Firms must act now to fight Skype security threat”

  1. June 1st, 2006 | 7:47 am

    Well, they have a point, but competent IT staff set up their networks and workstations so that non-IT staff do not have install privileges.

  2. Ken
    June 1st, 2006 | 8:19 am

    Doug,

    While I agree in principle, I can think of two scenarios where even this may not be a solution. Many organizations, and I’m thinking of large entities, operate in an environment where the IT security staff may not have that level of control. A federated environment made up of autonomous IT shops is pretty common in government. Protecting the larger network, where user groups are much like ISP “customers”, is far more challenging.

    My favored reaction to this problem is to implement some sort of network admission control that doesn’t allow users network access if “Program X” is installed. Skype on a stick has recently raised what appears to be a work-around that would still let users run the program. I found a Skype wrapper that doesn’t require install privileges for the end user and allows Skype to run from the workstation from a USB drive anyway.

    You’re absolutely right in that a well-run IT shop can eliminate many of the types of hazards, but sometimes I wonder just how effective we can be when the software/service vendor provides tools that enable any user to easily circumvent policy and network security mechanisms. And they do so in a fashion that doesn’t ever make users aware they might be doing so.

    I think the biggest single factor to controlling this sort of activity is still user training and socialization. It takes time to build a corporate culture that actively promotes thoughtful security mechanisms.
