topic Re: Free version of Skype use on Corporate Network. Thoughts or Concerns in Industry News

Free version of Skype use on Corporate Network. Thoughts or Concerns

bspicer — Fri, 30 Mar 2018 16:12:36 GMT

Hello everyone, I wanted to see what members thought about companies allowing the free version of Skype on their corporate network. I have been asked about this many times and have seen this as well. There seems to be many different opinions on this.

After reviewing a couple of studies and reading many security articles related to free Skype on a corporate network, there have been vulnerabilities and there will be more in the future but many of these are no different than the vulnerabilities we have with our browsers, Adobe, Flash and Java. As long as versions are kept current those risks should be low.

The main disadvantage of allowing free Skype our network is lack of control and loss of information. Then again is this really any different than allowing users to access social media or personal webmail?

I usually suggest free Skype is a bad idea on a corporate network but my latest research has me questioning myself.

Thoughts?

Re: Free version of Skype use on Corporate Network. Thoughts or Concerns

Baechle — Fri, 30 Mar 2018 18:38:04 GMT

Bill,

I think that you need to go through the motions of a risk assessment. The way that you referred to using other Internet applications on organization resources makes me think that this was trivialized in the past.

Allowing each individual application in a vacuum may seem insignificant. As you permit access you are making actual changes to your security posture that may be imperceptible to you, but not necessarily to an adversary (inside or outside). The aggregate of all vulnerabilities in your enterprise may make you considerably more at risk than you think.

Sincerely,

Eric B.

Re: Free version of Skype use on Corporate Network. Thoughts or Concerns

mgoblue93 — Fri, 30 Mar 2018 19:42:21 GMT

Software development is how I got into IT so I'll put that hat on...

Always the #1 question to ask -- what are your requirements? If there is a business need to use a Skype-like product, then explore that some more in the context of requirements, drivers, enablers,etc. If not, then there is your answer.

You have concerns about Skype on your systems but the post didn't cover why someone wants to load Skype on your systems.

If you have a need for a Skype-like product, then have you done any internal trade studies on what meets the org's requirements best? Skype isn't the only provider out there. How does your org know Skype is what it wants?

Implementation before design is rarely a good thing.

Here's the fun technical part. How have you prototyped/tested any of the potential/candidate solutions? Have you monitored network traffic while testing it to see all the things which are hitting your infrastructure? If you're worried about vulnerabilities, have you researched that? Like going out to something like exploit-db and others and seeing what can be done to Skype?

If you've done this work, great. If not, how does one make a recommendation one way or another? Wouldn't someone along the way in the decision making process eventually look for facts?

Re: Free version of Skype use on Corporate Network. Thoughts or Concerns

Shannon — Sun, 01 Apr 2018 07:50:40 GMT

@bspicer, as @Baechle & @mgoblue93 have already stated, the risk varies with the environment --- and will be calculated using many factors, including but not limited to: -

Business requirements
Available solutions
Security controls

To use your example of Skype, it may be worth implementing in an organization that doesn't prioritize security but has a need for continuous easy communication between users' systems, but not in an organization where communication is to be tightly controlled & security is a major concern.

Re: Free version of Skype use on Corporate Network. Thoughts or Concerns

CISOScott — Mon, 02 Apr 2018 13:12:57 GMT

Nothing is free, remember that. What are you giving up by using this "free" tool? Does it send info about your network out, etc.

Also make sure to read the EULA (End User License Agreement) to make sure it can legally be used on a corporate network. It used to be that free software was designed to be used by non-business customers and the EULA's clearly stated that it was not for use on corporate, business, or government networks. That may have changed, but I always like to check. You may want to have your legal department (if you have one) take a look at it. Look to see what data it collects and transmits.

Maintenance has already been mentioned but make sure you have the people to support it.

Re: Free version of Skype use on Corporate Network. Thoughts or Concerns

Baechle — Mon, 02 Apr 2018 17:30:39 GMT

Ken (@CISOScott),

That's a good point. I assumed Bill (@bspicer) was talking about letting folks just have access to their personal Skype accounts so they can coordinate their grocery shopping and the like with their spouse. But, if it's for commercial use there's a liability there for unauthorized use.

Sincerely,

Eric B.

Re: Free version of Skype use on Corporate Network. Thoughts or Concerns

bspicer — Tue, 03 Apr 2018 14:42:07 GMT

Thank you everyone for your responses. All very good points. Much to consider with apps like these.