Friday, August 29, 2008

Skype Security Risks

What are the risks of Skype in an enterprise environment? Is it good or bad? To me there is no definite answer. Let's consider different factors and see why:
  • Skype uses a peer-to-peer (P2P) architecture. Many companies are very cautious about P2P, but is it really a problem in the case of Skype? Not quite. It doesn't have information sharing capabilities, which are the major contributor to the level of risk with P2P software. And in most corporate environments it will not work as P2P due to the presence of a firewall.
  • Data confidentiality matters - Skype encrypts all the traffic, and although the encryption scheme is not open (hence no public analysis has been performed), it uses standard encryption algorithms such as AES, not proprietary ones.
  • There is definitely a risk of data leakage. This is always the case with any new data transmission channel. It can be controlled to some degree - for example by using Skype for Business and disabling the file transfer feature.
  • Skype can be used by malware (through its API) as a covert data transmission or control channel. Again, the API can be disabled in the business version.
  • There is a risk of overloading the Internet link. What can contribute to this is usage of video capabilities and super nodes (if one of your clients becomes a super node). The latter is unlikely in an enterprise (firewalled) environment and in any case can be avoided, again by using a properly configured business version. Voice traffic uses about 5 KB/sec, which is about 25 simultaneous calls for 1M line.
  • Usage of Skype is most likely undesirable in regulated environments (like financial institutions), where communication recording (logs, contents) is required.
  • Not really a risk, but support costs may contribute to the picture.
My opinion is that the risks of using Skype are sometimes exaggerated. In fact, in many environments usage of Skype can bring more benefits than drawbacks, provided that it is used in a controlled manner. So before talking about high risks and banning Skype I would suggest the following analysis process:
  • Identify the business objectives of using Skype.
  • Analyze which of those objectives can and which cannot be achieved using already available corporate tools.
  • Analyze and present the other options for meeting those business objectives and do a high-level comparison if feasible.
  • Present a list of risks of using Skype, but do it in business terms. I.e. not "Skype is risky because it utilizes P2P architecture", but "Skype increases a risk of data leakage that cannot be detected". Also, information about the impact on Internet bandwidth and maintenance costs would be useful here.
  • Given all this information it would be possible to come to an optimal decision. One more thing that needs to be stressed is that if you are going to implement a new technology (Skype or whatever), it should be done in a controlled manner - like disabling functions that are not part of the initial business requirements (for Skype think about things like file transfer and the API) and meeting any other existing corporate IT/IT security policies and standards.
  • If the business decides to go with Skype, insist on the business version and on the formation of a technical working group to implement proper settings/policy before going live.
One more important point I wanted to raise here: if you go with prohibiting Skype, don't just do it declaratively. Use a combination of detection and blocking to actually enforce the policy. Possible options would be:
  • Detection of Skype software update traffic. Skype uses a distinguishable User-Agent header in such requests ("User-Agent: Skype 1.3", for example) and connects to ui.skype.com.
  • Skype generates TCP probes as part of normal operation.
  • Skype can be blocked by blocking CONNECT on the proxy server. This is not feasible in most environments, however.
  • Skype can be detected by searching for the "skype.exe" process running on users' workstations.
  • Skype installations can be detected with a software inventory tool, like Microsoft SMS.
  • In some cases Skype can be detected by analyzing the amount of https (CONNECT) Internet traffic.
  • Skype generates UDP and TCP packets to port 33033 during the login process.
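
Several of the network indicators listed above (the Skype User-Agent, requests to ui.skype.com, traffic to port 33033) can be correlated per workstation. The following is an added example, not part of the original post; the log formats, addresses and the update path are constructed for illustration:

```python
import re
from collections import defaultdict

# Constructed sample records, not real traffic. Assumed formats:
#   proxy: <client_ip> <METHOD> <host[:port][/path]> "<User-Agent>"
#   flow:  <client_ip> <TCP|UDP> <dst_ip>:<dst_port>
PROXY_LOG = """\
10.0.0.11 GET ui.skype.com/constructed-update-path "Skype 1.3"
10.0.0.12 GET www.example.com/index.html "Mozilla/4.0 (compatible; MSIE 7.0)"
10.0.0.13 CONNECT mail.example.com:443 "Mozilla/4.0 (compatible; MSIE 7.0)"
10.0.0.14 GET UI.SKYPE.COM/ "-"
"""
FLOW_LOG = """\
10.0.0.11 UDP 192.0.2.50:33033
10.0.0.15 TCP 192.0.2.51:33033
10.0.0.12 TCP 198.51.100.7:443
"""

PROXY_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')
FLOW_RE = re.compile(r'^(\S+) (TCP|UDP) (\S+):(\d+)$')
SKYPE_UA = re.compile(r'^skype\b', re.IGNORECASE)  # e.g. "Skype 1.3"
UPDATE_HOST = "ui.skype.com"
LOGIN_PORT = 33033


def detect(proxy_log, flow_log):
    """Return {client_ip: sorted list of indicator names seen for that client}."""
    hits = defaultdict(set)
    for line in proxy_log.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole scan
        ip, _method, target, agent = m.groups()
        host = target.split("/", 1)[0].split(":", 1)[0].lower()
        if SKYPE_UA.match(agent):
            hits[ip].add("user-agent")
        if host == UPDATE_HOST:
            hits[ip].add("update-host")
    for line in flow_log.splitlines():
        m = FLOW_RE.match(line)
        if m and int(m.group(4)) == LOGIN_PORT:
            hits[m.group(1)].add("login-port-33033")
    return {ip: sorted(names) for ip, names in hits.items()}


def corroborated(hits, minimum=2):
    """Clients with at least `minimum` independent indicators (fewer false positives)."""
    return sorted(ip for ip, names in hits.items() if len(names) >= minimum)


if __name__ == "__main__":
    found = detect(PROXY_LOG, FLOW_LOG)
    print(found, corroborated(found))
```

A single indicator is a reason to check the workstation (for example with the process or inventory checks above); clients returned by `corroborated` matched on more than one independent signal.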
As a conclusion: every environment is different, but the issues presented in this article can be used to conduct a risk assessment that is applicable in your case. Use the process outlined above, or Schneier's five-step risk assessment process, or any other method relevant to your company. It is important to note that in many cases Skype can provide a cheap and secure option for VoIP and IM.

1 comment:

Igor Gots said...

1. Is it correct to talk about Skype in the enterprise, when every enterprise is able to have its own VoIP infrastructure connected to the public IP network or the usual phone network?
2. Is it possible to talk about the security of Skype-AES, when we don't know how Skype modifies this algorithm?

I think that using Skype in really small businesses and at home is a good choice, but installation and configuration of VoIP infrastructure is now so simple that mid-sized businesses and enterprises have to take VoIP management into their own hands.