原始出处:
http://www.viruslist.com/en/analysis?pubid=204791933
信息来源:邪恶八进制信息安全团队(
www.eviloctal.com)
Introduction
Key conclusions
Research methodology and survey participant profile
VoIP use options
Skype threats
The source of threats
Security and Skype
Conclusion
Introduction
VoIP (Voice over Internet Protocol) technology is developing rapidly, and Skype is the most popular VoIP product on the market. Skype allows users to reduce telephone charges significantly compared to traditional telephone networks, with no loss of connection quality. A second advantage is ease of use. Users worldwide are up and running in seconds: Simply install Skype and plug in a microphone. That done, one can talk, exchange files, text messages and so on.
However, Skype take-up has gone beyond domestic users – it is also used on corporate networks. This is not surprising when one considers how it significantly reduces the cost of long-distance and international calls and simplifies inter-office and person-to-person communications. On top of that, the utility requires no administrator privileges to set up and use. Employees can download Skype from the Internet for free and simply install it on their corporate workstations. This gives rise to a new problem: The increased Information Security (IS) risk of Skype use in the corporate environment.
The issue of Skype and network security is pressing. It is a widespread program which attracts the attention of both insiders and hackers alike. For example, internal information thieves can steal vital data using Skype. Meanwhile, there is no shortage of examples of hackers probing Skype for vulnerabilities.
The present research is the first Russian study into risk-free Skype use on corporate networks. It had as its object:
To assess anxiety among IT and IS specialists regarding the use of Skype on company intranets.
To identify additional IS threats which add to such fears.
To pinpoint the source of these risks.
Key conclusions
Skype is the clear leader among VoIP products. Almost half of those surveyed (46.8%) use Skype. If one removes those without any form of VoIP, then Skype takes 64.9%.
The risk of a leak of confidential information is the greatest threat (55.6%) for a corporate network which has Skype. That is, the survey’s participants fully understand what channels for additional leakage the program presents to insiders.
Skype itself can not seriously be blamed for these additional risks. The core problem is with the human factor (44.6%) rather than with faults in the program.
Despite this, almost two-thirds of those surveyed (66.4%) incline to the view that the threats which attend the introduction of Skype into the corporate environment are a serious obstacle to the program’s wider acceptance. Only one-third of specialists (33.7%) felt that IS problems would not prevent the program’s wider acceptance among companies.
Research methodology and survey participant profile
This research was conducted by InfoWatch’s analysis center between 15th and 30th of January, 2007. Survey participants submitted their answers via an online form with 1242 people taking part. Statistical processing and results analysis were carried out by InfoWatch’s analysis center. Percentages are rounded off to the nearest one-tenth of one percent. In the case of some answers, the total percentages exceed 100% due to the use of multiple choice questions.
The target participants for this research break down as:
IS specialists: 37.1%
System administrators: 34.3%
Users: 28.6%
This means that around 71.1% of those surveyed are IT professionals.
VoIP use options
In fig. 2 we see the survey participants’ preferences regarding the VoIP programs available. That Skype is in first place (46.8%) comes as no surprise to anyone. It is the first – and some would say the most convenient – program for voice transmission over the Internet. All its competitors together only garnered a quarter of the votes (25.3%). We should mention that slightly over a third of specialists surveyed (27.9%) had no VoIP service on their intranets at all. It is probable that this is a result of the threats associated with using Skype.
Denis Zenkin, InfoWatch’s Marketing Director says, “Skype’s security problem is very real. Firstly, the program uses its own protocol which is not supported by traditional inter-network screens. Secondly, voice traffic is difficult for electronic systems to filter, and to do it manually is not cost-efficient. The simplest solution is to forbid the use of Skype altogether. But this is no solution since the program is convenient and beneficial.”
Skype threats
The research concentrates for the most part on identifying the risks inherent in using Skype and on their causes. It found that a clear majority of those surveyed sees a whole range of threats connected with the use of Skype (see fig. 3). A mere 5.3% of specialists felt that the use of Skype on a corporate network represented no threat whatsoever.
The greatest risk – according to 55.6% of those surveyed – is the leakage of confidential information. In other words, more than half the specialists felt that as a result of using Skype, confidential corporate information could leak out. The research concludes that the threat of a leak of confidential information is twice as likely (55.6% as opposed to 29%) than a hacker attack on intranet resources.
The center ground was occupied by the following risks:
Unsanctioned access to information: 37.2%
Data loss risk: 33.2%
Threat of malignant program getting to workstations: 31.7%
Other risks: 7.4%
VoIP solutions – and this concerns not only Skype – clearly present companies with a whole range of IS threats. Programs for voice or video communications are sufficiently simple and accessible for insiders to use. Controlling Skype is no easy task since voice traffic is hard to filter automatically. At the same time, the use of attached files presents no difficulty to even inexperienced users. On top of this, as with the majority of software products, VoIP client programs have vulnerabilities which, theoretically, may be exploited.
What is more, in the opinion of InfoWatch’s analysis center, the risk of hacker attack is somewhat less than commonly thought. The most likely explanation is that fear has its roots in past dangers from hacker break-in. Realistically, at the present time, the threat from hackers is not so great. The threat from malware is also exaggerated. Only one instance of a Trojan penetrating a breach in Skype has been established. We remind readers that a virus cannot spread by itself but has to be physically downloaded by the user.
The source of threats
Having established that use of Skype leads to additional IS risks, the InfoWatch analysis center went on to ask its survey participants to indicate the sources of new IS threats (fig. 4). Clearly, apart from factors connected with the Skype program itself, vulnerabilities can arise due to other causes, such as faults in a given piece of software or malignant intent or lack of discipline among users, etc. The findings indicate that the majority of survey participants (44.6%) regards the workforce itself as the greatest source of threat. In other words, it is the human factor which is most likely to result in an IS incident connected with Skype.
The second-highest rating (26.7%) was accorded to faults in Skype’s software environment. Here we mean either vulnerabilities in the operating system, or the means of defence used and any other software application which might lead to an IS threat when run in combination with Skype. At the same time, only 23.4% of those surveyed thought that such issues were the responsibility of Skype’s developers. And only one in twelve specialists (5.4%) thought that Skype represented no IS threat whatsoever.
Thus, VoIP programs may hardly be said to be the root cause of risk. In almost half the cases, either a company’s employees themselves who did not know how to use their tools properly, or those who expressly wanted to steal information were at fault. To summarize, one may say that to stop using Skype is like trying to ban the Internet or e-mail. VoIP is beneficial and convenient, but to prevent the occurrence of the nightmare scenario – the loss of confidential information – companies need to protect their data in the same way as they protect against theft via e-mail, the Internet, printers or USB data-storage devices.
Denis Zenkin says, “Skype represents a unique opportunity to save money on long-distance calls. This means companies have an interest in the use of VoIP. To say that using Skype exposes corporate networks to unacceptable risk is not correct. But there is also no point in denying the risk altogether. However, other network applications (such as e-mail, browsers, and even the operation systems themselves) frequently present more of a threat than does Skype. To deny oneself promising and economically beneficial forms of technology is plain wrong. One needs only to use them correctly and create the right environment.”
Security and Skype
From participants’ feedback (fig. 5) we see that the factor of security is very high up the list of concerns when deciding whether to bring Skype onto a corporate network. Two-thirds of specialists surveyed (66.4%) either felt strongly or tended toward the view that IS threats make the implementation of Skype within a company more problematical. This is a significant number. In addition, as was already noted, the root cause of the problem does not lie with Skype’s technology, but rather with the its incorrect or malignant use. Naturally, any new technology which increases the risk of confidential information leaks will be given a hostile reception. This brings us to a dangerous pass. Without the implementation of advanced, modern technology companies cannot compete. But at the same time, the use of new solutions is complicated by the additional IS threats they may cause.
