*>>I submit, however, that another animal is a powerful and
relevant metaphor here - the black swan.*

Metaphors are nice, but we have limited time to focus on them to the
distraction of actually *doing* things.

Fact:  The internet is a rough and tumble environment, with lots of threats
about, and the number grows steadily.
Fact:  There is significant business benefit to be had by way of the
internet, so the existence of threats is not the end of the story.

*>>For web browsing I do use as many mitigating technologies as I am allowed
to use for web browsing as I can, but we've basically lost the battle on
that front. This doesn't mean that we shouldn't keep fighting.*

No, but it does mean that your organization is willing to take on some risk
in conducting its business.  It also means, more importantly for this
discussion, that even without the ability to suitably (to your satisfaction)
mitigate all threats, you have not succumbed to every threat.   This is
likely to be true with other technologies beyond browsers.

I'm not asking you to forgo security entirely.  I'm saying, "Articulate some
key risks that pertain to your environment and are PROBABLE, rather than
HYPOTHETICAL, and we'll seek to help you find ways to mitigate them."

If you'd rather focus on waxing philosophical about potential risks in
general, then there is little we can do to help you, and your ability to
effectively prevent your organization from deploying this technology widely
will approach zero.


*>>For instance, I've proposed... I've gotten funny looks and a denial.*


And they are likely to continue looking at you like that if you are unable
to show why the cost and complexity you propose is worth risks you cannot
otherwise articulate.



*ASB* (My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
*Exploiting Technology for Business Advantage...*



On Fri, Dec 31, 2010 at 1:58 AM, Kurt Buff <kurt.b...@gmail.com> wrote:

> It's good you don't equate ubiquity with safety - the apocryphal
> lemmings are a poor example.
>
> I submit, however, that another animal is a powerful and relevant
> metaphor here - the black swan.
>
> We simply don't know what the threats are, and the downside is huge.
> That alone should be warning enough. If you haven't read them, the
> works of Nicholas Nassim Taleb are worth the read.
>
> You ask about "practical" concerns - they are the usual, which are
> dismissed: Subversion of the client, intrusion of the network thereby,
> in a very hard to detect fashion - much harder to detect than a
> subverted web browser. The risk is much larger with skype because of
> the nature of the task and the software. Lots of traffic to and from
> the world, with no way to understand or filter it.
>
> For web browsing I do use as many mitigating technologies as I am
> allowed to use for web browsing as I can, but we've basically lost the
> battle on that front. This doesn't mean that we shouldn't keep
> fighting.
>
> For instance, I've proposed that those who "need" skype should receive
> a second, less-capable PC, with an internet connection that that
> doesn't touch the production network - perhaps a separate layer 2 VLAN
> that doesn't touch the production network, and which could also be
> used for other purposes as well - like web browsing. I've gotten funny
> looks and a denial.
>
> Corporate culture is fundamentally insane on this issue, AFAICT.
>
> On Thu, Dec 30, 2010 at 21:26, Andrew S. Baker <asbz...@gmail.com> wrote:
> >>> Ah, but I believe you're mistaking or minimizing the differences between
> >>> web browsing and skype.
> > No, Kurt, I am not minimizing them.   I'm pointing out that we routinely hear
> > about people who experience infosec-related problems in the corporate realm
> > due to what would otherwise be deemed as simple web browsing.  Recent tech
> > news is replete with such examples.
> > Whether or not there is technology available to mitigate these is secondary
> > (unless, of course, you are currently making use of all such technology).
> >  It is safe to say that your organization is already assuming some risk
> > related to technologies for which there are ready and active exploits on a
> > regular basis.
> >
> > I'm simply asking you to articulate *practical* problems that you expect to
> > encounter in your employees' use of Skype, so that we can discuss
> > appropriate mitigation strategies, or come to the conclusion that it is not
> > worth the effort to do so.
> > There are all sorts of possibilities and probabilities with technologies,
> > but rather than wax poetic about things that are possible, let us evaluate
> > that which is probable and deal with it.
> > While I am not quite willing to suggest that ubiquity is equivalent to
> > safety, I will ask:  Given the not-insubstantial adoption of Skype in the
> > corporate realm -- from which you should be able to draw ample examples --
> > what are the types of real-world issues you anticipate happening when your
> > employees start using Skype?
> >
> > ASB (My XeeSM Profile)
> > Exploiting Technology for Business Advantage...
> >
> >
> >
> > On Thu, Dec 30, 2010 at 11:28 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
> >>
> >> Ah, but I believe you're mistaking or minimizing the differences
> >> between web browsing and skype. They are nothing alike. For the
> >> largest difference, http is a well understood protocol, and there are
> >> many ways to mitigate issues with it and the software that consumes
> >> it, including web filters with white/black lists, proxies that
> >> understand the protocols involved (html, xml, javascript, java and
> >> flash, mostly), plus browser addons that filter or block
> >> javascript/flash/java and ads.
> >>
> >> There is *nothing* equivalent available for skype. You are given a
> >> client that consumes an encrypted data stream over which you have no
> >> control and into which you have no visibility. You cannot
> >> whitelist/blacklist any ip address on ports 443 (tcp and udp!) or port
> >> 80, and there is no proxy of which I'm aware that understands the
> >> protocol to monitor it for buffer overflows or other malicious
> >> content.
> >>
> >> Even with SSL, if I want to spend the money and/or time, I can MITM
> >> and proxy SSL. Not possible with skype.
> >>
> >> Kurt
> >>
> >> On Thu, Dec 30, 2010 at 14:48, Andrew S. Baker <asbz...@gmail.com> wrote:
> >> >>>Does this
> >> >>>
> >> >>> (http://en.wikipedia.org/wiki/Skype_security#Flaws_and_potential_flaws) not
> >> >>> give plenty for a reasonable person to worry about?
> >> >
> >> > Some pause, sure.
> >> >
> >> > Plenty to worry about?  No, unless you also prohibit internet access for the
> >> > folks in your organization, since some of these are generic to internet
> >> > connectivity and standard web services use (xss flaws, etc)
> >> >
> >> > More importantly, none of the flaws outlined in the article are newer than
> >> > 2008.  Not to say there aren't any new ones, but they've updated the list at
> >> > least 3 times this year, but with flaws from 2008 or earlier.
> >> >
> >> > There are ways to mitigate supernode access, and some of the other
> >> > functionality of Skype in an environment.
> >> >
> >> > Define the threat and determine if there is sufficient mitigation or
> >> > workarounds available to handle it vs the benefits that might be derived
> >> > from the tool's usage.
> >> >
> >> > Back in 2006, we voted against its usage within our organization based on
> >> > the proposed use case.  Today, the technology is far more robust (the recent
> >> > meltdown notwithstanding) and the tools for mitigating VoIP risks in general
> >> > are more prevalent and mature.
> >> >
> >> > ASB (My XeeSM Profile)
> >> > Exploiting Technology for Business Advantage...
> >> >
> >> >
> >> >
> >> > On Thu, Dec 30, 2010 at 4:53 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
> >> >>
> >> >> Among my concerns is that skype is a P2P technology - in itself not
> >> >> such a big deal, normally - and that skype data transits all manner of
> >> >> end-user machines not under anyone's control (certainly in many cases
> >> >> not in the control of the putative owner). It also is intrusive in
> >> >> that according to the EULA it basically owns your machine for its own
> >> >> purposes, including auditing your hardware configuration and allowing
> >> >> inbound network traffic that you don't control.
> >> >>
> >> >> All aspects of computer and network security for our company is my
> >> >> focus, though it's not my full time job - or is that not the question
> >> >> you were asking?
> >> >>
> >> >> Does this
> >> >> (http://en.wikipedia.org/wiki/Skype_security#Flaws_and_potential_flaws)
> >> >> not give plenty for a reasonable person to worry about?
> >> >>
> >> >> Kurt
> >> >>
> >> >> On Thu, Dec 30, 2010 at 12:25, Andrew S. Baker <asbz...@gmail.com> wrote:
> >> >> > What's your main concern with Skype?
> >> >> > What aspect of security is your focus?
> >> >> >
> >> >> > ASB (My XeeSM Profile)
> >> >> > Exploiting Technology for Business Advantage...
> >> >> >
> >> >> >
> >> >> >
> >> >> > On Thu, Dec 30, 2010 at 3:15 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
> >> >> >>
> >> >> >> This is pretty old, but I'm now being forced to allow skype on our
> >> >> >> network, and I'm pretty unhappy about it..
> >> >> >>
> >> >> >> Ken, is your firm still allowing skype, and if so, can you speak to
> >> >> >> what your security folks did to make themselves happy about allowing
> >> >> >> skype?
> >> >> >>
> >> >> >> Has anyone else here done a security review that gave them a decision
> >> >> >> one way or the other about allowing it?
> >> >> >>
> >> >> >> Kurt
> >> >> >>
> >> >> >> On Thu, Jan 15, 2009 at 08:12, Ken Cornetet <ken.corne...@kimball.com> wrote:
> >> >> >> > We are deploying it here to a few users.
> >> >> >> >
> >> >> >> > I’m using group policy to turn off being a supernode, downloads, listening
> >> >> >> > on tcp ports, and 3rd party access to the Skype API.
> >> >> >> >
> >> >> >> > Our security folks reviewed it and are happy.
> >> >> >> >
> >> >> >> > From: Tim Evans [mailto:tev...@sparling.com]
> >> >> >> > Sent: Thursday, January 15, 2009 11:01 AM
> >> >> >> > To: NT System Admin Issues
> >> >> >> > Subject: Skype
> >> >> >> >
> >> >> >> > Has anyone looked at Skype recently?  We’ve got a client that wants us to
> >> >> >> > use Skype for communications with them. I’ve always been a little leery of
> >> >> >> > using them in a business environment, but looking at it now, I see they have
> >> >> >> > a MSI download for easy deployment and a group policy template for central
> >> >> >> > administration of settings. It all looks pretty cool. While the security guy
> >> >> >> > in me wants to say no, I’m having a hard time finding a reason not to say
> >> >> >> > OK.
> >> >> >> >
> >> >> >> > I’m curious what the members of this esteemed group think about it
> >> >> >> >
> >> >> >> > …Tim
>