Challenges related to mobile security for organizations include:
- Staff using their own devices
- Mobile-friendly secure chat for distributed teams
- Staff communications while traveling to low internet access locations
Why is this a problem?
- Lack of IT support on own devices
- Many different setups, which complicates support and sometimes workflow
- The device is shared with other people who observe different security practices
- More difficult to impose security changes on privately owned devices
- There is less separation between private and professional information/communication
- Information ends up on insecure devices
- There is no way to completely stop people from using their own devices for work
- It is mostly an awareness and behavioural problem; technical solutions here are limited
- Phones are an acute example of this problem
What are some solutions for organizations?
- Embrace that people will use their own devices, or make it part of the contract (staff need to have their own laptop, phone, etc.)
- Every new staff member receives a security briefing (installation of tools on their devices, training on how to use them, awareness of risks and threats): one briefing when the person starts (101), then a refresher with all staff every 6 months
- Clear, internalized policy on information & communication management (specifying e.g. carrying info out of the office, use of own devices, accounts, etc.), part of the contract
- Provide the device for all staff (onboard the person on the laptop only once they have read/understood SiaB (Security in a Box) - check!)
- Map out what information the org is managing and which is public, internal or confidential; use this tagging later and set separate policy rules for each type:
- public: just back up
- internal: list of allowed services
- confidential: end-to-end encrypt
- Create a support mechanism: people can come and ask for help, bring a device and get it checked, reinstalled, tools installed, etc.
- Google Apps (can be a good solution for an organisation because it supports two-step authentication)
- Chat for mobile:
¶ Secure VoIP and chat
Many organizations rely on Skype. Why?
- It's free.
- Skype provides both mobile and desktop clients. They are easy to use and run in the background.
- It offers features such as video conferencing, screen sharing, calls to telephones, chat and voice.
- For the most part, it is reliable: high quality sound and good performance even on low bandwidth connections.
- Many people already use Skype, so it saves time: you don't have to teach the person you're communicating with how to use the tool.
But in many cases, Skype is not a good option for organizations. Here are some reasons why replacing Skype may be a security priority for an organization:
- Users don't realize that their chat history is stored on their computers.
- Skype does not offer two-step verification, which leaves accounts vulnerable to hacking.
- Skype, as a company, is not necessarily trustworthy. Its source code is closed, so while it says information sent over Skype is encrypted, the community cannot verify that claim or the quality of the implementation.
- Furthermore, Skype collects metadata on its users. What is it doing with this information?
- Skype does not offer end-to-end encryption: Microsoft can decrypt the traffic (more information on this on the EFF website).
- Spam and phishing attacks propagate over Skype, and it is currently a popular delivery channel for FinFisher.
- More secure solutions are available that offer security features like Off-the-Record (OTR) messaging, deniability and verification.
So, what are the alternatives?
Ideally an organization would use several of these options.
- Video conference calls (WebRTC)
- Pidgin – chat client
- offers Off-the-Record (OTR) messaging
- the XMPP server it connects to can be self-hosted
- hard to keep an archived history (which can be good or bad, depending on the situation)
- Tor Messenger
- Mattermost – an alternative to Slack
You should be prepared to address some common challenges that organizations have when moving away from Skype, such as:
- When communicating with teams that don't prioritize security, people are often pulled down to the lowest common communication channel, which is often Skype.
- It takes extra time and effort to get those outside of your organization on board with your team's preferred communication channel.
- It's just so easy to go back to Skype because it's what people know. And sometimes workflow efficiency trumps security.
So, what has helped convince organizations that moving away from Skype is worth it, despite the challenges above?
Well, there's the "scare approach":
- With the team, demonstrate how far back the history in a Skype chat goes, so users understand how much information about their communications could be collected.
- Share examples of how Skype, the company, has partnered with governments to surveil their citizens (the United States National Security Agency, China, and others).
But you might prefer a more positive approach:
- Skype isn't all that great anyway, right? You have to pay to have more than 2 people on a video call, and updates rely on the user to initiate them.
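For the "how far back does the history go" demonstration, here is an added example script (not from the original notes or from Skype): it opens the local chat database of classic Skype (the desktop client before version 8), which stored every conversation in an SQLite file (`%APPDATA%\Skype\<skypename>\main.db` on Windows, `~/Library/Application Support/Skype/<skypename>/main.db` on macOS, `~/.Skype/<skypename>/main.db` on Linux), and reports how old the log is, who appears in it, which files were transferred, and how many messages a retention rule would have already deleted. Only a subset of the real schema is used; `build_sample_db()` constructs a stand-in with invented rows so the script runs offline. The date in `NOW` and all sample rows are constructed.

```python
# Added example for these notes (not from the original page or from Skype):
# inspect a classic Skype main.db to show a team how far back its stored
# history goes, and what a retention rule would delete.
# Only this subset of the real schema is used: Messages.convo_id/author/
# timestamp/body_xml, Conversations.id/displayname, Transfers.partner_handle/
# filename/filesize. Close Skype before touching a real file: it holds the
# database open while running.
import datetime as dt
import os
import sqlite3
import tempfile
from collections import Counter

# Constructed "today" so the sample numbers are reproducible.
NOW = dt.datetime(2016, 3, 1, tzinfo=dt.timezone.utc)


def _cutoff(retention_days, now):
    """Unix timestamp before which a retention rule would delete messages."""
    return int((now - dt.timedelta(days=retention_days)).timestamp())


def summarize_history(db_path, retention_days=90, now=None):
    """How far back the log goes, messages per conversation, who appears in it,
    files transferred, and how many messages a retention rule would remove."""
    now = now or dt.datetime.now(dt.timezone.utc)
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute(
            "SELECT m.timestamp, COALESCE(c.displayname, m.convo_id), m.author "
            "FROM Messages m LEFT JOIN Conversations c ON c.id = m.convo_id"
        ).fetchall()
        files = con.execute(
            "SELECT filename, filesize, partner_handle FROM Transfers"
        ).fetchall()
    finally:
        con.close()
    if not rows:
        return {"messages": 0, "conversations": {}, "files": [tuple(f) for f in files]}
    stamps = [r[0] for r in rows]
    oldest = dt.datetime.fromtimestamp(min(stamps), dt.timezone.utc)
    return {
        "messages": len(rows),
        "oldest": oldest.date().isoformat(),
        "days_of_history": (now - oldest).days,
        "conversations": dict(Counter(r[1] for r in rows)),
        "authors": sorted({r[2] for r in rows}),
        "older_than_retention": sum(1 for t in stamps if t < _cutoff(retention_days, now)),
        "files": [tuple(f) for f in files],
    }


def purge_older_than(db_path, retention_days, now=None):
    """Apply a retention rule to the local copy; returns the number of rows deleted.
    VACUUM matters: without it the deleted rows stay recoverable in free pages."""
    now = now or dt.datetime.now(dt.timezone.utc)
    con = sqlite3.connect(db_path)
    try:
        cur = con.execute("DELETE FROM Messages WHERE timestamp < ?",
                          (_cutoff(retention_days, now),))
        con.commit()
        con.execute("VACUUM")
        return cur.rowcount
    finally:
        con.close()


def build_sample_db(path, now=NOW):
    """Constructed stand-in for main.db: real table/column names, invented rows."""
    def ago(days):
        return int((now - dt.timedelta(days=days)).timestamp())
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE Conversations (id INTEGER PRIMARY KEY, displayname TEXT, identity TEXT);
        CREATE TABLE Messages (id INTEGER PRIMARY KEY, convo_id INTEGER, author TEXT,
                               timestamp INTEGER, body_xml TEXT);
        CREATE TABLE Transfers (id INTEGER PRIMARY KEY, partner_handle TEXT,
                                filename TEXT, filesize TEXT);
    """)
    con.executemany("INSERT INTO Conversations VALUES (?,?,?)", [
        (1, "Field team", "#fieldteam"), (2, "Alice", "alice.example")])
    con.executemany("INSERT INTO Messages VALUES (?,?,?,?,?)", [
        (1, 2, "alice.example", ago(1460), "flight details for the trip"),
        (2, 2, "me.example", ago(1459), "got them, thanks"),
        (3, 1, "bob.example", ago(400), "draft budget attached"),
        (4, 1, "me.example", ago(200), "source met us at the hotel"),
        (5, 1, "alice.example", ago(30), "call at 10?"),
        (6, 2, "alice.example", ago(2), "ok")])
    con.execute("INSERT INTO Transfers VALUES (?,?,?,?)",
                (1, "bob.example", "budget-2016.xlsx", "48213"))
    con.commit()
    con.close()


def run_demo(retention_days=90):
    """Build the sample, summarize it, apply the retention rule, summarize again."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "main.db")
        build_sample_db(path)
        before = summarize_history(path, retention_days, NOW)
        deleted = purge_older_than(path, retention_days, NOW)
        after = summarize_history(path, retention_days, NOW)
    return {"before": before, "deleted": deleted, "after": after}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Point `summarize_history()` at a real main.db to run the demonstration on a projector; the "before" summary is the scare, and the difference between "before" and "after" is a concrete way to discuss what retention period the organization actually wants.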
- You'll love the alternatives! Look at the great tools built on WebRTC (Web Real-Time Communication) – cross-platform, browser-based, and so very easy to use!
The organization may agree that moving away from Skype is a good idea. Now what are your options to move forward? Here are some options for how to move the organization away from Skype, in order from slow and practical to ideal:
- Multiple phases: get staff away from Skype but still use a proprietary tool, moving in the direction of more secure options:
- Change to Google Apps and Google Hangouts, if you are already using Google as an organization.
- Ensure 2-step verification is on and train staff on other security features
- ISSUES: dependency on Google; doesn't address the metadata/end-to-end encryption issue
- Move to Jitsi or Pidgin with OTR
- Do you continue using Gmail accounts? Or do you get more trusted XMPP accounts?
Once you've figured out your plan for how to move the organization away from Skype and onto something more secure, you'll want to help create some policies to guide staff on how to use VoIP safely:
- If it is a scheduled meeting, send a link to a WebRTC call room
If the organization decides to continue using Skype (and if it's likely that staff will continue to use Skype) you may want to also include policies such as:
- Don't send files over Skype
- Decide on history retention
- Hardline approach to Skype use:
- Use local group policy
- Use centralized policies
- Set anti-virus rules to delete the Skype executable
- ISSUES: controversial; relies on the org owning the computer; may not work in many scenarios where the structure doesn't allow this level of control
Make a policy of communication options according to the sensitivity of the information and the local context. Below is an example:
Voice calls:
- unsecure: phone call
- better: Skype voice
- better: Google Hangouts
- secure: Signal (voice call)
- secure: meet.jit.si (also available on the phone) or the Jitsi client program
Text chat:
- unsecure: SMS
- unsecure: Facebook
- unsecure: Twitter
- unsecure: Viber
- better: WhatsApp
- better: Skype
- better: Telegram (secret chats only)
- secure: Cryptocat
- secure: Jitsi
- secure: Signal text
Email:
- unsecure: Yahoo, Hotmail, Outlook, ...
- better: Gmail
- better: Hushmail
- even better: Riseup
- even better: Tutanota
- secure: PGP and the org's own email service