Skype users recently suffered three days of service disruption, with many users effectively off air for that period. The problem appears to have started on August the 16th, when users could no longer log into the service and make calls. Skype have denied that the outage was due to any Denial of Service attack or other hacker activity. Instead, if one is to go by Skype’s own explanation on their blog, the finger of blame is pointing towards our friends in Seattle. Yes folks, it is all Microsoft’s fault!!
Apparently the release by Microsoft last Tuesday of a number of patches forced a large number of Skype users’ PCs to reboot; this event had a cascading impact on the Skype software and its peer to peer network, resulting in the outage.
You may ask what the above has got to do with information security. Well, if we look at the three pillars of the infosec triad, Confidentiality, Integrity and Availability, then the Skype network outage is clearly an infosec issue, especially when you consider that there are many small companies, and indeed some larger ones, using Skype to communicate around the globe with colleagues, customers and suppliers. It would be interesting to see how many of those companies had business continuity plans in place for this, or indeed any, Skype outage.
The other item this issue highlights is how we need to take a holistic view when securing our systems and services. An update from Microsoft apparently triggered a reboot of numerous PCs at the same time; the rebooted PCs then all tried to log back in at once, the flood of log-in requests exposed a failure in Skype’s software, and the resources of the peer to peer network were exhausted. That chain of events highlights how fragile our “electronic eco-systems” are.
We should not look at one application or service by itself, but need to consider the overall system in its entirety, how all its components interact, and where the key dependencies are. We then need to consider the impact a problem, failure or bug in one component of that system will have on the other components: how do we make the system fail gracefully and securely, and how do we recover?
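The failure mode described above, a whole population of clients rebooting and reconnecting in the same instant, is worth seeing in numbers. The simulation below is an added example and is not Skype’s design or code; it assumes a constructed model in which a login service handles a fixed number of logins per tick and, when more clients contend than it can handle, thrashes and completes only a tenth of its normal capacity (the `THRASH_DIVISOR` rule). It compares two client-side recovery strategies for the same synchronized reboot: retrying immediately, which keeps the service permanently overloaded, and full-jitter exponential backoff, which spreads the retries out so the service can recover. Every number in it (1000 clients, capacity 100, the 16-tick jitter cap) is a constructed parameter, not a measurement.

```python
import random
from typing import Callable, Dict, Optional

# Assumed overload rule (constructed for this model): when more clients attempt
# to log in than the service can handle in a tick, it thrashes and completes
# only capacity // THRASH_DIVISOR logins that tick. This stands in for the
# "resources exhausted" behaviour of an overloaded service.
THRASH_DIVISOR = 10


def immediate_retry(attempt: int, rng: random.Random) -> int:
    """Naive client: retry on the very next tick no matter how often it failed."""
    return 1


def jittered_backoff(attempt: int, rng: random.Random, cap: int = 16) -> int:
    """Full-jitter exponential backoff: wait a random 1..min(cap, 2**attempt) ticks.

    The randomness is the important part: it de-synchronizes clients that all
    failed at the same moment, so they do not return as one wave.
    """
    return rng.randint(1, min(cap, 2 ** attempt))


def simulate_login_storm(n_clients: int, capacity: int,
                         backoff: Callable[[int, random.Random], int],
                         max_ticks: int = 500, seed: int = 7) -> Dict[str, Optional[int]]:
    """Simulate every client rebooting at tick 0 and trying to log back in.

    Returns the peak number of simultaneous attempts, the total number of
    rejected attempts, how many ticks the service spent overloaded, and the
    tick at which the last client got in (None if it never happened).
    """
    rng = random.Random(seed)
    next_try = [0] * n_clients        # everyone rebooted, so everyone tries at tick 0
    attempts = [0] * n_clients        # failed attempts per client, drives the backoff
    logged_in = [False] * n_clients
    peak = rejected = overloaded_ticks = 0
    done_tick = None
    for t in range(max_ticks):
        waiting = [i for i in range(n_clients) if not logged_in[i] and next_try[i] <= t]
        peak = max(peak, len(waiting))
        if len(waiting) > capacity:
            overloaded_ticks += 1
            effective = capacity // THRASH_DIVISOR   # thrashing: almost nobody gets in
        else:
            effective = capacity
        rng.shuffle(waiting)                          # service has no preference among contenders
        for i in waiting[:effective]:
            logged_in[i] = True
        for i in waiting[effective:]:
            rejected += 1
            attempts[i] += 1
            next_try[i] = t + backoff(attempts[i], rng)
        if all(logged_in):
            done_tick = t
            break
    return {"peak": peak, "rejected": rejected,
            "overloaded_ticks": overloaded_ticks, "done_tick": done_tick}


if __name__ == "__main__":
    for name, strategy in (("immediate retry", immediate_retry),
                           ("jittered backoff", jittered_backoff)):
        result = simulate_login_storm(n_clients=1000, capacity=100, backoff=strategy)
        print(f"{name:17s} peak={result['peak']:5d} rejected={result['rejected']:6d} "
              f"overloaded_ticks={result['overloaded_ticks']:3d} done_tick={result['done_tick']}")
```

With immediate retry the whole population keeps hammering the service every tick, so it stays in the thrashing regime for 90 ticks and rejects tens of thousands of attempts before the backlog finally drops below capacity. With jittered backoff the initial spike is identical (nothing on the client can prevent the first wave after a forced reboot), but the retries disperse within a handful of ticks, the service leaves the overloaded regime, and the remaining clients drain at its normal rate. The service-side lesson is the same one the post draws: a component must degrade gracefully under a load it did not cause, rather than amplifying it.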
With regards to blaming Microsoft for this outage, well, I have to disagree with this sentiment. Some commentators have taken this as an opportunity to criticise the Microsoft update service, reciting the mantra that if Microsoft wrote bug-free software then this would not have happened. Sure, Microsoft have had a bad reputation for security issues in the past, and deservedly so, but to blame them for triggering a problem in a third party system is a bit of a stretch for me. Skype had a problem with a bug in THEIR software which, when forced to accept a large number of log-ins, exhausted resources in THEIR peer to peer network.
So, lessons learnt:
- Ensure you have a business continuity plan in place for all services your company uses.
- Identify all dependencies within all your systems and try to determine how those dependencies could be used to deliberately or accidentally compromise your systems.
- Ensure that all systems fail gracefully and securely.
- If a problem exists in your system then accept the blame yourself and deal with rectifying the issue quickly.