Here are some security vulnerabilities arising from external access to Skype for business that organizations should pay attention to:
Network account can be locked by an attacker simply sending authentication attempt while only knowing user name and not password (DDoS attack). Attack can be on multiple protocols (SIP/HTTPS), Multiple channels (sign in, Exchange, web api..) and multiple methods (basic, NTLM, SOAP) services.
Device Security Control
User can download SfB (Skype For Business) on a personal device which is not under MDM control and is not aligned with company security policy (Jail broken for example) and bypass all MDM security layers by connecting to SfB server.
- Compliance and security require controlling modalities between communication participants
- No ability to define what is allowed to do and see – IM, file sharing, audio etc. between federated users and internally
- Privacy issues related to presence
- Server info exposure
Attacker can get access to SfB & Exchange by only knowing user name and password
Control which devices can connect to company infrastructure
Allowing external guests required unauthenticated and anonymous requests to enter the network without inspection. Topology allow malicious traffic to get to internal servers and to overload internal servers with fictitious meeting requests
Domain credentials required by SfB can hacked while stored and used on device out of network control.
Sensitive Data Leaking
- Prevent sensitive information from being passed through Skype for Business to devices outside of company control.
- Require solution for all type of SfB client