In my organization, users are allowed to install the instant messaging (IM) program of their choice (each group seems to have their own preference), and each program comes with different plug-ins, encryption options, etc. Could you provide an overview of the most common instant messaging security risks that enterprises face? Should companies limit users to one IM program with certain security options?
Ask the Expert
Application security expert Michael Cobb is ready to answer your top questions.
Probably the biggest instant messaging security risk companies face today is allowing employees to install the IM program of their choice. By permitting the use of any public IM service, you're essentially outsourcing IM security to a third-party system with which your organization has no contract and no guarantee of service, and over which it has no real control. A standard port-blocking firewall provides little protection, as IM clients use port crawling and can automatically adjust their settings to connect to the IM server even if direct access to it is blocked. This makes it very difficult to protect against threats such as IM-borne viruses, worms, IM spam, malware and phishing attacks, accidental or deliberate data leakage, inappropriate use and regulatory non-compliance.
IM-based attacks usually spread quickly by using social engineering techniques to trigger execution of the payload. For example, the IM-Worm.Win32.Zeroll can send messages in 13 different languages, and the Dorkbot worm can spread via multiprotocol IM applications, such as Digsby, and capture usernames and passwords by monitoring network communications and even blocking sites related to security updates.
Because controlling IM is not an easy task, there's a strong case for using an enterprise IM system that provides traffic analysis, reporting, keyword searches and message archiving.
Many products are able to integrate access control into an operating system's authentication mechanism like Active Directory to control the use of collaboration features such as integrated live voice, video and data. Administrators can also implement and enforce end-to-end encryption and user authentication, as well as configure content and URL filters.
Alternatively, enterprises can use a cloud-based service and avoid the need to install additional hardware or software altogether. All IM messages sent to or from the network are routed through the cloud service, where they are scanned for viruses, worms and malicious URL links. Messages are also matched against content control and acceptable IM use policies, and any messages that are deemed malicious, suspicious or in violation of policy are automatically blocked. All messages are also logged and can be sent to an existing archiving tool to satisfy legal discovery requirements and other relevant regulations.
As IM-based attacks need some form of user interaction to execute their malicious code, a robust acceptable use policy (AUP) must be paired with employee awareness training. Training should cover social engineering techniques used by attackers so users understand how to respond and won't be tempted to break security procedures or ignore common sense. An IM AUP should be similar to an email AUP, although there will be additional areas that need addressing, such as naming conventions for accounts so employees can't impersonate other staff members, and how file transfers are initiated. Of paramount importance, of course, is clearly stating what type or classification of information can be communicated via IM. Equally critical is ensuring enterprise policies include the company's right to monitor IM usage.
Instant messaging is still the preferred communication channel for collaborating with colleagues and partners in different locations. It offers presence awareness and file exchange, and conversations don't have a limitless audience. The business benefits of IM more than offset the potential risks, as long as its use is controlled and monitored. While it's no longer the latest technology, an IM system still requires careful management to be a productive tool and not an attacker's weapon.
This was first published in January 2014