Instant messaging is not just for teenage gossiping anymore. Businesses are finding the ease of use and immediacy of IM very intriguing. Yet the security risks of instant messaging are something every enterprise should consider.
Earlier this year, a vulnerability was found in America Online's Instant Messenger product that could potentially allow an attacker to gain control of systems running AIM. IM poses several risks, from letting viruses in to leaving computers open to attackers. Mitigating such risks requires both the tweaking of technology and responsible behavior on the part of users, said Chris Rouland, director of Internet Security Systems' (ISS) research team.
For some, the "need to track, record or backup communications as well as e-mail them becomes a logistical nightmare and costs well beyond what small benefits it may or may not create," said Dale Jackaman, director of information technology systems at Vancouver-based BC Research Inc.
Yet, it's not hard to see the business benefits of IM. It's more immediate than e-mail, but not as intrusive as telephoning. Other features, like support for videoconferencing and collaboration, help bring workers in different locations together.
"Since more than half of our work is away from our primary work location, either because we are on a client location or traveling/working at another site, we rely on it (IM) to keep in touch," said Don Baldwin, managing director at Auldenfire Sweden in Stockholm.
What are the risks of allowing IM?
Many of the security risks of IM can be traced back to its origins as a consumer product. The focus of the product was on rich features and ease-of-use rather than on security and privacy.
For example, a few of the IM clients have experienced buffer overflow vulnerabilities, a common fault in network-attached software, said Rouland, director of Atlanta-based Internet Security Systems' X-Force security research team. Buffer overflow flaws could allow someone to gain control of a computer, he said.
Another IM danger is that every time a message is sent, the sender's IP address is exposed. Showing such information can be particularly dangerous for people accessing their business systems using a VPN. With the IP address, an attacker then may use a person's home PC to attack their company's systems, Rouland said.
Perhaps the most apparent security risk to IM is the file transfer utility. Unless a business's firewall is configured correctly, users could receive worms and viruses without being detected by the gateway firewall, intrusion-detection system (IDS) or antivirus systems.
The integrity of messages sent should be another concern for companies. On one hand, users can write whatever they want, because IM software doesn't keep logs the way e-mail systems do. Yet it's not hard for an attacker to intercept messages being sent, Rouland said.
How can they be addressed?
Perhaps the surest way to address security concerns is banning IM outright. Some companies block the necessary ports for IM in the firewall. In addition to blocking IM at the firewall, companies can disable IM capabilities at the particularly sensitive workstations and desktops.
At a minimum, companies need to block file transfers and gaming capabilities at the firewall, Rouland said. Other features such as videoconferencing and online collaboration on such things as PowerPoint should also be curtailed. Users should also be instructed to deny messages from people they don't know.
Not publishing corporate e-mail addresses is another worthwhile strategy, Rouland said. Some IM services allow users to search for IM names by e-mail address. Users should also limit their messaging to only people they know.
Rouland also suggests looking into some freeware IM clients that encrypt messages. Ironically, some of the IM providers have blocked such systems, he said.
Installing personal IDS and firewalls at desktops is another method of improving the security of instant messaging. "If you do these things then you'd be more secure than 99% of the people out there," Rouland said.
IT managers may think of IM as a nuisance, but eventually the technology will probably become as ubiquitous as e-mail, said Hitesh Seth, chief technology evangelist at Silverline Technologies, a Piscataway, N.J.-based e-business and integration services firm. IM will likely see a similar evolution to the one e-mail went through, he said.
Initially, e-mail was popular with users. Then, IT infrastructure caught up with Microsoft Exchange, Eudora and other company-wide e-mail systems, Seth said.
Seth suggests security-conscious companies should look into IM products that can run on their private networks. Microsoft offers one as an add-on to Exchange 2000. There are similar offerings for Sun Microsystems' iPlanet product, and there is Jabber, an open source IM system.
Installing such products provides the benefits of IM while minimizing the exposure to the Internet. Such products also limit with whom users can communicate and can provide logs of usage. This helps with security but also keeps users from messaging their friends all day.
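The two recommendations above, blocking public IM services at the firewall and allowing only an in-house IM server, are easy to state but need checking in practice. The following script is an added example, not code from the article or from ISS; it audits constructed firewall log lines against that policy and flags connections to public IM services that the firewall let through. The port numbers are the well-known listening ports of those services as documented for their protocols (they do not appear in the article), the internal server address 10.20.0.25 and the log format are assumptions, and the log lines themselves are constructed. One caveat worth knowing: some public IM clients fall back to port 80 or 443 when their native port is blocked, so a port-based check like this finds the obvious cases only and should be paired with the desktop-level controls the article mentions.

```python
"""Audit outbound firewall log records against an IM policy.

Policy (from the article): public IM services are blocked at the
firewall; IM is permitted only to the company's own server on the
private network.
"""
import re
from collections import Counter

# Well-known server ports of the public IM services named in the article.
# Assumption: taken from the services' protocol documentation, not the article.
PUBLIC_IM_PORTS = {
    5190: "AIM (OSCAR)",
    1863: "MSN Messenger",
    5050: "Yahoo Messenger",
    5222: "Jabber/XMPP",
}

# Hypothetical in-house Jabber server on the private network (assumption).
INTERNAL_IM_SERVER = "10.20.0.25"

# Constructed log format: "<time> <src_ip> <dst_ip> <dst_port> <proto> <action>"
LOG_LINE = re.compile(
    r"^(?P<time>\S+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+"
    r"(?P<dport>\d+)\s+(?P<proto>tcp|udp)\s+(?P<action>accept|drop)$"
)

# Constructed sample records; destination addresses use documentation ranges.
LOG_LINES = [
    "2002-06-03T09:12:01 10.20.1.15 192.0.2.10 5190 tcp accept",    # AIM let through
    "2002-06-03T09:12:07 10.20.1.22 203.0.113.20 1863 tcp drop",    # MSN blocked
    "2002-06-03T09:13:40 10.20.1.15 10.20.0.25 5222 tcp accept",    # internal Jabber
    "2002-06-03T09:14:02 10.20.1.31 192.0.2.44 5222 tcp accept",    # external Jabber
    "2002-06-03T09:15:11 10.20.1.22 198.51.100.9 443 tcp accept",   # ordinary HTTPS
    "this line is not a firewall record",
]


def classify(line):
    """Return a verdict dict for one log record, or None if unparseable."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    dport = int(m["dport"])
    record = {"src": m["src"], "dst": m["dst"], "dport": dport}
    service = PUBLIC_IM_PORTS.get(dport)
    if service is None:
        record.update(verdict="ok", reason="not an IM port")
    elif m["dst"] == INTERNAL_IM_SERVER and dport == 5222:
        # Only the company's own Jabber server is permitted IM traffic.
        record.update(verdict="ok", reason="internal Jabber server")
    elif m["action"] == "drop":
        # The firewall enforced the ban; worth counting as evidence of attempts.
        record.update(verdict="blocked", reason=f"{service} blocked at firewall")
    else:
        # Accepted connection to a public IM service: policy gap to investigate.
        record.update(verdict="violation", reason=f"{service} connection accepted")
    return record


def audit(lines):
    """Classify every record and summarise verdict counts."""
    results = [r for r in map(classify, lines) if r is not None]
    summary = Counter(r["verdict"] for r in results)
    return results, summary


if __name__ == "__main__":
    results, summary = audit(LOG_LINES)
    for r in results:
        print(f'{r["verdict"]:9} {r["src"]} -> {r["dst"]}:{r["dport"]}  ({r["reason"]})')
    print("summary:", dict(summary))
```

Run as a script it prints one verdict per record and a count of violations, blocked attempts and permitted connections; the "violation" rows are the ones that indicate the firewall rule set does not yet match the stated policy.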