Whether companies like it or not, instant messaging has entered the enterprise.
Companies often tolerate IM, especially if executives enjoy keeping in touch with their kids using it. But allowing commercial instant messaging programs through the gateway may be putting enterprise systems at risk of virus infection or outside attack.
IM's mission is getting messages to people, and that often conflicts with security. For example, some IM clients transmit messages as Web traffic. This lets the products get through a firewall that already permits outbound Web traffic, but it also means the firewall provides no protection against them: the IM session is just another HTTP connection as far as the firewall can tell.
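As an added example that is not part of the original article, the following Python script scans constructed Squid-style proxy log lines for IM sessions hiding inside Web traffic: tunnelled CONNECT requests to a native IM port, or plain HTTP requests to an IM gateway host. The log layout, the gateway hostnames and the port numbers in the indicator lists are assumptions for the example; adjust them to your own proxy and to the services you actually see.

```python
# Added example: flag instant-messaging traffic that hides inside Web traffic.
# The log format (Squid-style access log) and the indicator lists are assumptions
# for this example, not an authoritative catalogue of IM services.
import re
from collections import defaultdict

# Well-known native IM ports (assumed values; check your vendor's documentation).
IM_PORTS = {5190: "AIM/ICQ", 1863: "MSN Messenger", 5050: "Yahoo Messenger"}

# Hostname suffixes used by the assumed IM clients when they tunnel over HTTP.
# Constructed indicator list for the example.
IM_HOST_HINTS = {
    "oscar.aol.com": "AIM",
    "messenger.hotmail.com": "MSN Messenger",
    "messenger.yahoo.com": "Yahoo Messenger",
}

# Squid access.log layout: ts elapsed client action/code bytes method url ident hier/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)


def classify(line):
    """Return (client, service, reason) if the line looks like IM over HTTP, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, url = m.group("client"), m.group("method"), m.group("url")
    if method == "CONNECT":
        # CONNECT host:port tunnels arbitrary TCP through the proxy; an IM port is a giveaway.
        host, _, port = url.rpartition(":")
        if port.isdigit() and int(port) in IM_PORTS:
            return client, IM_PORTS[int(port)], f"CONNECT to IM port {port}"
    else:
        # Ordinary request: pull the host out of the URL and check it against the hints.
        host = re.sub(r"^\w+://", "", url).split("/")[0].split(":")[0]
    for hint, service in IM_HOST_HINTS.items():
        if host.endswith(hint):
            return client, service, f"{method} to IM gateway {host}"
    return None


def scan(lines):
    """Group IM-over-HTTP hits per client address so it is clear who is using what."""
    hits = defaultdict(list)
    for line in lines:
        result = classify(line)
        if result:
            client, service, reason = result
            hits[client].append((service, reason))
    return dict(hits)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
1012345678.123 45 10.1.2.3 TCP_MISS/200 1234 GET http://www.example.com/index.html - DIRECT/192.0.2.1 text/html
1012345680.789 30 10.1.2.7 TCP_TUNNEL/200 9876 CONNECT login.oscar.aol.com:5190 - DIRECT/192.0.2.3 -
1012345681.001 60 10.1.2.9 TCP_MISS/200 2048 POST http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open - DIRECT/192.0.2.4 application/x-msn-messenger
""".splitlines()

if __name__ == "__main__":
    for client, events in scan(SAMPLE_LOG).items():
        for service, reason in events:
            print(f"{client}: {service} ({reason})")
```

The point of grouping by client address is that the proxy log is usually the only place the tunnelled session is visible at all; a port-based firewall rule never sees it.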
This week the security research group w00w00 issued a warning about a buffer overflow vulnerability in AOL's Instant Messenger that could allow an attacker to run code on a victim's system by sending the user an overly long "add external application" command.
Companies that want to use IM should take such advisories as a prompt to examine all their options and to become familiar with the security issues affecting their choice, said Chris Rouland, director of Atlanta-based Internet Security Systems' X-Force security research team. Rouland said there are a few general security concerns about IM that users should think about:
Exposing the IP address
IM clients can expose a user's IP (Internet Protocol) address to outsiders. That can be damaging information, especially if it identifies an individual, because it hands an attacker a specific machine to probe, Rouland said.
Attackers are beginning to target corporate users who remotely access systems from home. It is often easier to attack a company that way than through its front door: an attacker who compromises a remote user's home machine can then use that machine's VPN connection to reach the company's systems.
Most IM clients allow users to exchange files. Such functionality may be handy, but it completely circumvents a company's defenses. Most companies have e-mail-based antivirus software scanning messages, but that protection does not extend to IM file transfers.
A virus, W32/Hello, spread through Microsoft's .NET Messenger clients in this fashion. It did not spread far and did little damage, because a user had to accept the download of a file (Hello.exe) and then manually open it. Once run, the virus sent itself to the names in the user's Messenger contact list.
Rouland predicts that IM providers may someday include virus scanners, much as Web e-mail providers such as Yahoo and Hotmail do.
Hackers' innovative use of IM
Users need to be aware that attackers often use IM to communicate with one another. They also use it to control systems on which they have installed backdoors.
Additionally, messages sent via most IM clients travel in clear text, so they can be intercepted and read by anyone able to capture the traffic, Rouland said. Such a lapse may play into corporate espionage or other misuse of that information.
Mitigating the risks
If a company still decides it wants to use IM from a particular vendor, there are some things that can be done to minimize the risks.
Setting the client to accept messages only from users on a selected list (the buddy list) is one step that reduces the risk. However, attacks can still be mounted from a friend's IM name, much as a user is more likely to open an unexpected e-mail attachment if it comes from a known address; W32/Hello sent itself to everyone on an infected user's contact list for exactly that reason.
Another step is disabling file-transfer capabilities on the IM client. This protects the system from viruses delivered as files and also insulates the user from the social engineering an IM attack may use: a busy or distracted user may accidentally allow a transfer.
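The buddy-list and file-transfer controls described above can be enforced centrally instead of trusting each user to click the right button. The following Python block is an added example, not code from the article or from any IM vendor: it applies a policy to constructed file-transfer offers and goes one step beyond the text by also inspecting the file header, because the W32/Hello case shows that a trusted sender name is not enough. The offer structure, the deny-list and the sample offers are assumptions made for the example.

```python
# Added example: policy check for an incoming IM file-transfer offer, applied
# before the user ever sees an "accept" prompt. The offer structure, deny-list
# and sample offers are constructed for the example, not any vendor's API.
from dataclasses import dataclass

# Extensions Windows will execute directly; a constructed, deliberately short list.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}

# Magic bytes of a Windows PE executable ("MZ"); checked regardless of the name.
PE_MAGIC = b"MZ"


@dataclass
class TransferOffer:
    sender: str      # IM screen name offering the file
    filename: str
    head: bytes      # first bytes of the file, as sent ahead of the body


def decide(offer, buddies, allow_transfers=True):
    """Return ("allow" | "block", reason) for an incoming file-transfer offer."""
    if not allow_transfers:
        # The article's strongest mitigation: no transfers at all.
        return "block", "file transfers disabled by policy"
    if offer.sender not in buddies:
        # Buddy-list restriction: unknown senders never get through.
        return "block", f"sender {offer.sender} not on buddy list"
    name = offer.filename.lower()
    # Strip trailing spaces and dots, which Windows drops when opening the file
    # (so "Hello.exe  " still runs), then take the last extension.
    base = name.rstrip(" .")
    ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
    if ext in EXECUTABLE_EXTS:
        return "block", f"executable extension {ext}"
    if offer.head.startswith(PE_MAGIC):
        # A friend's account can be the source (W32/Hello spread via contact lists),
        # so content is checked even when sender and name look benign.
        return "block", "PE header found despite non-executable name"
    return "allow", "no policy match"


BUDDIES = {"alice", "bob"}

# Constructed offers, not real samples.
OFFERS = [
    TransferOffer("alice", "quarterly_numbers.xls", b"\xd0\xcf\x11\xe0"),
    TransferOffer("alice", "Hello.exe", b"MZ\x90\x00"),
    TransferOffer("bob", "holiday.jpg", b"MZ\x90\x00"),   # renamed executable
    TransferOffer("mallory", "notes.txt", b"hello"),
]

if __name__ == "__main__":
    for offer in OFFERS:
        verdict, why = decide(offer, BUDDIES)
        print(f"{offer.sender:8} {offer.filename:22} {verdict:5} {why}")
```

Ordering matters: the cheapest and most restrictive checks (transfers disabled, sender not on the list) run first, and the content check is last because it is the only one that survives a compromised friend's account.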
There are alternatives to the free, widely distributed IM clients such as AOL's Instant Messenger, MSN and ICQ.
For example, Sametime is the enterprise instant messaging product from IBM's Lotus Software division. Sametime, which includes client software, a server and developer tools, permits secure intracompany communications via text messaging or audio and video conferencing.
These solutions provide IM functionality on internal networks, said Hitesh Seth, chief technology evangelist at Silverline Technologies, a Piscataway, N.J.-based e-business and integration services firm.
These products offer the ability to log transmissions, which is valuable in a business setting. Messages can be encrypted. Additionally, companies could curtail non-work-related use of IM by allowing users to communicate only with co-workers. However, securely bridging the gap between internal and external IM still isn't quite there, Seth said.
Echoing those sentiments, Rouland recommends that companies set up IM for work groups on internal networks rather than relying on the Internet. Yet he concedes that the value of the major commercial IM programs "is that everybody uses them."
If using internal IM isn't possible, there are still ways to make IM less risky. Installing personal firewalls and intrusion-detection software on each desktop that uses IM minimizes many of the associated risks, though a personal firewall that permits outbound Web traffic will not stop a client that tunnels its messages over HTTP; the rule has to target the IM application itself rather than a port.
Seth doesn't see the use of IM in the enterprise as a particular problem. The technology is following the same path as e-mail: originally, users relied on free e-mail providers such as Hotmail; over time, companies realized the utility of e-mail and provided accounts to employees. Corporate e-mail accounts meant more security, and corporate adoption of IM solutions will do the same.