Brace yourselves for the IM-plosion
TRANSCRIPT
Like it or not, instant messaging (IM) technology is infiltrating
most companies. Its effects on the security of confidential data
are potentially explosive.
The market for corporate instant messaging systems in
Western Europe will treble from $29 million to $109 million in
the next four years, says the Radicati Group, a market analysis
firm that specialises in the messaging and collaboration industry.
Radicati expects the European market to overtake the present
leader, North America, in 2006 as vendors seek to expand the
market.
The giant awakes
Once described as the sleeping giant of the internet by analyst firm
Gartner, the IM market is waking up. First in the US and now in
Europe, the number of messages sent via IM is set to outstrip
email.
Growth has been hampered by ad-hoc deployment in many
enterprises. In addition, AOL and Yahoo recently withdrew from
the enterprise market because they found it hard to make money
there. Nonetheless, uptake from smaller firms and by individuals
has been steady.
Adrian Davis, senior project manager at the Information Security
Forum (ISF), believes companies are adopting IM for many reasons,
chiefly its ease of use and the fact that many users are already
familiar with the technology.
Online betting company Betfair uses IM for 300 users who send
and receive some 20,000 messages per day. Rorie Devine,
Betfair’s infrastructure director, says "IM provides real-time
collaborative communication, which is vital in a fast-moving
business like ours. It's less formal than email, and more cost-
effective than phone conferencing."
From mutt to Crufts
Betfair has deployed IMlogic's IM Manager, a fully-featured EIM
product, but employees at many companies have installed IM
software from free downloads after finding the technology useful
at home.
While instant messaging is the primary application, the security
features available from the different clients and servers vary wildly, and
improvements in the enterprise offerings are ongoing.
FaceTime, an IM vendor, found in July this year that more than
50% of financial institutions questioned use IM, but 46% didn't
know which staff are using it, who they are corresponding with, or
what they are saying. Nearly two-thirds allow employees to use free
consumer IM services such as those provided by MSN and ICQ.
This mixture of EIM and free IM is tricky to manage. While
security breaches from using IM are not headline news and the
profile remains low, some firms are turning a blind eye to potential
problems.
Davis says it is hard to tell how many companies have a default
policy. "Our research indicates that one in five organisations
has unofficial IM use," he says. "People are using services such as
AOL Instant Messenger either because their organisation does not
allow or provide an IM system or in addition to company-provided
IM systems."
Risks vary with use
A policy for IM use is essential, Davis says. The critical factors to
consider are:
• Limitations in security functionality, such as weak
authentication, limited encryption, inadequate logging facilities
• Inherent weaknesses in IM infrastructure, such as by-pass of
gateway controls, new routes for malware, reductions in
bandwidth
• Poor management and user awareness of the type and extent of
IM use, including unauthorised transfer of information
Infosecurity Today, November/December 2004
By William Knight
As Instant Messaging technology threatens to explode into the corporation, security managers need to brace themselves with stronger policies, better user training and greater alertness.
[Photo caption: Radicati's Coham: SPIM the new spam]
[Photo caption: Betfair's Devine: IM vital]
"This is a frightening list and companies must tailor their IM
policy depending on the features they wish to use," says Davis.
Many analysts suggest firms restrict the use of IM to within the
enterprise, enable local message routing, and forbid links to
external IM providers. This strategy keeps the IM product behind
the corporate firewall and maintains the perimeter defences.
Unfortunately this approach is hard to police. Carly Stevenson,
Unipalm’s eBusiness product manager, suggests that where staff
access the internet they will also use IM. "The chances are they are
using IM," she says, "as it can travel across port 80 undetected into
your network. Files may be transferred without any surveillance,
URLs and sensitive content may be sent via IM, there is no logging
or archiving, no content filtering and there are no communication
boundaries."
Davis provides a clue for one of the routes IM takes when
colonising the enterprise. "Students are often a big driver of IM
use, both during vacation jobs and when they join after
graduation."
The answer is to recognise the risks, and manage them. At
Betfair, security is driven by policy. Although the company uses
internet chat, conferencing and even links to external providers
when required, it disables file transfers. This closes the route most
malware will take when invading a network.
An IM usage policy, Devine says, "is as important as any use of
company infrastructure such as Internet access and telephones."
Betfair's policy mandates no file transfers, IMs routed
internally for purely internal conversations, Active Directory
authentication, and an audit trail of all IMs, he says.
ISF suggests a process for defining and implementing an IM
policy. It starts with an initial risk assessment based on intended
use. "Risks will vary from enterprise to enterprise," Davis says.
"All enterprises should draw up a list of risks as the enterprise
perceives them." (See Box: Generic risks of IM.)
Policy in a SPIM
Where email has been before, so goes IM. SPIM is the IM
equivalent of email's spam. It is a problem in the US and set to
grow in Europe. Jonathan Coham, analyst and UK manager at
Radicati, is resigned to it. "It is an inevitable source of revenue for
advertising companies," he says. "It's part and parcel of the
increased use of IM."
But SPIM is another vehicle to exploit vulnerabilities.
Microsoft’s MSN Chat-Control contained an unchecked buffer;
this could allow remote code execution until it was patched in May
2002. A similar buffer overflow was discovered in Yahoo's product
in December 2003.
As with any other software, coding faults beset IM clients, and
regular upgrades are essential. But SPIM is just one of a number of
risks for which companies must take extra security steps. IM is not
safe to use straight out of the box, as ISF explains. "There are
limitations in the security functionality provided by most Instant
Messaging applications. These include poor identity management,
weak user authentication, inadequate logging facilities and limited
encryption."
The idea that IM is a tool for managing social engagements
rather than a serious business application is fading. The immediate
future promises to be interesting as the security implications are
better understood and battle commences with malware writers,
time wasters and regulation. Geoff Haggart, vice president of
Europe at Websense, an IM management software vendor,
illustrates the balance to be found. "While IM may increase
productivity, it's important also to recognise and manage
effectively the inherent risks that accompany this rapidly growing
form of employee communications."
Links: http://www.securityforum.org
William Knight is a technology writer with 18 years' experience
in software development and IT consulting. He writes for titles
that include Computing, JavaPro and Gantthead.com.
Box: Generic risks of IM
Commercial: The possibility of release of confidential or sensitive data,
entering into contracts unwittingly, time wasted through gossip.
Reputation: The possibility of release or transfer of illegal, immoral or offensive material.
Technological: The possibility of SPIM (unsolicited advertising messages), virus attack or network unavailability.
Legal/Compliance: The breach of regulatory or legal requirements.