Brace yourselves for the IM-plosion

William Knight

Infosecurity Today, November/December 2004, Technology section, pp. 30-31

As Instant Messaging technology threatens to explode into the corporation, security managers need to brace themselves with stronger policies, better user training and greater alertness.

Like it or not, instant messaging (IM) technology is infiltrating most companies. Its effects on the security of confidential data are potentially explosive.

The market for corporate instant messaging systems in Western Europe will treble from $29 million to $109 million in the next four years, says the Radicati Group, a market analysis firm that specialises in the messaging and collaboration industry. Radicati expect the European market to overtake the present leader, North America, in 2006 as vendors seek to expand the market.

The giant awakes

Once described as the sleeping giant of the internet by analyst firm Gartner, the IM market is waking up. First in the US and now in Europe, the number of messages sent via IM is set to outstrip email.

Growth has been hampered by ad-hoc deployment in many enterprises. In addition, AOL and Yahoo recently withdrew from the enterprise market because they found it hard to make money there. Nonetheless, uptake by smaller firms and by individuals has been steady.

Adrian Davis, senior project manager at the Information Security Forum (ISF), believes companies are adopting IM because it is easy to use and because many users are already familiar with the technology.

Online betting company Betfair uses IM for 300 users, who between them send and receive some 20,000 messages per day. Rorie Devine, Betfair's infrastructure director, says: "IM provides real-time collaborative communication, which is vital in a fast-moving business like ours. It's less formal than email, and more cost-effective than phone conferencing."

From mutt to Crufts

Betfair has deployed IMlogic's IM Manager, a fully-featured enterprise instant messaging (EIM) product, but employees at many companies have installed IM software from free downloads after finding the technology useful at home.

While instant messaging is the primary application, the security features available from the different clients and servers vary wildly, and improvements in the enterprise offerings are ongoing.

FaceTime, an IM vendor, found in July this year that more than 50% of financial institutions questioned use IM, but 46% didn't know which staff are using it, who they are corresponding with, or what they are saying. Nearly two-thirds allow employees to use free consumer IM services such as those provided by MSN and ICQ.

This mixture of EIM and free IM is tricky to manage. While security breaches from using IM are not headline news and the profile remains low, some firms are turning a blind eye to potential problems.

Davis says it is hard to tell how many companies have a default policy. "Our research indicates that one in five organisations has unofficial IM use," he says. "People are using services such as AOL Instant Messenger either because their organisation does not allow or provide an IM system or in addition to company-provided IM systems."

Risks vary with use

A policy for IM use is essential, Davis says. The critical factors to consider are:

• Limitations in security functionality, such as weak authentication, limited encryption and inadequate logging facilities


• Inherent weaknesses in IM infrastructure, such as bypass of gateway controls, new routes for malware and reductions in available bandwidth
• Poor management and user awareness of the type and extent of IM use, including unauthorised transfer of information

"This is a frightening list and companies must tailor their IM policy depending on the features they wish to use," says Davis.

Many analysts suggest firms restrict the use of IM to within the enterprise, enable local message routing, and forbid links to external IM providers. This strategy keeps the IM product behind the corporate firewall and maintains the perimeter defences.

Unfortunately this approach is hard to police. Carly Stevenson, Unipalm's eBusiness product manager, suggests that where staff have access to the internet they will also use IM. "The chances are they are using IM," she says, "as it can travel across port 80 undetected into your network. Files may be transferred without any surveillance, URLs and sensitive content may be sent via IM, there is no logging or archiving, no content filtering and there are no communication boundaries."

Davis provides a clue to one of the routes IM takes when colonising the enterprise. "Students are often a big driver of IM use, both during vacation jobs and when they join after graduation."

The answer is to recognise the risks, and manage them. At Betfair, security is driven by policy. Although the company uses internet chat, conferencing and even links to external providers when required, it disables file transfers. This closes the route most malware will take when invading a network.

An IM usage policy, Devine says, "is as important as any use of company infrastructure such as Internet access and telephones." Betfair's policy mandates no file transfers, IMs routed internally for purely internal conversations, Active Directory authentication, and an audit trail of all IMs, he says.
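Both of the operational problems raised above, Stevenson's point that consumer IM slips through on port 80 where nobody is looking, and Betfair's rule that file transfers are never allowed, come down to the same thing: a gateway has to recognise the IM protocol on the wire before it can log it or block it. The following is an added example written for this article, not code from Betfair, IMlogic, Unipalm or ISF. It classifies the opening bytes of a port-80 flow by the signatures of the three consumer protocols the article names (MSN Messenger's MSNP, which the official client tunnels inside HTTP POSTs to a gateway when its usual port is blocked; Yahoo's YMSG; and AOL/ICQ's OSCAR) and then applies a Betfair-style policy. The sample payloads are constructed, the policy labels are this example's own, and the header names used in the MSNP file-transfer check follow the legacy MSNP invitation format as an assumption, so check them against a capture from your own network before relying on them.

```python
"""Spot consumer IM riding on TCP/80 and apply a Betfair-style policy to it.

Added example for this article, not code from Betfair, IMlogic, Unipalm or ISF.
Assumes each payload is the opening data a client sends on a port-80 flow.
Signatures: MSNP (commands such as "VER 1 MSNP8", tunnelled in HTTP POSTs to a
gateway when TCP/1863 is blocked), YMSG (frames begin with the magic "YMSG")
and OSCAR (FLAP frames begin with 0x2A). The file-transfer check looks for the
legacy MSNP invitation (MSG carrying text/x-msmsgsinvite with
"Application-Name: File Transfer"); treat those header names as an assumption.
Every sample payload below is constructed for the demonstration.
"""
import re
import struct
from dataclasses import dataclass

MSNP_COMMANDS = {b"VER", b"CVR", b"USR", b"XFR", b"MSG", b"CAL", b"JOI",
                 b"ANS", b"CHG", b"SYN", b"PNG"}
HTTP_REQUEST = re.compile(rb"^(?:GET|POST|PUT|HEAD) \S+ HTTP/1\.[01]\r\n")


@dataclass
class Verdict:
    protocol: str        # "msnp", "ymsg", "oscar" or "none"
    file_transfer: bool  # payload carries a file-transfer invitation
    detail: str          # reason, suitable for the audit trail


def _strip_http(payload: bytes) -> bytes:
    """Return the body if the payload is an HTTP request, else the payload itself."""
    if HTTP_REQUEST.match(payload):
        return payload.partition(b"\r\n\r\n")[2]
    return payload


def _is_msnp(data: bytes) -> bool:
    # MSNP commands are three upper-case letters followed by at least one argument
    fields = data.split(b"\r\n", 1)[0].split(b" ")
    return len(fields) >= 2 and fields[0] in MSNP_COMMANDS


def _is_msnp_file_transfer(data: bytes) -> bool:
    return (b"Content-Type: text/x-msmsgsinvite" in data
            and re.search(rb"Application-Name:\s*File Transfer", data) is not None
            and b"Invitation-Command: INVITE" in data)


def _is_ymsg(data: bytes) -> bool:
    # 20-byte header: magic, version, pad, body length, service, status, session id
    if len(data) < 20 or data[:4] != b"YMSG":
        return False
    body_len = struct.unpack(">4sHHHHII", data[:20])[3]
    return len(data) - 20 == body_len


def _is_oscar(data: bytes) -> bool:
    # FLAP frame: 0x2A, channel 1-5, 16-bit sequence, 16-bit data length
    if len(data) < 6 or data[0] != 0x2A or not 1 <= data[1] <= 5:
        return False
    return len(data) - 6 == struct.unpack(">H", data[4:6])[0]


def inspect_payload(payload: bytes) -> Verdict:
    """Classify one port-80 payload; HTTP-tunnelled MSNP is unwrapped first."""
    via = " via HTTP gateway" if HTTP_REQUEST.match(payload) else ""
    data = _strip_http(payload)
    if _is_msnp(data):
        if _is_msnp_file_transfer(data):
            return Verdict("msnp", True, "MSNP file-transfer invitation" + via)
        return Verdict("msnp", False, "MSNP command " + data[:3].decode() + via)
    if _is_ymsg(data):
        return Verdict("ymsg", False, "YMSG frame")
    if _is_oscar(data):
        return Verdict("oscar", False, "OSCAR FLAP frame")
    return Verdict("none", False, "no IM signature")


def policy_action(verdict: Verdict, allow_external_im: bool = False) -> str:
    """Betfair-style rules: no file transfers ever; consumer IM only if allowed, then audited."""
    if verdict.file_transfer:
        return "block-file-transfer"
    if verdict.protocol != "none":
        return "allow-and-audit" if allow_external_im else "block-consumer-im"
    return "allow"


_YMSG_BODY = b"1\xc0\x80alice\xc0\x80"  # key 1 (user name) = alice
_MSNP_INVITE = (b"MSG 4 N 215\r\nMIME-Version: 1.0\r\n"
                b"Content-Type: text/x-msmsgsinvite; charset=UTF-8\r\n\r\n"
                b"Application-Name: File Transfer\r\nInvitation-Command: INVITE\r\n"
                b"Invitation-Cookie: 2483\r\nApplication-File: payroll.xls\r\n"
                b"Application-FileSize: 20480\r\n")
_GATEWAY_POST = (b"POST /gateway/gateway.dll?Action=open&Server=NS&IP=messenger.hotmail.com HTTP/1.1\r\n"
                 b"Host: gateway.messenger.hotmail.com\r\n\r\n")

SAMPLES = {  # constructed payloads, not captured traffic
    "plain_http": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "msnp_over_http": _GATEWAY_POST + b"VER 1 MSNP8 MSNP7 CVR0\r\n",
    "msnp_file_transfer": _GATEWAY_POST + _MSNP_INVITE,
    "ymsg": struct.pack(">4sHHHHII", b"YMSG", 11, 0, len(_YMSG_BODY), 6, 0, 1) + _YMSG_BODY,
    "oscar_flap": b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01",
}


def scan(samples: dict, allow_external_im: bool = False) -> dict:
    """Map sample name -> (protocol, file_transfer, action) for a whole batch."""
    out = {}
    for name, payload in samples.items():
        v = inspect_payload(payload)
        out[name] = (v.protocol, v.file_transfer, policy_action(v, allow_external_im))
    return out


if __name__ == "__main__":
    for name, result in scan(SAMPLES, allow_external_im=True).items():
        print(f"{name:20s} {result}")
```

Run stand-alone it prints one line per sample. The point to note is that the plain GET and the MSNP login POST look identical to a port-based firewall rule; only the body tells them apart, which is why a logging-and-filtering gateway in the path, rather than a port block, is what Betfair's "audit trail of all IMs" requires. A production gateway would also have to reassemble the stream and handle the later, SLP-based MSN file-transfer negotiation, which this example does not attempt.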

ISF suggests a process for defining and implementing an IM policy. It starts with an initial risk assessment based on intended use. "Risks will vary from enterprise to enterprise," Davis says. "All enterprises should draw up a list of risks as the enterprise perceives them." (See box: Generic risks of IM.)

Policy in a SPIM

Where email has been before, so goes IM. SPIM is the IM equivalent of email's spam. It is a problem in the US and set to grow in Europe. Jonathan Coham, analyst and UK manager at Radicati, is resigned to it. "It is an inevitable source of revenue for advertising companies," he says. "It's part and parcel of the increased use of IM."

But SPIM is also a delivery vehicle for attacks on client vulnerabilities: an unsolicited message can carry a link or crafted content that triggers a bug in the recipient's client. Microsoft's MSN Chat control contained an unchecked buffer that could allow remote code execution until it was patched in May 2002. A similar buffer overflow was discovered in Yahoo's client in December 2003.

As with any other software, coding faults beset IM clients, and regular upgrades are essential. But SPIM is just one of a number of risks for which companies must take extra security steps. IM is not safe to use straight out of the box, as ISF explains: "There are limitations in the security functionality provided by most Instant Messaging applications. These include poor identity management, weak user authentication, inadequate logging facilities and limited encryption."

The idea that IM is a tool for managing social engagements rather than a serious business application is fading. The immediate future promises to be interesting as the security implications are better understood and battle commences with malware writers, time wasters and regulation. Geoff Haggart, vice president of Europe at Websense, an IM management software vendor, illustrates the balance to be found. "While IM may increase productivity, it's important also to recognise and manage effectively the inherent risks that accompany this rapidly growing form of employee communications."

Links: http://www.securityforum.org

William Knight is a technology writer with 18 years' experience in software development and IT consulting. He writes for titles that include Computing, JavaPro and Gantthead.com.

Box: Generic risks of IM

Commercial: the possibility of release of confidential or sensitive data, entering into contracts unwittingly, time wasted through gossip.
Reputation: the possibility of release or transfer of illegal, immoral or offensive material.
Technological: the possibility of SPIM (unsolicited advertising messages), virus attack or network unavailability.
Legal/Compliance: the breach of regulatory or legal requirements.
