Instant Messaging Opens New Security Holes

Instant messaging has become the latest employee productivity tool. A customer-service representative can use it as a quick and easy way to answer an inquiry, whereas a salesperson can inform a busy vice president about a new account. In fact, research firm Gartner estimates 70 percent of corporate employees rely on instant messaging while at work.

However, while it delivers noteworthy benefits, including ease of use and instantaneous communication, instant messaging also represents a significant security risk. “Proper security checks are usually the last item added to a new technology, and that has been the case with instant messaging,” noted Pete Lindstrom, research director at Spire Security, a security consulting company.

Companies are having trouble securing instant messaging systems for several reasons, starting with the ease with which employees can deploy this software. Suppliers, including America Online, Microsoft and Yahoo, originally developed instant-messaging software to expand their consumer services, and teenagers, who liked the convenience it offered, quickly adopted it. As business executives started to understand IM’s advantages, they also began downloading vendors’ free instant-messaging software.

“Since the IT department does not have control over each employee’s desktop, it often dramatically underestimates the number of workers who are using instant messaging — sometimes by 100 percent or more,” said David Ferris, president of Ferris Research, which focuses on messaging issues.

Don’t Panic

Panic is a typical response to the full disclosure of IM penetration in the enterprise. Once it understands how many people are using instant messaging, the IT department often tries to cut off IM use throughout the corporation. This is not only technically challenging, but also counterproductive. Such a move robs users of instant messaging’s benefits and can create friction between business and IT departments.

Instead, the IT department should try to deal with the technical challenges of instant messaging, which stem from the technology’s design and simplicity. Indeed, because instant-messaging client programs are small and easy to use, IT departments may dismiss them as incapable of causing noteworthy damage. However, these products are capable of carrying malicious code. Virus activation can be quite simple, with users serving as the weak link in the security chain. By automatically clicking on links sent by acquaintances, they can inadvertently install rogue programs.

In February, for example, an instant message dubbed “Osama Found” started making the rounds among networked computers. Since the message appeared to come from friends on their buddy lists, users clicked on the URL for more information. The message was not from their friends and instead whisked them away to an advertisement for a computer game. Although it was not malicious code (it didn’t destroy anything), “Osama Found” demonstrated that instant messaging can be used to download viruses.

Not Like E-Mail

Also, while some security personnel may view instant messaging simply as an extension of electronic mail systems, it is a distinct product with an antithetical design. E-mail systems were built in a consistent manner, allowing IT managers to select certain locations (usually the firewall) on their networks, identify all incoming e-mail messages and then determine how to process them, sometimes blocking those that might be malicious or inappropriate. These network clearing points also allow companies to monitor when information is sent, create a record of its journey and retrace the steps of each transaction.

Instant messaging systems, by contrast, use a Web-services, or peer-to-peer, design. Transactions are established dynamically, so there is no central location that can stop all traffic and make sure it is not carrying any malicious code.

Encryption is another area in which instant-messaging systems can be weak. When any connection is made, two things need to be encrypted: authentication credentials, such as a password, and the data to be transported. Because instant messaging systems are proprietary, there are no universal encryption standards for them. As a result, if two different systems are connected, they default to the lowest common denominator, which usually is no encryption.

Although there is no quick and easy cure-all for these problems, companies can take a few steps to lessen the likelihood that their instant-messaging systems will create security problems. “A good first step to plugging instant messaging security holes is conducting an internal audit and deducing how many employees are working with these systems,” Ferris told TechNewsWorld. Then, IT departments should work with end-user departments to develop policies that outline the benefits of instant messaging systems as well as the potential risks, with the end goal of educating employees about the technology. Whenever employees are working with sensitive information, instant messaging use should be limited to internal employees and third parties who have the same instant-messaging system, so the data can be encrypted.

Startup firms also can offer some help. Companies like Akonix Systems, Cordant, Facetime Communications and WiredRed Software have developed specialized instant-messaging security tools. These products can help companies identify instant-messaging activity and log such transactions, so companies have a better idea of what information is passing over their instant-messaging links.
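As an added example (not from the article, and not code from any of the vendors it names), the following Python script performs the kind of internal audit Ferris recommends by scanning firewall connection-log lines for the default server ports of the consumer IM services named above. The log format, the sample lines and the port numbers are assumptions made for this illustration.

```python
import re
from collections import Counter, defaultdict

# Default server ports of the consumer IM services named in the article.
# These port numbers are this example's assumption, not something the article states.
IM_PORTS = {
    5190: "AOL Instant Messenger",
    1863: "MSN Messenger",
    5050: "Yahoo! Messenger",
}

# Constructed firewall connection-log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
2003-03-04T09:12:01 host=ws-alice dst=192.0.2.10:5190 action=allow
2003-03-04T09:12:05 host=ws-alice dst=192.0.2.20:1863 action=allow
2003-03-04T09:13:10 host=ws-bob dst=198.51.100.7:5050 action=allow
2003-03-04T09:14:22 host=ws-carol dst=10.0.0.5:443 action=allow
2003-03-04T09:15:00 host=ws-bob dst=192.0.2.10:5190 action=allow
2003-03-04T09:16:41 host=ws-dave dst=192.0.2.10:5190 action=deny
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) dst=(\S+):(\d+) action=(\w+)$")

def classify(line):
    """Return (host, service, action) for a connection to a known IM port, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, host, _ip, port, action = m.groups()
    service = IM_PORTS.get(int(port))
    return (host, service, action) if service else None

def audit(log_text):
    """Summarise IM use: services reached per host, hosts per service, and
    how many connection attempts the firewall already blocked."""
    by_host = defaultdict(set)
    blocked = 0
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        host, service, action = hit
        if action == "allow":
            by_host[host].add(service)
        else:
            blocked += 1
    per_service = Counter(s for services in by_host.values() for s in services)
    return {"hosts": dict(by_host), "per_service": dict(per_service),
            "im_host_count": len(by_host), "blocked_attempts": blocked}
```

Running `audit(SAMPLE_LOG)` gives the per-host inventory the policy discussion needs; on a real network the same logic would run over the firewall's own export, and port-based matching would miss clients tunnelling over HTTP, which is why the article's dedicated tools inspect the traffic itself.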

Although such tools are helpful, they are not as comprehensive as companies would like. “Securing instant messaging transactions represents a noteworthy challenge to IT departments today,” Spire Security’s Lindstrom said. “Many are just now beginning to recognize the depth of the problem and pressure vendors to deliver better security tools. While the products that are currently available represent a good first step, complete, robust solutions are at least another 12 to 24 months away.”
