Plenty of IM Security Holes Left to Plug

Instant Messaging can speed critical communications across the corporate network, saving time and giving an edge to team projects. The trouble is that IM also can speed viruses into the network, and shoot corporate secrets out to competitors without leaving any trail behind it.

IM technology, at this point in its maturity level, isn't the most secure of communication tools. And what's making it a real nightmare for IT and security managers is that a lot of employees are running wild and uncensored, downloading their favorite IM software and running under IT's radar. Without IT keeping an eye on it, there's no way to put the brakes on what could be a huge security problem.

''IM is becoming as common as email, but firms cannot permit their staff to just sign up for AOL or Yahoo! Messenger and be done with it,'' says Damon Kovelsky, an analyst with Financial Insights, a research firm based in Framingham, Mass.

Not so long ago, Instant Messaging was the province of the teen and college population. In the last couple of years, however, it has made the transition from cool tool to business tool. According to IDC, a major analyst firm based in Framingham, Mass., more than 20 million businesspeople worldwide are using IM. That figure is expected to soar to 300 million by the end of 2005.

The problem is, however, that the adoption has been driven by the end user and not top management.

A study by Osterman Research, based in Black Diamond, Wash., reveals that while IM currently has a presence in 91 percent of enterprises, only about 26 percent are utilizing an enterprise-grade IM system. That means 65 percent rely on consumer products.

''Consumer-grade IM clients and the use of public IM networks can create significant security problems for an enterprise by using unauthorized ports in the corporate firewall,'' says analyst Michael Osterman. ''This allows an entry point for viruses or rogue protocols to bypass corporate authentication systems and so forth.''
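The "unauthorized ports" Osterman describes are also the first place to look for IM that is running under IT's radar. The following script is an added example, not code from the article or from any vendor it mentions: it scans constructed firewall log lines for outbound TCP flows to the default ports of the public IM networks of the period (AIM/ICQ 5190, MSN 1863, Yahoo 5050, XMPP 5222) and reports which internal hosts are using them. The log format (iptables-style `SRC=... DST=... DPT=...` fields), the RFC 1918 corporate ranges, and the sample addresses are all assumptions; flows to an internal server on an IM port are deliberately left alone, because a sanctioned enterprise IM system is exactly the traffic IT already controls.

```python
"""Flag outbound connections to public IM networks in firewall logs.

Added example for this article; the log format, address ranges and
sample lines are constructed, not real traffic.
"""
import ipaddress
import re
from collections import Counter

# Default client ports of the public IM networks discussed in the article.
IM_PORTS = {
    5190: "AIM/ICQ (OSCAR)",
    1863: "MSN Messenger (MSNP)",
    5050: "Yahoo! Messenger (YMSG)",
    5222: "XMPP/Jabber",
}

# Assumed corporate address space. A sanctioned enterprise IM server inside
# it is not flagged: that traffic is already under IT's control.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed iptables-style log lines. External DST addresses are taken from
# the RFC 5737 documentation ranges and do not belong to any IM provider.
SAMPLE_LOG = """\
Mar 12 09:01:13 fw kernel: OUT=eth0 SRC=10.1.4.22 DST=192.0.2.10 PROTO=TCP SPT=51512 DPT=5190
Mar 12 09:01:15 fw kernel: OUT=eth0 SRC=10.1.4.22 DST=198.51.100.7 PROTO=TCP SPT=51520 DPT=1863
Mar 12 09:02:00 fw kernel: OUT=eth0 SRC=10.1.7.9 DST=203.0.113.40 PROTO=TCP SPT=40010 DPT=443
Mar 12 09:02:41 fw kernel: OUT=eth0 SRC=10.1.4.22 DST=203.0.113.5 PROTO=TCP SPT=51530 DPT=5050
Mar 12 09:03:07 fw kernel: OUT=eth0 SRC=10.1.9.3 DST=10.1.9.200 PROTO=TCP SPT=40200 DPT=5222
Mar 12 09:03:30 fw kernel: OUT=eth0 SRC=10.1.7.9 DST=192.0.2.10 PROTO=UDP SPT=40300 DPT=53
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) "
    r"SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Extract src, dst, protocol and destination port; None if the line does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")),
    }


def is_internal(ip):
    """True if the address falls inside the assumed corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_public_im_flows(log_text):
    """Return (src, dst, port, network) for each TCP flow to a public IM port on an external host.

    Caveat: consumer clients can fall back to ports 80/443, so a port match
    undercounts; treat hits as a lower bound, not a complete inventory.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        if rec["dpt"] not in IM_PORTS or is_internal(rec["dst"]):
            continue
        hits.append((rec["src"], rec["dst"], rec["dpt"], IM_PORTS[rec["dpt"]]))
    return hits


def hosts_by_hit_count(hits):
    """Internal hosts running unsanctioned IM clients, ranked by flow count."""
    return Counter(src for src, _, _, _ in hits).most_common()


if __name__ == "__main__":
    flows = find_public_im_flows(SAMPLE_LOG)
    for src, dst, port, name in flows:
        print(f"{src} -> {dst}:{port}  {name}")
    print(hosts_by_hit_count(flows))
```

Run against the constructed sample, the script flags three flows, all from 10.1.4.22, and ignores the HTTPS session, the DNS query, and the connection to the internal XMPP server. The port list is a starting point only: the same clients could tunnel over 80 or 443, which is why an egress proxy or protocol-aware inspection, not port matching, is the durable control.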

Some companies try to fit consumer systems into the corporate security picture by adding on a series of third-party products.

According to Tod Turner, CEO of LINQware, an IM provider and maker of the Collabrix enterprise IM system, that strategy is inherently flawed.

Most IM systems on the market today are peer-to-peer (P2P), meaning that once conversations start, they are directly between the users' client machines and do not pass through a server the enterprise controls. This architecture eliminates the administrator's ability to capture the history of the conversation.

''Applications like P2P and IM allow employees to communicate and share files covertly with outside parties,'' notes Mark Glowacki, HIPAA Compliance Manager of the HIPAA Academy. ''Because these applications can run without being detected by conventional security appliances, like firewalls, security violations are only discovered after the fact.''

All of this means that instant messaging carries a high potential for liability, particularly in heavily regulated industries, such as financial services and health care.

HIPAA, the Health Insurance Portability and Accountability Act, for example, sternly calls into question the use of IM in the healthcare industry. Undocumented communications regarding a patient, for instance, could occur without management's knowledge, leading to a breach of HIPAA's access requirements. Such violations could invoke heavy fines.

Public IM systems do not offer any mechanism for capturing conversation transcripts. Third-party tools exist which can capture the conversation at its conclusion. However, conversations that are dropped midstream are lost, unless the IM system is server based.

''With few exceptions, consumer-grade IM clients do not provide a means of recording content of IM conversations,'' says Osterman. ''This is a particularly significant shortcoming for firms that are required by statute or convention to retain a copy of communications with customers, business partners and others.''

Another issue is that most systems on the market today are open, meaning that if you know a person's IM address, you can message them directly. Anyone with an IM address, therefore, has the potential to share sensitive data and bypass any corporate audit capabilities.

The best approach to dealing with this issue is to deploy a closed system that can still be exposed to key outside customers and vendors.

And IT managers need to be aware that in generic IM products, transmissions between users are sent in clear text that can be captured and analyzed by outsiders. Fortunately, there are fixes via third-party software that improve the security of messages sent over public pipelines.

''In a corporation of any size, it is essential to harness security standards, such as encoded XML and encrypted messages using SSL,'' says LINQware's Turner. ''Otherwise, you have no idea who might be reading your messages.''

And in an age when viruses and worms are causing billions of dollars in damage on a regular basis, that is always a key security concern. And as IM usage becomes more and more prevalent, virus writers will increasingly turn their attention to this new medium.

Virtually all IM systems allow for file transfers that bypass virus checking software. This exposes networks to threats on the scale of the Blaster worm, which took down more than 1 million computers in its first 24 hours in the wild. (Blaster itself spread by exploiting a Windows RPC flaw rather than through IM, but an IM file transfer is just as unscanned a path onto the network.)

''No add-on will plug this gaping hole,'' says Turner. ''It requires an enterprise-class system with administrative privileges, which allows you to turn off file transfers between users.''

IM is here, whether IT managers are ready for it or not. The best approach, therefore, is to take control of its usage by establishing corporate policies and adopting an IM system that is designed for the corporate world.
