Viruses, Worms and Spim
The SANS Institute’s 2004 Top 20 Internet Security Vulnerabilities list ranked IM at number 10. Unsecured IM client installations expose enterprise systems to hackers, Trojans, viruses and worms. IM spam, known as spim, is also increasing as IM gains popularity.
Since January 2005, according to security vendor IMLogic, there has been a regular increase in IM security incidents each month, with 30 newly detected threats including the Kelvir, Bropia, Gabby, Fatso, Sumom and Serflog worms. Frank Costello, CTO of Akonix, refers to 2005 as the year of “professionalism of IM attacks.”
Because IM client applications were initially built for home users rather than businesses, they emphasize functionality over security. Files transferred through IM rely entirely on desktop rather than server-based anti-virus tools, and desktop tools alone do not provide sufficient security. Major IM applications are left active, constantly running in the background and ready to pop up a window with a message. They reside on users’ computers and communicate outside the corporate network over the Internet, which makes it difficult to differentiate IM messages from normal Web traffic.
You’ve Got Liability
IM also places the enterprise at risk for legal liability and violation of privacy laws. IM conversations and content are not automatically stored and therefore are not traceable, retrievable or auditable. So the very feature that makes IM instant violates regulatory and legislative requirements. Adding complex archiving facilities is possible, but it takes the “instant” out of IM. Messages transmitted in plaintext over IM can be easily intercepted and read.
The privacy issue presents a sticky problem as well. We know from existing court rulings that companies have the right to monitor, open, read and retain employees’ e-mail if the message is on an e-mail system owned by the company or organization. However, since popular IM clients are provided free to companies and employees, companies may not have the same monitoring rights they have with e-mail.
While it seems reasonable for companies to decide upon and write a policy declaring that IM may only be used for business purposes, defining which files may be transferred using IM, and declaring what punishment will be imposed if the policy is violated, employees and legal advocates may interpret such a policy as a violation of privacy and civil rights. There is a real possibility that the legality of using, monitoring, and archiving IM within the corporate structure will be tried in the courts, and the outcome will have an impact on both IM products and related software.
This list of vulnerabilities may deter many businesses from allowing IM on their computers. In that case, there are ways to stop employees from using IM at work.
Eliminate the Threat
Companies can take proactive steps to block IM if they choose not to permit its use within the enterprise.
• Audit all network and standalone PCs regularly and remove IM software.
• Block the IP addresses associated with IM traffic. Since these addresses change periodically, regular monitoring is necessary.
• Provide false DNS resolution for IM domain servers.
• Combine the three techniques listed with strong desktop management policies.
• Configure corporate firewalls to block unapproved messages and file attachments.
Configuring company firewalls to block IM is difficult and time-consuming. Fortunately, some vendors already have IM blocking devices and software for sale. Among the best known are St. Bernard Software’s iPrism, Barracuda Networks’ IM Firewall Device, IMLogic’s IM Detector Pro, Akonix’s L7 500, Facetime’s RTG5000, Blue Coat Systems’ Proxy SG and Webwasher’s Instant Message Filter.
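The false-DNS-resolution and audit steps in the list above can be sketched as follows. This is an added example, not from the original article: it emits dnsmasq `address=` lines for a blocklist and scans dnsmasq-style query logs for workstations still trying to reach IM servers. The domain names, sinkhole address and log lines are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed placeholder domains (.example is reserved); replace with the
# server names used by the IM clients your own audit finds.
IM_DOMAINS = {"im-a.example", "msg.im-b.example"}
SINKHOLE_IP = "10.0.0.53"  # assumed internal address with no IM service behind it

def is_im_host(name):
    """Match a blocked domain or any subdomain of it, on label boundaries."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in IM_DOMAINS)

def sinkhole_config():
    """dnsmasq lines that answer each blocked domain (and its subdomains) falsely."""
    return [f"address=/{d}/{SINKHOLE_IP}" for d in sorted(IM_DOMAINS)]

# dnsmasq writes lines of this shape when log-queries is enabled.
QUERY_RE = re.compile(r"query\[(?:A|AAAA)\] (\S+) from (\S+)")

def audit(log_lines):
    """Map client IP -> sorted IM hostnames it tried to resolve."""
    hits = defaultdict(set)
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and is_im_host(m.group(1)):
            hits[m.group(2)].add(m.group(1).rstrip(".").lower())
    return {client: sorted(names) for client, names in hits.items()}

# Constructed sample log lines.
SAMPLE_LOG = [
    "Mar  3 09:14:02 dnsmasq[812]: query[A] login.im-a.example from 192.168.1.23",
    "Mar  3 09:14:05 dnsmasq[812]: query[A] www.example.org from 192.168.1.23",
    "Mar  3 09:15:40 dnsmasq[812]: query[AAAA] MSG.IM-B.EXAMPLE. from 192.168.1.40",
    "Mar  3 09:16:11 dnsmasq[812]: query[A] notim-a.example from 192.168.1.77",
    "Mar  3 09:17:30 dnsmasq[812]: query[A] im-a.example from 192.168.1.23",
]

if __name__ == "__main__":
    print("\n".join(sinkhole_config()))
    for client, names in sorted(audit(SAMPLE_LOG).items()):
        print(f"{client}: still attempting IM via {', '.join(names)}")
```

Clients that keep appearing in the audit output after the sinkhole is in place are candidates for the PC audit and software removal step.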
Manage Solutions Appropriately
The layered approach to security is very important to effective e-mail and IM security. The following steps should be taken for both.
• Prevent users from installing unauthorized software on client workstations.
• Deploy anti-virus, IDS and firewall software (through server or desktop).
• Patch workstations and PCs to run the most current service packs and security updates.
• Enforce client-side settings.
• Encrypt information being transmitted.
• Use an enterprise platform for e-mail and IM naming schemes.
The development of security products for e-mail is already robust. Virus-scanning software, firewalls, spam blockers and operating system updates and patches abound. Vendors McAfee, Symantec, Trend Micro, Panda, Sigaba, Authentica, MailFrontier and ZoneAlarm have provided security solutions for years and are now incorporating IM security solutions. Other vendors such as IMLogic, Viack and IM-Age have developed IM security software to meet the needs of organizations that do decide to use IM on their company computers.