Large businesses can’t run without electronic communications anymore. Despite the fact that e-mail, as a staple of corporate communication, is often undersecured, many businesses have begun adopting newer methods of exchange that speed the decision-making process even further, often without much thought about the security ramifications. In fact, many businesses are using these products without even knowing it.
E-mail has been a popular outlet for online mischief-makers. In fact, most organizations have experienced the most common e-mail threats—viruses, worms and malicious content. Denial-of-service attacks, pharming, phishing and directory harvest attacks can also jeopardize your network or your business. Even pictures within e-mail messages, also known as Web beacons, can have harmful code embedded in them and can secretly send messages back to the sender, providing spammers with information regarding active e-mail addresses. The hijacking of e-mail for malicious use isn’t likely to slow.
In the future, according to Joel Smith, CTO of AppRiver, a provider of e-mail security solutions, “Online scammers will continue their use of malicious code to take advantage of application and operating system vulnerabilities to build larger networks of compromised PCs. ISPs will respond by locking down their outbound SMTP traffic to offer greater protection. Scammers then will design worms and viruses that hack e-mail passwords on infected systems to send their e-mail using authenticated accounts. Compromised machines will also begin to use these password-hacking techniques to gain entry to other critical resources for identity theft and also to hack into secure facilities.”
In addition to commonly recognized e-mail attacks, spam presents its own kind of threat to the business: a financial one. Spam, or “dark traffic,” a term coined by Tumbleweed to refer to e-mail that is not legitimate business communication, accounts for a large proportion of e-mail sent. Dark traffic results in over-resourcing the e-mail infrastructure to handle traffic that doesn’t belong on the network, and this can be very costly.
Companies spend plenty of money each year on basic e-mail security, but few implement advanced security features like image analysis and outbound e-mail content filtering. Additionally, because of high labor expenditures, organizations frequently fail to employ and deploy necessary manpower to address e-mail security.
IM: Business Tool or Time Waster?
Corporations also have to deal with “greynet,” a term coined by FaceTime Communications to describe network-enabled applications that are installed on a corporate user’s system without permission from IT and that avoid detection and blocking. Described as fertile ground for hackers, instant messaging has in the past fallen into the greynet category, though some businesses have begun sanctioning its use.
IM lets geographically dispersed individuals exchange data instantly. It initially gained popularity among home users because it allowed casual, interactive conversations with friends, which in many cases could significantly lower phone bills. Because IM programs, such as MSN Messenger from Microsoft, AIM from AOL, and Yahoo! Messenger, are free for download, IM users would often load them onto their PDAs and computers at work as well. Some used IM for strictly personal communications, and some realized its real-time application qualified it as a useful business tool. Still, most employees used IM at work without making their supervisors aware of it.
In the face of this onslaught of unauthorized use, different businesses have taken different routes. Some ignore the problem entirely. Some attempt to block IM usage by identifying and blocking the ports used by IM applications and protocols. If done correctly, this is quite effective, but it can also be expensive.
Other businesses have said, “If you can’t beat them, join them.” They have begun using IM—or allowing IM use—as a legitimate work tool. After all, it lets employees, clients and businesses communicate more quickly, which should increase efficiency if employed correctly. The problem with IM’s increasing popularity in business is that its security is not as well developed as that of e-mail, and some businesses aren’t even aware of the security threats it poses.
Viruses, Worms and Spim
The SANS Institute’s 2004 Top 20 Internet Security Vulnerabilities list ranked IM at number 10. Unsecured IM client installations place enterprise systems at risk from hackers, Trojans, viruses and worms. IM spam, known as spim, also increases as IM gains popularity.
Since January 2005, according to security vendor IMLogic, there has been a regular increase in IM security incidents each month, with 30 newly detected threats including the Kelvir, Bropia, Gabby, Fatso, Sumom and Serflog worms. Frank Costello, CTO of Akonix, refers to 2005 as the year of “professionalism of IM attacks.”
Since client applications were initially built for home users and not business, they emphasize functionality over security. Files transferred through IM rely totally on desktop rather than server-based anti-virus tools, and desktop tools do not provide sufficient security. Major IM applications are left active, constantly running in the background and ready to pop up a window with a message. They reside on users’ computers and communicate outside the corporate network over the Internet, making it difficult to differentiate IM messages from normal Web traffic.
You’ve Got Liability
IM also places the enterprise at risk for legal liability and violation of privacy laws. IM conversations and content are not automatically stored and therefore are not traceable, retrievable or auditable. So the very feature that makes IM instant violates regulatory and legislative requirements. Adding complex archiving facilities is possible, but it takes the “instant” out of IM. Messages transmitted in plaintext over IM can be easily intercepted and read.
The privacy issue presents a sticky problem as well. We know from existing court rulings that companies have the right to monitor, open, read and retain employees’ e-mail if the message is on an e-mail system owned by the company or organization. However, since popular IM clients are provided free to companies and employees, companies may not have the same monitoring rights they have with e-mail.
While it seems reasonable for companies to decide upon and write a policy declaring that IM may only be used for business purposes, defining which files may be transferred using IM, and declaring what punishment will be imposed if the policy is violated, employees and legal advocates may interpret such a policy as a violation of privacy and civil rights. There is a real possibility that the legality of using, monitoring, and archiving IM within the corporate structure will be tried in the courts, and the outcome will have an impact on both IM products and related software.
This list of vulnerabilities may deter many businesses from allowing IM on their computers. In this case, there are ways to stop employees from using IM at work.
Eliminate the Threat
Companies can take proactive steps to block IM if they choose not to permit its use within the enterprise.
• Audit all network and standalone PCs regularly and remove IM software.
• Block the IP addresses associated with IM traffic. Since these addresses change periodically, regular monitoring is necessary.
• Provide false DNS resolution for IM domain servers.
• Combine the three techniques listed with strong desktop management policies.
• Configure corporate firewalls to block unapproved messages and file attachments.
Configuring company firewalls to block IM is difficult and time consuming. Fortunately, some vendors already have IM blocking devices and software for sale. Among the best known are St.Bernard Software’s iPrism, Barracuda Networks’ IM Firewall Device, IMLogic’s IM Detector Pro, Akonix’s L7 500, Facetime’s RTG5000, Blue Coat Systems’ Proxy SG and Webwasher’s Instant Message Filter.
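An added example, not part of the original article, of the IP-blocking and false-DNS steps in the list above: it generates dnsmasq sinkhole entries for IM domains and flags observed IM server addresses that the firewall blocklist no longer covers. The domain names, addresses and sinkhole IP are constructed placeholders, and the use of dnsmasq as the internal resolver is an assumption.

```python
import ipaddress

# Constructed placeholders: the article names no IM hostnames or addresses.
IM_DOMAINS = ["login.im-service.example", "files.im-service.example"]
SINKHOLE_IP = "192.0.2.1"                               # assumed internal sinkhole host
BLOCKED_NETS = ["198.51.100.0/24", "203.0.113.10/32"]   # constructed firewall rules
# Constructed snapshot of what the IM hostnames resolve to on an unfiltered
# resolver; in practice this comes from the regular monitoring the list calls for.
OBSERVED = {
    "login.im-service.example": ["198.51.100.7", "203.0.113.10"],
    "files.im-service.example": ["203.0.113.25"],
}


def normalize(name):
    """Lower-case a DNS name and drop surrounding space and the trailing dot."""
    return name.strip().lower().rstrip(".")


def sinkhole_config(domains, sinkhole_ip):
    """dnsmasq lines answering each domain and its subdomains with sinkhole_ip."""
    ipaddress.ip_address(sinkhole_ip)          # raises ValueError on a bad address
    unique = sorted({normalize(d) for d in domains if normalize(d)})
    return [f"address=/{d}/{sinkhole_ip}" for d in unique]


def is_sinkholed(hostname, domains):
    """Mirror dnsmasq matching: the domain itself or any subdomain of it."""
    host = normalize(hostname)
    return any(host == normalize(d) or host.endswith("." + normalize(d))
               for d in domains)


def blocklist_gaps(observed, blocked_nets):
    """Map each hostname to the resolved IPs that no firewall rule covers."""
    nets = [ipaddress.ip_network(n) for n in blocked_nets]
    gaps = {}
    for host, ips in observed.items():
        missing = [ip for ip in ips
                   if not any(ipaddress.ip_address(ip) in n for n in nets)]
        if missing:
            gaps[host] = missing
    return gaps


if __name__ == "__main__":
    print("\n".join(sinkhole_config(IM_DOMAINS, SINKHOLE_IP)))
    for host, ips in blocklist_gaps(OBSERVED, BLOCKED_NETS).items():
        print(f"unblocked address for {host}: {', '.join(ips)}")
```

Run on a schedule, the gap report shows which addresses have changed since the firewall rules were last updated.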
Manage Solutions Appropriately
The layered approach to security is very important to effective e-mail and IM security. The following steps should be taken for both.
• Prevent users from installing unauthorized software on client workstations.
• Deploy anti-virus, IDS and firewall software (through server or desktop).
• Patch workstations and PCs to run the most current service packs and security updates.
• Enforce client-side settings.
• Encrypt information being transmitted.
• Use an enterprise platform for e-mail and IM naming schemes.
The development of security products for e-mail is already robust. Virus-scanning software, firewalls, spam blockers and operating system updates and patches abound. Vendors McAfee, Symantec, Trend Micro, Panda, Sigaba, Authetica, MailFrontier and ZoneAlarm have provided security solutions for years and are now incorporating IM security solutions. Other vendors like IMLogic, Viack, and IM-Age developed IM security software to meet the needs of organizations that do decide to use IM on their company computers.
Only 11% of the companies employ IM gateway/management software. Paul Johns, senior vice president of global marketing at Orchestria Corporation, says that “until now technologies used to monitor and manage policy were not intelligent enough to accurately identify and prevent damaging events from taking place within electronic communications. Alternate solutions identify policy breaches after the event has taken place while some solutions block suspect messages from being sent and redirect them for review by the compliance department.”
Orchestria claims to offer the only technology that enables companies to “stop violations from occurring in electronic communications; deter future violations from occurring; build a trusted source of compliant data and demonstrate the highest levels of good corporate behavior.” Orchestria appears to be the front-runner in the IM policy management software industry, which is expected to grow to accommodate the rapidly growing IM space.
What will the future hold? Marty Tacktill, senior director of worldwide public relations at Postini, an integrated message management provider, said, “IM management and protection will become a large market in 2006. Companies have gone through the phases of realizing that IM was being used by employees … and now realizing that they need technology to help them come to grips with the challenges of IM. We are right now seeing the transition of the market from early adopters to mainstream.”
D.E. Levine, CISSP, CFE, FBCI, CPS, a contributing editor to ST&D and co-author of several security books, can be reached at firstname.lastname@example.org.