Plenty of IM Security Holes Left to Plug

Instant Messaging can speed critical communications across the corporate network, saving time and giving an edge to team projects. The trouble is that IM can also speed viruses into the network, and shoot corporate secrets out to competitors without leaving any trail behind.

IM technology, at this point in its maturity, isn’t the most secure of communication tools. And what makes it a real nightmare for IT and security managers is that many employees are running wild and unsupervised, downloading their favorite IM software and running it under IT’s radar. Without IT keeping an eye on it, there’s no way to put the brakes on what could be a huge security problem.

“IM is becoming as common as email, but firms cannot permit their staff to just sign up for AOL or Yahoo! Messenger and be done with it,” says Damon Kovelsky, an analyst with Financial Insights, a research firm based in Framingham, Mass.

Not so long ago, Instant Messaging was the province of the teen and college population. In the last couple of years, however, it has made the transition from cool tool to business tool. According to IDC, a major analyst firm based in Framingham, Mass., more than 20 million businesspeople worldwide are using IM. That figure is expected to soar to 300 million by the end of 2005.

The problem, however, is that adoption has been driven by end users, not by top management.

A study by Osterman Research, based in Black Diamond, Wash., reveals that while IM currently has a presence in 91 percent of enterprises, only about 26 percent are using an enterprise-grade IM system. That means 65 percent rely on consumer products.

“Consumer-grade IM clients and the use of public IM networks can create significant security problems for an enterprise by using unauthorized ports in the corporate firewall,” says analyst Michael Osterman. “This allows an entry point for viruses or rogue protocols to bypass corporate authentication systems and so forth.”

Some companies try to fit consumer systems into the corporate security picture by adding on a series of third-party products.

According to Tod Turner, CEO of LINQware, an IM provider and maker of the Collabrix enterprise IM system, that strategy is inherently flawed.

Most IM systems on the market today are peer-to-peer (P2P): once a conversation starts, traffic can flow directly between the users’ client machines rather than through a server the administrator controls. This architecture eliminates the administrator’s ability to capture the history of the conversation.

“Applications like P2P and IM allow employees to communicate and share files covertly with outside parties,” notes Mark Glowacki, HIPAA Compliance Manager of the HIPAA Academy. “Because these applications can run without being detected by conventional security appliances, like firewalls, security violations are only discovered after the fact.”

All of this means that instant messaging carries a high potential for liability, particularly in heavily regulated industries, such as financial services and health care.

HIPAA, the Health Insurance Portability and Accountability Act, for example, sternly calls into question the use of IM in the healthcare industry. Undocumented communications about a patient, for instance, could take place without management’s knowledge, leading to a breach of HIPAA’s access requirements. Such violations could invoke heavy fines.

Public IM systems do not offer any mechanism for capturing conversation transcripts. Third-party tools exist that can capture the conversation at its conclusion. However, conversations that are dropped midstream are lost, unless the IM system is server based.

“With few exceptions, consumer-grade IM clients do not provide a means of recording content of IM conversations,” says Osterman. “This is a particularly significant shortcoming for firms that are required by statute or convention to retain a copy of communications with customers, business partners and others.”

Another issue is that most systems on the market today are open, meaning that if you know a person’s IM address, you can message them directly. Anyone with an IM address, therefore, has the potential to share sensitive data and bypass any corporate audit capabilities.

The best approach to dealing with this issue is to deploy a closed system that can still be exposed to key outside customers and vendors.

IT managers also need to be aware that generic IM products send messages between users in clear text, which can be captured and read by anyone on the path. Fortunately, there are fixes via third-party software that improve the security of messages sent over public networks.
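The two problems Osterman and Glowacki describe (clients that slip through the firewall on unauthorized ports and run undetected) and the clear-text transmissions just mentioned can both be seen in a small packet-inspection routine. The following is an added example written for this page, not code from the article or from any product it mentions: it classifies captured TCP flows by the first bytes the client sends (the real MSNP, YMSG, OSCAR and XMPP handshake constants) rather than by destination port, flags clients that have moved off their default port, and pulls the unencrypted message bodies out of an MSNP session. The flows, addresses and message text are constructed sample data.

```python
# Port-independent detection of consumer IM protocols in captured TCP payloads,
# plus extraction of the clear-text message bodies an MSNP session carries.
# Added example for this article, not code from any product it mentions.
# The protocol constants are real; the flows below are constructed sample data.
import re
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes the client sent on the connection


# Each signature matches the start of the client's first packet. Matching on
# content rather than port is the point: a client that has hopped to 80 or 443
# to get through the firewall still announces itself this way.
SIGNATURES = [
    ("MSNP", re.compile(rb"^VER \d+ MSNP\d+")),                    # MSN Messenger greeting
    ("YMSG", re.compile(rb"^YMSG")),                               # Yahoo! Messenger header magic
    ("OSCAR", re.compile(rb"^\x2a\x01")),                          # AIM/ICQ FLAP frame, channel 1
    ("XMPP", re.compile(rb"^(<\?xml[^>]*>\s*)?<stream:stream")),   # Jabber stream header
]

# Default ports; a client seen elsewhere is evading a port-based block.
DEFAULT_PORTS = {"MSNP": 1863, "YMSG": 5050, "OSCAR": 5190, "XMPP": 5222}


def identify(payload: bytes):
    """Return the IM protocol name the payload starts with, or None."""
    for name, pattern in SIGNATURES:
        if pattern.match(payload):
            return name
    return None


def scan(flows):
    """Report every IM flow as (src, dst, dport, protocol, on_default_port)."""
    hits = []
    for f in flows:
        proto = identify(f.payload)
        if proto is not None:
            hits.append((f.src, f.dst, f.dport, proto, f.dport == DEFAULT_PORTS[proto]))
    return hits


def extract_msnp_messages(payload: bytes):
    """Return the text/plain bodies carried in MSNP MSG commands.

    MSNP frames a chat message as 'MSG <a> <b> <len>\\r\\n' followed by <len>
    bytes of MIME-style headers, a blank line and the body, all unencrypted.
    Typing notifications (text/x-msmsgscontrol) use the same frame and are
    skipped. Bodies are stepped over by their declared byte count, so a body
    that itself contains 'MSG ' is never mistaken for a new command.
    """
    messages = []
    pos = 0
    while pos < len(payload):
        eol = payload.find(b"\r\n", pos)
        if eol < 0:
            break
        parts = payload[pos:eol].split()
        if len(parts) >= 2 and parts[0] == b"MSG" and parts[-1].isdigit():
            length = int(parts[-1])
            block = payload[eol + 2:eol + 2 + length]
            headers, _, body = block.partition(b"\r\n\r\n")
            if b"text/plain" in headers:
                messages.append(body.decode("utf-8", "replace"))
            pos = eol + 2 + length
        else:
            pos = eol + 2
    return messages


def msnp_message(sender: bytes, text: bytes, content_type=b"text/plain; charset=UTF-8") -> bytes:
    """Build one MSNP MSG frame (used here only to construct sample traffic)."""
    block = b"MIME-Version: 1.0\r\nContent-Type: " + content_type + b"\r\n\r\n" + text
    return b"MSG " + sender + b" Nick " + str(len(block)).encode() + b"\r\n" + block


# Constructed sample capture: three IM clients, two of them off their default port.
SAMPLE_FLOWS = [
    Flow("10.0.1.15", "207.46.0.1", 80,
         b"VER 1 MSNP8 CVR0\r\n"
         + msnp_message(b"alice@example.com", b"typing", b"text/x-msmsgscontrol")
         + msnp_message(b"alice@example.com", b"Q3 numbers attached, don't forward")),
    Flow("10.0.1.22", "66.163.0.1", 443, b"YMSG\x00\x0b\x00\x00\x00\x10\x00\x4c\x00\x00\x00\x00\x00\x00"),
    Flow("10.0.1.31", "64.12.0.1", 5190, b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01"),
    Flow("10.0.1.40", "93.184.216.34", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_FLOWS):
        print(hit)
    print(extract_msnp_messages(SAMPLE_FLOWS[0].payload))
```

Matching on the handshake is what makes this work against clients that tunnel over 80 or 443; a rule that only watches the default ports would see the AIM flow and nothing else. The extracted MSNP body shows why the clear-text point matters: anyone positioned on the path recovers the message with a few lines of parsing and no key.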

“In a corporation of any size, it is essential to harness security standards, such as encoded XML and encrypted messages using SSL,” says LINQware’s Turner. “Otherwise, you have no idea who might be reading your messages.”

And in an age when viruses and worms are causing billions of dollars in damage on a regular basis, that is always a key security concern. And as IM usage becomes more and more prevalent, virus writers will increasingly turn their attention to this new medium.

Virtually all IM systems allow file transfers that bypass virus-checking software. This exposes networks to serious threats of the kind posed by the Blaster worm, which took down more than 1 million computers in its first 24 hours in the wild. (Blaster itself spread by exploiting a Windows RPC flaw rather than over IM; the point is that a file transfer the gateway scanner never sees gives such code an equally unguarded way in.)

“No add-on will plug this gaping hole,” says Turner. “It requires an enterprise-class system with administrative privileges, which allows you to turn off file transfers between users.”
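The closed system recommended earlier (internal users only, with selected outside customers and vendors let in) and the administrator-controlled file-transfer switch Turner describes come together as a policy check at the gateway. The following is an added example for this page, not code from Collabrix or any other product the article mentions. It assumes addresses of the form user@domain and a server-mediated system in which every message and transfer request passes through the gateway and is written to an audit record before delivery, so a conversation dropped midstream still leaves its earlier messages on file. The domain names and traffic are constructed.

```python
# Policy enforcement for a closed, server-mediated enterprise IM gateway.
# Added example for this article, not code from any product it mentions.
# Assumed model: addresses are user@domain; the gateway sees every message and
# file-transfer request before delivery and records each one as it passes.
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Policy:
    home_domain: str                                     # the organisation's own users
    federated_domains: set = field(default_factory=set)  # partners allowed to reach them
    allow_file_transfer: bool = False                    # administrator switch, off by default


@dataclass
class Event:
    sender: str
    recipient: str
    kind: str            # "message" or "file"
    content: str = ""    # message text, or the file name for a transfer


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def evaluate(policy: Policy, event: Event):
    """Return (allowed, reason) for one event under the policy."""
    sd, rd = domain_of(event.sender), domain_of(event.recipient)
    internal = [d == policy.home_domain.lower() for d in (sd, rd)]
    # A closed system relays nothing that does not involve one of its own users.
    if not any(internal):
        return False, "neither party is internal"
    # The external party, if any, must be a vetted customer or vendor domain.
    for d, is_int in zip((sd, rd), internal):
        if not is_int and d not in policy.federated_domains:
            return False, f"external domain {d} is not federated"
    if event.kind == "file" and not policy.allow_file_transfer:
        return False, "file transfers are disabled by the administrator"
    if event.kind not in ("message", "file"):
        return False, f"unknown event kind {event.kind}"
    return True, "ok"


class Gateway:
    """Applies the policy and keeps a per-event audit trail, allowed or not."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.audit = []   # one record per event, written before delivery

    def handle(self, event: Event) -> bool:
        allowed, reason = evaluate(self.policy, event)
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "sender": event.sender, "recipient": event.recipient,
            "kind": event.kind, "content": event.content,
            "allowed": allowed, "reason": reason,
        })
        return allowed


def demo():
    """Run constructed sample traffic through a gateway; returns (gateway, decisions)."""
    gw = Gateway(Policy("example.com", federated_domains={"partner-bank.example"}))
    events = [
        Event("alice@example.com", "bob@example.com", "message", "lunch?"),
        Event("alice@example.com", "ceo@partner-bank.example", "message", "draft attached next"),
        Event("alice@example.com", "buddy@aol.com", "message", "hey"),
        Event("alice@example.com", "bob@example.com", "file", "q3-forecast.xls"),
        Event("x@aol.com", "y@aol.com", "message", "relay me"),
    ]
    decisions = [gw.handle(e) for e in events]
    gw.policy.allow_file_transfer = True   # administrator turns transfers on
    decisions.append(gw.handle(events[3]))
    return gw, decisions


if __name__ == "__main__":
    gateway, results = demo()
    for record, allowed in zip(gateway.audit, results):
        print(allowed, record["reason"], record["sender"], "->", record["recipient"])
```

Two design choices carry the article's argument. The audit entry is written whether or not the event is delivered, and before delivery, which is what a client-side capture at the end of a conversation cannot guarantee. And the file-transfer switch lives in the policy the administrator owns, not in the client, so a user cannot re-enable it by installing a different program.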

IM is here, whether IT managers are ready for it or not. The best approach, therefore, is to take control of its usage by establishing corporate policies and adopting an IM system that is designed for the corporate world.