Under the Radar: IM Emerging as a Stealth Threat

The other underlying threat posed by IM is the speed with which viruses can travel once released into enough IM clients. Instead of days for a virus to infect computers world-wide via email (it used to be months), IM can propagate a virus in a matter of hours.

This creates a major challenge for network security administrators tasked with ensuring it doesn’t happen. And if they are unaware IM is being commonly used within their companies, it could be a major headache too, said deSouza.

Currently, there are about 200 IM-specific viruses in circulation. But, as IM usage continues to grow, so will the number of attacks, said Burton’s Cohen. Today, there just aren’t enough IM users to get any headlines from writing IM viruses, which is the good news.

“So, working for IM is the fact that the user base isn’t as big as email, so it’s not as attractive for virus writers,” said IM Logic’s deSouza. “But, working against it is it’s actually a very efficient medium to propagate stuff, so if it hits it can hit really, really fast.”

IM Ignorance Isn’t Bliss

Aside from actual network threats there are compliance issues to think of as well. Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA) both call for controls and tracking of the electronic transfer of information. If employees are using IM to make deals (SOX) or discuss patients (HIPAA), there could be problems, said deSouza.

In March, the New York Stock Exchange (NYSE) and the NASD, for example, sent out memos specifically stating IM is covered under the electronic communication clauses of their guidelines and regulations, he said.

Perhaps the biggest threat from IM, however, isn’t so much regulatory or even virus-born, but the one that comes from ignorance. If you don’t know you are threatened, then there isn’t much you can do about it. And, for now, that is the main risk posed by IM.

“It’s the combination of threats, vulnerabilities and consequences that leads to risk,” Cohen said. “And, in IM, we have a big vulnerability, but the threats haven’t become so big that they’re causing the corporate people to respond in a harsh way. The consequences so far with IM have not been so severe that they’ve caused anything like the harm associated with email.”