Plenty of IM Security Holes Left to Plug
October 31, 2003

Instant Messaging can speed critical communications across the corporate network, saving time and giving an edge to team projects. The trouble is that IM also can speed viruses into the network, and shoot corporate secrets out to competitors without leaving any trail behind it.

IM technology, at this point in its maturity, isn't the most secure of communication tools. And what makes it a real nightmare for IT and security managers is that a lot of employees are running wild and uncensored, downloading their favorite IM software and running it under IT's radar. Without IT keeping an eye on it, there's no way to put the brakes on what could be a huge security problem.

''IM is becoming as common as email, but firms cannot permit their staff to just sign up for AOL or Yahoo! Messenger and be done with it,'' says Damon Kovelsky, an analyst with Financial Insights, a research firm based in Framingham, Mass.

Not so long ago, Instant Messaging was the province of the teen and college population. In the last couple of years, however, it has made the transition from cool tool to business tool. According to IDC, a major analyst firm based in Framingham, Mass., more than 20 million businesspeople worldwide are using IM. That figure is expected to soar to 300 million by the end of 2005.

The problem is, however, that the adoption has been driven by the end user and not top management.

A study by Osterman Research, based in Black Diamond, Wash., reveals that while IM currently has a presence in 91 percent of enterprises, only about 26 percent are utilizing an enterprise-grade IM system. That means 65 percent rely on consumer products.

''Consumer-grade IM clients and the use of public IM networks can create significant security problems for an enterprise by using unauthorized ports in the corporate firewall,'' says analyst Michael Osterman. ''This allows an entry point for viruses or rogue protocols to bypass corporate authentication systems and so forth.''
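The "unauthorized ports" problem Osterman describes is something a firewall log can reveal. The following script is an added example, not code from the article or from any of the vendors it quotes: it parses constructed firewall log lines and flags allowed outbound connections to the default ports of the public IM networks. The log format, the hosts and the port-to-network mapping (AIM/ICQ 5190, MSN Messenger 1863, Yahoo! Messenger 5050) are assumptions for illustration, not values from the article.

```python
"""Flag consumer IM traffic in firewall logs.

Added example, not from the article. The log format, the hosts and the
port-to-network mapping are constructed/assumed for illustration.
"""
import re
from collections import Counter

# Assumed default ports of the public IM networks of the era (not from the article).
PUBLIC_IM_PORTS = {5190: "AIM/ICQ", 1863: "MSN Messenger", 5050: "Yahoo! Messenger"}

# Constructed sample firewall log lines: timestamp, action, protocol, src -> dst.
SAMPLE_LOG = """\
2003-10-31T09:12:05 ALLOW TCP 10.1.4.22:3311 -> 64.12.24.1:5190
2003-10-31T09:12:09 ALLOW TCP 10.1.4.22:3312 -> 64.12.24.1:5190
2003-10-31T09:13:40 ALLOW TCP 10.1.7.8:1055 -> 207.46.104.20:1863
2003-10-31T09:14:02 ALLOW TCP 10.1.9.3:2201 -> 66.163.171.128:5050
2003-10-31T09:14:30 ALLOW TCP 10.1.4.22:3313 -> 192.0.2.10:80
2003-10-31T09:15:11 DENY  TCP 10.1.2.2:4410 -> 64.12.24.1:5190
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_im_sessions(log_text):
    """Return (source host, IM network) pairs for ALLOWed connections to public IM ports.

    Denied connections are skipped: the firewall already stopped them. Note the
    port-80 line is not matched; clients that tunnel over HTTP need proxy or
    content inspection rather than a port check, so this is only a first pass.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ALLOW":
            continue
        network = PUBLIC_IM_PORTS.get(rec["dport"])
        if network:
            findings.append((rec["src"], network))
    return findings


def summarize(log_text):
    """Count IM sessions per internal host and network, showing IT which
    machines are running consumer clients outside its view."""
    return Counter(find_im_sessions(log_text))


if __name__ == "__main__":
    for (host, network), count in summarize(SAMPLE_LOG).items():
        print(f"{host}: {count} session(s) to {network}")
```

Running it against the constructed log reports two AIM/ICQ sessions from one host and one MSN and one Yahoo! session from two others; the port-80 connection goes unreported, which is exactly the gap an HTTP-tunnelling client would slip through.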

Some companies try to fit consumer systems into the corporate security picture by adding on a series of third-party products.

According to Tod Turner, CEO of LINQware, an IM provider and maker of the Collabrix enterprise IM system, that strategy is inherently flawed.

Most IM systems on the market today are peer-to-peer (P2P), meaning that once conversations start, they run directly between the users' client machines and do not pass through servers. This architecture eliminates the administrator's ability to capture the history of the conversation.

''Applications like P2P and IM allow employees to communicate and share files covertly with outside parties,'' notes Mark Glowacki, HIPAA Compliance Manager of the HIPAA Academy. ''Because these applications can run without being detected by conventional security appliances, like firewalls, security violations are only discovered after the fact.''

All of this means that instant messaging carries a high potential for liability, particularly in heavily regulated industries, such as financial services and health care.

HIPAA, the Health Insurance Portability and Accountability Act, for example, sternly calls into question the use of IM in the healthcare industry. Undocumented communications regarding a patient, for instance, could occur without management's knowledge, leading to a breach of HIPAA's access requirements. Such violations could invoke heavy fines.

Public IM systems do not offer any mechanism for capturing conversation transcripts. Third-party tools exist which can capture the conversation at its conclusion. However, conversations that are dropped midstream are lost, unless the IM system is server based.

''With few exceptions, consumer-grade IM clients do not provide a means of recording content of IM conversations,'' says Osterman. ''This is a particularly significant shortcoming for firms that are required by statute or convention to retain a copy of communications with customers, business partners and others.''

Another issue is that most systems on the market today are open, meaning that if you know a person's IM address, you can message them directly. Anyone with an IM address, therefore, has the potential to share sensitive data and bypass any corporate audit capabilities.

The best approach to dealing with this issue is to deploy a closed system that can still be exposed to key outside customers and vendors.

And IT managers need to be aware that in generic IM products, transmissions between users utilize clear text that can be captured and analyzed by outsiders. Fortunately, there are fixes via third-party software that improve the security of messages sent over public pipelines.

''In a corporation of any size, it is essential to harness security standards, such as encoded XML and encrypted messages using SSL,'' says LINQware's Turner. ''Otherwise, you have no idea who might be reading your messages.''

And in an age when viruses and worms are causing billions of dollars in damage on a regular basis, that is always a key security concern. And as IM usage becomes more and more prevalent, virus writers will increasingly turn their attention to this new medium.

Virtually all IM systems allow for file transfers that bypass virus checking software. This exposes networks to serious threats, such as the Blaster worm which took down more than 1 million computers in its first 24 hours in the wild.

''No add-on will plug this gaping hole,'' says Turner. ''It requires an enterprise-class system with administrative privileges, which allows you to turn off file transfers between users.''
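The three controls the article attributes to an enterprise-class, server-based system (transcripts retained even when a conversation drops, a closed system exposed only to approved outside partners, and an administrative switch that turns off file transfers) fit naturally into one relay. The code below is an added example, not the article's or any vendor's product; the message shape, the policy settings, the domains and the sample conversation are all constructed for illustration. Transport encryption between client and relay, which Turner raises separately, is outside this example.

```python
"""Server-based IM relay with administrative controls.

Added example, not from the article or any vendor. Message format,
policy settings, domains and the sample conversation are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Policy:
    home_domain: str                      # the corporate IM namespace
    allowed_partner_domains: frozenset    # outside parties the closed system is exposed to
    file_transfers_enabled: bool = False  # administrative switch; off unless IT turns it on


@dataclass
class Relay:
    policy: Policy
    transcript: list = field(default_factory=list)  # appended before any delivery decision

    def _domain(self, address):
        return address.rsplit("@", 1)[-1].lower()

    def deliver(self, sender, recipient, kind, body):
        """Return 'delivered' or 'blocked:<reason>'.

        Every attempt is written to the transcript first, so a session that
        drops mid-conversation still leaves a record up to that point, and
        blocked attempts are visible to the auditor as well.
        """
        self.transcript.append((sender, recipient, kind, body))
        # Closed system: both parties must be in-house or an approved partner.
        for party in (sender, recipient):
            d = self._domain(party)
            if d != self.policy.home_domain and d not in self.policy.allowed_partner_domains:
                return "blocked:unapproved-external-party"
        # File transfers bypass desktop virus checking, so they are off by policy.
        if kind == "file" and not self.policy.file_transfers_enabled:
            return "blocked:file-transfers-disabled"
        return "delivered"


def run_sample():
    """Drive the relay through a constructed conversation; returns the
    per-message outcomes and the number of transcript entries."""
    policy = Policy("corp.example", frozenset({"partner.example"}))
    relay = Relay(policy)
    results = [
        relay.deliver("alice@corp.example", "bob@corp.example", "text", "status call at 3?"),
        relay.deliver("alice@corp.example", "carol@partner.example", "text", "draft coming"),
        relay.deliver("alice@corp.example", "carol@partner.example", "file", "draft.doc"),
        relay.deliver("alice@corp.example", "mallory@public-im.example", "text", "hi"),
    ]
    return results, len(relay.transcript)


if __name__ == "__main__":
    outcomes, logged = run_sample()
    for outcome in outcomes:
        print(outcome)
    print(f"{logged} transcript entries retained")
```

The transcript is written before the policy check rather than after delivery, which is the distinction the article draws between a server-based system and third-party tools that only capture a conversation at its conclusion.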

IM is here, whether IT managers are ready for it or not. The best approach, therefore, is to take control of its usage by establishing corporate policies and adopting an IM system that is designed for the corporate world.
