"Instant Messaging has proved to be a useful business tool but many organizations
have been put off using it either by the high cost and complexity of implementing an in-house IM solution
or by the lack of control and security of public IM clients."
Source: MessageLabs | Now part of Symantec
Bullet-proofing Instant Messaging
IM in the Enterprise
Instant Messaging (IM) is expanding in the Enterprise market, having already conquered
the consumer segment. By the end of 2008, statistics indicated that as many as 80 percent of corporate or Enterprise
users ran some form of IM on their desktops. In dollars and people, Enterprise IM is a sizable market, with over 350
million users running IM and over $600 million spent on IM solutions in 2008.
IM's workplace appeal isn't hard to understand. Users like IM's near real-time chat facility, and it makes file
and information transfer among peers quick and easy. With a majority of corporations now using IM, many
Chief Information Officers (CIOs) and
Information Technology (IT) managers are horrified to learn that IM is a serious source
of liability and security exposure. Many users are blissfully unaware of the losses and exposures that can result from
incautious or incorrect use of this popular and convenient tool.
Before we dig into the kinds of risks and exposures that IM can enable, let's look at current IM software offerings
and how these tools function in the workplace.
Leading purveyors of IM software
Whether at home or in the workplace, users gravitate toward tools they already know or to well-known and popular
offerings they are likely to encounter. The best-known IM packages include
AOL Instant Messenger (AIM), Yahoo! Messenger, Google Talk and Windows Messenger. (The
latter shipped with Windows XP; its successor, Windows Live Messenger, is a separate download from the Windows Live
Web site for current Windows versions, including Windows Vista and Windows 7.) Many other options are also available,
including free multiservice clients such as Trillian, open source ones such as Pidgin, plus integrated IM/chat
facilities in packages such as Skype, OpenZoep, ICQ, Tpad and countless other multi-purpose communications clients.
Although details differ, most IM packages offer the following capabilities:
- Easy IM download, install and setup
- Easy integration with e-mail clients for contact information, with automatic
generation of "buddy" or "friend" lists to facilitate messaging with frequent communication partners
- Integrated file transfer
- Capture and storage of IM conversations and other content, often on the local machine by default
Typical usage scenarios
In the workplace IM often replaces e-mail and phone calls for user-to-user or group conversations. This includes
frequent exchanges of files, records and other data, plus regular back-and-forth texting between coworkers or collaborators
busy getting their jobs done. Though much IM traffic involves pairs of users, it's neither difficult nor unusual for
multiparty IM sessions to replace conference calls.
Business uses for IM might involve ongoing and miscellaneous exchanges of document drafts, rapid back-and-forth
comments, a back channel for a conference call, changes to specific Web pages, database snapshots, images, video or
other multimedia. In fact, IM is preferred for quick, unstructured, unformatted conversations with friends and family
or coworkers and colleagues. Boundaries between work and personal use can easily become blurred, because the technology
that works so well for quick-and-easy transfer of files and documents also works for personal photos, music and video files.
Why is IM security such a critical concern?
Alas, many IM security problems can expose organizations directly to serious security risks and potentially
devastating legal liabilities or financial losses. The absence of encryption in most consumer-grade IM is a good
place to start explaining why this claim holds water. Many IM packages also lack strong proofs of user identity,
perform no screening of transferred files or message content, and thereby expose users directly to malicious
software and behavior.
No limits or blocks to malware exposure
The SysAdmin, Audit, Network, Security (SANS) Institute offers security news, information,
training and certification programs. Since the mid-1990s, SANS has been a leader on the information security scene, and
helped formulate significant standards and activities to promote security in both the private and public sectors. From
2003 to the present, SANS lists IM as a primary and leading conduit for malware infection. Simply put, IM makes it far
too easy for malicious users to attach infected files or active content to messages. Because many users apply insufficient
checks to block infected files from taking up residence on their computers, this gives malicious IM a straight path into
unprotected systems.
An open door for content to cross boundaries
Though many users and organizations routinely scan e-mail and the Web pages they visit to screen out unwanted or
unsolicited content, controls and executable files or objects, far too much IM traffic goes unscreened and is delivered
directly to user desktops without prior scanning or checks. Along with potential exposure to malware, IM lets users
exchange copyrighted materials such as images, music or video files. Legally speaking, IM messages and related content
may constitute business records, which makes organizations potentially liable for copyright infringement related to IM
activity in the workplace (or through an organization's systems, even outside normal working hours or activities).
Consumer IM is inherently insecure
Basic IM software packages include little or no security controls, which poses a litany of potential problems and
issues. To begin with, the protocols most consumer IM clients use carry message content in the clear, so anyone who
can intercept the traffic (on the local network, at a wireless hotspot or at any hop in between) can extract and read
it. Even where a client does protect its own connection to the provider's servers, the provider still sees the
plaintext and the organization has neither visibility into nor control over it. Sensitive or confidential information
sent via consumer IM must therefore be assumed readable by third parties. Likewise, the lack of content filtering,
scanning or policy checks creates a veritable free-for-all, where users can exchange any kind of information they
like using IM software.
Such exchanges can (and far too often do) include:
- Infected files
- Copyrighted material belonging to third parties
- Private, sensitive or confidential information that should never be disclosed to third parties but only
shared with users with a legitimate "need to know"
Consumer IM provides no built-in compliance support
Many legal and industry standards that apply to digital information, such as the
Health Insurance Portability and Accountability Act (HIPAA),
Sarbanes-Oxley (SOX) and the Payment Card Industry Data Security
Standard (PCI DSS), require that access to and exchange of regulated information be controlled and logged,
and that such records be retained for specified periods. Consumer-grade IM offers no means of meeting these
requirements and thereby exposes organizations to potential penalties and liability for failure, should formal
outside audits ever be conducted.
Users are exposed to identity spoofing and theft
Once an IM address is added to a user's buddy or friend list, instant access and information exchange become
absurdly easy. On the plus side, it is fast and convenient; on the minus side, a malefactor who registers a look-alike
identity or takes over a real account with stolen credentials inherits that trust and can reach every contact on the
victim's list. Poisoned IMs may contain URLs for malicious Web sites as well as infected attachments, creating multiple
vectors for compromise and attack. Because consumer IM enforces neither strong proofs of identity nor strong access or
content controls, it's easy for unsuspecting users to fall prey to credential and identity theft. Each compromised
account is then used to attack the contacts on its own buddy or friend list, domino-fashion.
Easy ingress for unwanted IM or SPIM
The same things that enable identity spoofing and identity theft, namely easy creation of new IM identities or
impersonation of known and trusted IM identities, also open an avenue for delivery of unsolicited and usually unwanted
IM traffic. Such messages are often called spam over instant messaging (SPIM). Users who aren't careful about who gets
onto their buddy or friend lists may accept all incoming messages from anyone on those lists, opening their PCs to
malicious attachments or links and all kinds of social engineering scams and attacks. Examples of the latter include
the 419 or Nigerian scam, phishing, pharming, IM-based advertisements and other forms of unwanted IM content.
Given the serious security issues that consumer IM invites, this paints a grim picture of what's wrong with using
it in a business setting. Does this mean that IM is inherently unsuited for business use? Not necessarily: numerous
tools that can secure IM are available to counter these vulnerabilities and exposures. In particular,
Software as a Service (SaaS) implementations used to filter and screen IM traffic can be
very effective. They not only secure consumer-grade IM software in the Enterprise, they also route all IM traffic
through filtering and policy control mechanisms designed to meet compliance requirements, avoid exposure and counter
specific vulnerabilities.
Corporate IM security benefits
By installing the right IM services, and securing consumer-grade IM clients, savvy organizations can avoid, forestall
or mitigate vulnerabilities and exposures. They can also impose the same content controls and policy constraints on IM
traffic they already impose on e-mail and Web access. This helps fend off unwanted or malicious content or software
seeking ingress, prevents insecure transmission of sensitive or confidential information and avoids copyright infringement
coming and going.
Taking control over data crossing organizational boundaries
Corporate-grade IM screening and filtering services perform detailed content checks as IM traffic crosses
organizational boundaries. Information can be restricted on the basis of file extension, URLs and actual file
content. This helps prevent accidental infringement of copyright and protects users against incoming or outgoing
malware and SPIM. Most such services permit organizations to impose policy controls over what kinds of content may
cross the boundary, and to enact a variety of checks and filters against file or message content, including URLs.
By itself, this capability helps avoid the most egregious forms of exposure to malware and other potentially hostile
content.
Without such capabilities, organizations risk copyright infringement as images, music and video move across the
network periphery. Likewise, they risk compliance violations whenever sensitive data, customer account data or other
private records and content crosses the boundary, coming or going.
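The boundary checks described above (restricting transfers by file extension, screening URLs and inspecting actual message content, with every decision logged for later audit) are easier to see in working code. The following is an added example, not MessageLabs or Symantec code: a minimal IM gateway policy filter. The blocked extensions, the host blocklist, the sample messages and the test card number 4111 1111 1111 1111 are all constructed for illustration; the card-number scan uses the Luhn check digit, which is the standard first-pass test for payment card numbers under PCI DSS.

```python
"""Added example (not MessageLabs/Symantec code): a minimal IM boundary
filter of the kind the white paper describes. Each message or file
transfer crossing the network periphery is checked against a policy:
blocked attachment types, a URL host blocklist and a scan for payment
card numbers; every decision is written to an audit log. Policy values
and sample traffic are constructed for illustration."""
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Policy (assumed values; a real deployment would load these centrally).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".vbs", ".bat", ".cmd", ".com"}
BLOCKED_HOSTS = {"malware.example", "phish.example"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)\S*", re.IGNORECASE)
# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; rejects most digit strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid card-number candidates found in the text (digits only)."""
    found = []
    for m in PAN_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def blocked_url_hosts(text: str) -> List[str]:
    """Hosts of URLs in the text that match the blocklist exactly or as a subdomain."""
    hits = []
    for m in URL_RE.finditer(text):
        host = m.group(1).lower().rstrip(".")
        if any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS):
            hits.append(host)
    return hits


@dataclass
class Message:
    sender: str
    recipient: str
    text: str
    attachment: Optional[str] = None    # file name of a transfer, if any


@dataclass
class Decision:
    action: str                         # "allow" or "block"
    reasons: List[str] = field(default_factory=list)


def screen(msg: Message) -> Decision:
    """Apply the policy to one message; any hit blocks it."""
    reasons = []
    if msg.attachment:
        ext = os.path.splitext(msg.attachment)[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"attachment type {ext} not permitted")
    for host in blocked_url_hosts(msg.text):
        reasons.append(f"link to blocked host {host}")
    pans = find_pans(msg.text)
    if pans:
        reasons.append(f"{len(pans)} payment card number(s) in message body")
    return Decision("block" if reasons else "allow", reasons)


AUDIT_LOG: List[dict] = []


def gateway(msg: Message) -> Decision:
    """Screen a message and record the decision. The log never contains the raw PAN."""
    decision = screen(msg)
    AUDIT_LOG.append({
        "sender": msg.sender, "recipient": msg.recipient,
        "attachment": msg.attachment, "action": decision.action,
        "reasons": decision.reasons, "chars": len(msg.text),
    })
    return decision


if __name__ == "__main__":
    # Constructed sample traffic; 4111 1111 1111 1111 is a well-known test number.
    samples = [
        Message("alice", "bob", "draft attached, comments by 5?", "q3-plan.docx"),
        Message("bob", "alice", "Hey check this out http://malware.example/pic.jpg"),
        Message("carol", "dave", "customer card is 4111 1111 1111 1111, exp 12/11"),
        Message("eve", "frank", "holiday photo", "photo.jpg.scr"),
    ]
    for m in samples:
        d = gateway(m)
        print(f"{m.sender}->{m.recipient}: {d.action} {d.reasons}")
```

Two design points worth noting. The audit record stores the number of card numbers found, not the numbers themselves, because a log that copies cardholder data becomes another repository in PCI DSS scope. And the double extension `photo.jpg.scr` is blocked on its real suffix; a filter that only looks for the first dot would pass it.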
Ensuring proper security measures are active and enforced
Corporate-grade IM filtering and screening services address all security issues already aired in this white paper.
Here's how:
- Built-in encryption hides plain text and file content: Encryption ensures that no files or message content cross
the organization boundary in transparent, easily readable form. Most corporate IM solutions protect the path between
client and service with Transport Layer Security (TLS, historically 128-bit Secure Sockets Layer (SSL)), which is
sufficient to protect ordinary business content as it transits the network periphery. Note that this is transport
encryption: the screening service necessarily sees message content in the clear in order to scan it, so the most
sensitive data (keys, passwords, other security information) should travel over the stronger, purpose-built mechanisms
such solutions also support for exchanging security information itself.
- All content is screened as it crosses the boundary: Malware and content scans block malicious content,
attachments (files) and links (URLs) from entering or leaving the network, and other types of content screening
prevent copyright infringement from occurring or SPIM from crossing the periphery. Organizations must educate
users about acceptable and unacceptable forms of content, and train them neither to send nor receive copyrighted
materials without permission. Conditions where transfers are permissible should be clearly spelled out and all
other transfers expressly forbidden.
- Security policy is strictly enforced: This involves some or all of the following:
- Use of strong passwords
- Use of multi-factor authentication
- Use of specific types of authentication services
- Compliance with the organization's acceptable use policy (AUP) for appropriate
use of or reference to content, Web sites and IM activity
- Logging of all sensitive data access and transfer
- Use of encryption
- Restrictions on installation and use of consumer-grade IM software
Where corporate solutions are available, users are typically forbidden to bypass corporate screening
and filtering services when using IM on the job. Instead they must route IM traffic through required pathways and services
for work-related purposes and content. (See also the following compliance and authentication items, as all three are
inextricably intertwined in corporate IM.)
- Compliance is assured: By flagging specific applications or data repositories, corporate IM solutions can log
and capture any traffic involving sensitive, private or confidential information to comply with prevailing best
industry practices and regulatory mandates.
- Strong and appropriate authentication and access controls prevail: Although this might be considered part of
enforcing security policy, it warrants a separate item because it touches on multiple security issues. Strong and
appropriate authentication and access controls ensure that users cannot obtain, attach or reference sensitive,
private or confidential data unless both sender and receiver have sufficient "need to know" to access
that information. Also, appropriate use of authentication and access control stymies account spoofing (impersonation)
and improper use of friend or buddy list data. Finally, strong authentication coupled with content screening and
security policy enforcement greatly reduces the risk of identity theft.
Across the board, corporate-grade IM screening and filtering helps establish a secure and compliant messaging
environment where risk is greatly reduced, exposure to vulnerabilities is severely curtailed and regulatory compliance
becomes far easier to demonstrate. This raises the question: "What happens when organizations don't secure their IM
traffic?" As you'll see in the section that follows, outcomes can range from expensive to dire.
IM security breaches and their aftermath
Here we examine situations that resulted in financial losses or other consequences arising from use
of consumer-grade IM in the workplace without screening or filtering in place. Recent studies indicate that malware
attacks via IM have the potential to spread at very high speed. Network worms typically scan other IP addresses
looking for vulnerable targets. The Code Red worm required 14 hours to scan all possible IP addresses on a
network, whereas the Slammer worm did the same thing in only 20 minutes [3]. Using buddy or friend lists, IM attacks
need no scanning at all and can propagate across the Internet in mere seconds [4]. Some experts estimate the average
cost of malware infections in Enterprises at $2 million and up for cleanup, repair and recovery [5]. Significant
financial losses and exposures are never far behind when this occurs.
In 2001, Internet Web services company eFront executive staff used the ICQ IM application to communicate with one
another. Thousands of ICQ messages to and from Sam Jain, the eFront CEO, and other executives were posted on public
Web sites. This led to multiple resignations, strained and broken relationships with partners and threats of legal
action from network affiliates and Web site owners in the eFront network. Thought to be posted by a disgruntled affiliate
or former eFront employee, these messages included strong language and critical remarks about eFront partners, Web operators
and affiliates, plus potentially illegal or unethical advice on how to evade taxes, cheat banner company advertising payment
plans, ranking schemes and more. It's hard not to see eFront's ultimate closure as a consequence of its use of insecure IM
communications, though it clearly had other problems as well.
In 2005, a worm named Oscarbot-B or Doyorg began to make the rounds on AIM [6]. This worm hijacks the
buddy list of an infected user's AIM account and sends a message reading "Hey check this out" to everyone on it.
Those who click the embedded link in that message risk infection in turn. Where infection succeeds, the worm opens a
backdoor that connects the PC to an Internet Relay Chat (IRC) channel, then downloads and executes files on the
compromised machine, giving an attacker remote access to it. Because such malware can install a keylogger and actively
search for identity and account data, losses from identity theft can easily follow. In such cases, losses of individual
or corporate assets depend on what information resides on the compromised PCs.
The bad news is that consumer-grade IM software is inadequately protected, is vulnerable to attack or compromise, does
not comply with regulations and mandates and facilitates copyright infringement, especially when used in the workplace.
The good news is that corporate-grade filtering and screening services, and more secure software, are readily available,
affordable and integrate well with existing security services and solutions. With the right tools in place, there will
be no further need to dodge bullets, or worry about where the next one is coming from.
IM Security Services can address your concerns
MessageLabs hosted Instant Messaging Security Services (IMSS) is an IM security solution
designed specifically for businesses that see the value in IM, but want to eliminate some of the risks associated with
public IM services (such as Yahoo! Messenger, AOL AIM and Microsoft's Live Messenger). IMSS provides advanced
functionality such as content control, malicious link blocking and logging of all IM conversations. These logs can
then be imported into an archive system for quick and easy retrieval in the event of legal disclosure requirements.
The legal risks associated with uncontrolled IM use need to be taken seriously by organizations of all sizes. Taking
preventive measures is better than applying a cure after the fact. Formulating company policy on IM use is essential, but
it cannot protect an organization to the same extent as a dedicated IM security service, such as IMSS. IMSS proactively
prevents wrongdoing by controlling who uses IM and how they use it. The fact that some kind of monitoring is in place will,
in many cases, provide a defense against actions brought on as a result of use of public IM systems.
For more information about how the MessageLabs hosted IM Security Service could help your business address the legal
risks of unmonitored IM use or to register for a free trial, visit
www.messagelabs.com/trials/free_im.
About MessageLabs | Now part of Symantec
MessageLabs, now part of Symantec, is the world's leading provider of hosted services for securing and managing
email, web and IM traffic. Over 21,000 organizations and over 9 million end users in 99 countries
employ MessageLabs services to protect against viruses, spam, phishing, inappropriate Internet use, spyware and other
business-damaging threats.
For more information on MessageLabs, now a part of Symantec,
Email and Web Security Services,
contact us
at
(866) 460-0000
or visit us at
www.messagelabs.com.
All terms mentioned in this white paper that are known trademarks or service marks have been appropriately
capitalized. The trademarks or service marks are the property of their respective owners.