
Instant Problems :-(

Instant messaging (IM) is big. I remember trying out this new thing called ICQ (now a very popular form of Instant Messaging) at home a number of years ago and thinking how useful it was being able to communicate with people via text in real-time, free of charge whilst connected to the Internet. Faster and more efficient than email, it is little wonder that IM has since experienced massive growth in home and business use.

Consider some of the cases for using IM, which in some organisations has become a critical business tool:

Speed – People often have to wait a long time for a response to an email, and we all know how frustrating that can be. With IM, immediate responses can mean a boost for time-sensitive business processes, problem resolution and customer service.

Task augmentation – An example is when a person is on the telephone to a client and can also communicate with internal colleagues to take advice or relevant information at the same time.

Conferencing – With IM, you can hold several conversations at once separately (just make sure you don’t type the stuff to the boss that was meant for your spouse!), or in a conference, which can save time and potential phone costs.

The Dark Side

Sounds too good to be true? Unfortunately there are potentially serious downsides.

IM can be yet another distraction in the working day – people chatting, flirting and sending various “smileys” to friends all day instead of performing their tasks.

Then of course comes the inevitable plethora of security issues to cope with.

Public IM is sent unencrypted over the Internet, so conversations may be subject to eavesdropping (or sniffing, as it is called in the IT world).

Identities can be spoofed. Public IM systems allow users to be anonymous, with user names which don’t necessarily correspond to real email addresses. This has identity theft implications and opens up the world of social engineering via authentication abuse.
By default, most IM packages do not log conversations and other actions like file transfers. With these going undetected, IM makes an excellent means of covert communication. Sensitive files may be leaked without a trace, making unauthorised distribution of confidential data a real risk.

Unmonitored use of chat lets employees converse about anything they wish, not just work-related matters. When people want to have a good gossip, instead of going off to whisper secretly in a dark corner, IM allows this to take place from the relative comfort of their desks.

Viruses and worms can spread via IM, and the number of these is increasing rapidly. So far this year alone, more than 40 different worms have been seen spreading via IM systems, mostly targeting Microsoft’s MSN Messenger (nothing new there). Two of the big security problems are users clicking on links to websites that contain malicious code (e.g. the Bropia virus), and users downloading and executing infected attachments.

Firewall protection is breached. Using IM can be akin to punching a hole in the corporate firewall, thus allowing hackers, viruses, worms and corporate spies access to the internal network.

There is even IM spam, termed “Spim”. Although not yet up there with email spamming in terms of prevalence and annoyance, spim will likely play a bigger part in the future. Spim can be even more disruptive than spam, because the spim pops up, thus interrupting what the recipient is doing at the time. It is also often of a sexually offensive nature, which could lead to HR and legal risk in organisations.

So here is yet another killer application with the ability to cause large headaches for those organisations utilising it. Don’t make the assumption that employees in your office aren’t using IM. If it’s not part of a formal system, it is likely to be in use anyway. With workarounds such as ‘Web Messenger’ – using IM via a web browser – the circumventing of security policy could be well underway.
To add to this loophole there are many sites that offer this facility, so blacklisting them could prove to be a painstaking operation.

Dealing with IM Security

Strategies can be adopted to combat these security challenges. Some security layers to be considered are:
If IM is still having an adverse effect by causing many of the problems outlined in this article (i.e. the risk is deemed unacceptable), organisations can always do what many already have - ban it!

Alan Phillips, 7Safe Information Security