Communication is the key to any successful business, and technology has always helped enterprises gain that edge. The growing need for faster communication systems has led to the advancement of tools like instant messaging. Instant messaging may seem like a new technology, but it is actually decades old. It began in 1988 with the first IRC system, and since then many new IM systems have been launched -- for example, AIM, Yahoo Messenger, MSN Messenger and ICQ. All of these tools offer different features, but the basic service remains the same: peer-to-peer real-time chatting and file transfer capabilities.
Believe it or not, instant messaging is here to stay. Its growing presence is evident not only from the growing number of IM users on the Internet, but also in corporate communication infrastructure. Just like PDAs and other communication devices, IM has quietly worked its way into the corporate sector. According to IDC, there will be 255 million worldwide IM users in the workplace by the end of 2006. But the big question still remains... security!
Speaking of security, the majority of IM systems are based on a client-server architecture. This means that a user does not exchange messages with his/her buddy directly: each message first travels over the public Internet to the service provider's IM servers and then down to the recipient. This makes messages exchanged between users susceptible to eavesdropping.
Most IM systems available today were not designed with security in mind. Almost every freeware IM system available today not only lacks basic security such as encryption capabilities, but also has features to bypass corporate firewalls, making its use inside an organization virtually uncontrollable. A recent study by Gartner Inc. suggests, "Fifty percent of companies are penetrated by IM, but only one percent of businesses are actually managing it." The fact is that IM systems are rapidly becoming an ideal platform for fast-spreading viruses and worms. Based on integrated directories, IM systems provide an able communication infrastructure, making it easier to locate new targets using buddy lists and, potentially, to mount distributed denial-of-service attacks.
Most IM systems allow scripting, which lets users control certain features of the IM client. Such scripts can turn an IM client into a message-generating tool that sends Trojan horses or software executables instead, silently co-opting the PC for use in a distributed denial-of-service attack. There are a lot of known script-based IM worms, including W32.Aplore@mm, W32.Holar.A@mm and W32.AimVen.Worm, just to name a few.
An exposed bug in IM software, such as a buffer overflow or mishandling of malformed data packets, can potentially give an attacker access over the Internet. For most IM users, news or stories of account hijacking are not new. They result from insecure password management, which leaves accounts vulnerable to hijacking or spoofing. Many IM systems allow user passwords to be stored on the user's PC, making it easier for an attacker to gain access.
While IM users are growing in number every day, organizations are finding it difficult to monitor IM use inside their corporate networks, even the ones that support it. Due to the way most IM systems are designed, even corporate firewall configurations are not sufficient to block access. These systems employ a number of techniques to bypass corporate firewalls and communicate with their IM authentication servers. For example, an IM client can tunnel over HTTP, which is generally open at the corporate firewall.
The best way to block IM clients in your company is to prevent these clients from connecting to their IM authentication servers. This can be achieved by adding either the server's host name, such as chat.messenger.com, or its IP address as BLOCKED in your firewall. This should be done for every chat service you want to block. Since IM service providers keep adding new authentication servers, you will need to keep your blocked list updated accordingly.
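The block list described above can also be checked against web proxy logs to confirm that clients tunneling over HTTP are not still reaching IM servers. The following is an added example, not part of the original article: the log format, the IP range and the choice to treat subdomains of a blocked name as blocked are assumptions, and all log lines are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Block list. chat.messenger.com is the article's example name; the network is a
# constructed placeholder from the RFC 5737 documentation range.
BLOCKED_NAMES = {"chat.messenger.com"}
BLOCKED_NETS = [ipaddress.ip_network("192.0.2.0/28")]

# Constructed proxy log lines in an assumed "<client> <method> <target>" format.
SAMPLE_LOG = """\
10.0.0.5 GET http://intranet.example/index.html
10.0.0.7 CONNECT chat.messenger.com:443
10.0.0.7 POST http://CHAT.MESSENGER.COM./gateway
10.0.0.9 GET http://192.0.2.10:80/login
10.0.0.9 GET http://notchat.messenger.com.example/
10.0.0.4 CONNECT login.chat.messenger.com:5190
"""

def dest_host(method, target):
    """Return the normalized destination host of one proxy request."""
    if method == "CONNECT":            # tunnel request: target is host:port
        host = target.rsplit(":", 1)[0].strip("[]")
    else:                              # plain HTTP: target is an absolute URL
        host = urlsplit(target).hostname or ""
    # Upper case or a trailing dot must not let a name slip past the list.
    return host.lower().rstrip(".")

def is_blocked(host):
    """True if host is a blocked IP, a blocked name, or a subdomain of one."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                 # not an IP literal, so compare as a name
        return any(host == n or host.endswith("." + n) for n in BLOCKED_NAMES)
    return any(ip in net for net in BLOCKED_NETS)

def blocked_requests(log_text):
    """Return (client, destination) pairs for requests to blocked IM servers."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:            # skip lines that do not fit the format
            continue
        client, method, target = parts
        host = dest_host(method, target)
        if is_blocked(host):
            hits.append((client, host))
    return hits

if __name__ == "__main__":
    for client, host in blocked_requests(SAMPLE_LOG):
        print(client, host)
```

Any hit means a client reached, or tried to reach, a listed server through the proxy, which points to either a gap in the firewall rule or an out-of-date list.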
Enabling secure IM communication
If you are really serious about deploying an IM system in your corporate communication infrastructure, you must follow certain guidelines:
No matter what IM system you choose to deploy, security should be the primary concern. Enterprises should consider all security issues such as virus scanning, content filtering, file transfer blocking and anti-spam before deploying an enterprise IM system. While there are clear advantages to these systems, no organization can reap the full benefits of IM systems without following a secure blueprint.
Puneet Mehta is a CISSP Security Architect at SDG Corporation, an e-security consulting and e-business software services and solutions firm headquartered in Connecticut.