10 steps to secure instant messaging


Puneet Mehta, CISSP
03.05.2004

Communication is the key to any successful business, and technology has always helped enterprises gain that edge. The growing need for faster communication systems has led to the advancement of tools like instant messaging. Instant messaging may seem like a new technology, but it is actually decades old. It began in 1988 with the first IRC system and since then, many new IM systems have been launched -- for example, AIM, Yahoo Messenger, MSN Messenger and ICQ. All of these tools offer different features, but the basic service remains the same: peer-to-peer real-time chatting and file transfer capabilities.

Believe it or not, instant messaging is here to stay. Its growing presence is evident not only from the growing number of Internet IM users, but also in corporate communication infrastructure. Just like PDAs and other communication devices, IM has quietly worked its way into the corporate sector. According to IDC, there will be 255 million worldwide IM users in the workplace by the end of 2006. But the big question still remains… security!

Speaking of security, the majority of IM systems are based on a client-server architecture. This means that a user does not exchange messages with his/her buddy directly: each message first travels over the public Internet to the service provider's IM servers and then down to the recipient. This makes messages exchanged between users susceptible to eavesdropping.

Most of the IM systems available today were not designed with security in mind. Almost every freeware IM system available today not only lacks basic security such as encryption capabilities, but also has features to bypass corporate firewalls, making its use inside an organization virtually uncontrollable. A recent study by Gartner Inc. suggests, "Fifty percent of companies are penetrated by IM, but only one percent of businesses are actually managing it." The fact is that IM systems are rapidly becoming an ideal platform for fast-spreading viruses and worms. Because they are built on integrated directories, IM systems provide a capable communication infrastructure that makes it easier to locate new targets using buddy lists and potentially to mount a distributed denial-of-service attack.

Most IM systems allow scripting, which lets users control certain features of the IM client. Such scripts can turn an IM client into a message-generating tool that sends Trojan horses or software executables instead, silently co-opting the PC for use in a distributed denial-of-service attack. There are a lot of known script-based IM worms including W32.Aplore@mm, W32.Holar.A@mm and W32.AimVen.Worm, just to name a few.

An exposed bug in the IM software, such as a buffer overflow or the mishandling of malformed data packets, can potentially provide access to an attacker over the Internet. For most IM users, stories of account hijacking are not new. These stem from insecure password management, which makes accounts vulnerable to hijacking or spoofing. Many IM systems allow user passwords to be stored on their PCs, making it easier for an attacker to gain access.

While IM users are growing in number every day, organizations are finding it difficult to monitor IM use inside their corporate networks, even the ones that support it. Due to the way most IM systems are designed, even corporate firewall configurations are not sufficient to block access. These systems employ a number of techniques to bypass corporate firewalls to communicate with their IM authentication servers. For example, an IM client can tunnel over HTTP, which is generally open at the corporate firewall.

The best way to block IM clients in your company is to prevent these clients from connecting to their IM authentication servers. This can be achieved by adding either the server's host name, such as chat.messenger.com, or its IP address as BLOCKED in your firewall. This should be done for every chat service you want to block. Since IM service providers keep adding new authentication servers, you will need to keep your blocked list updated accordingly.
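Because clients that tunnel over HTTP still pass through the web proxy, the proxy log is a practical place to check whether the blocked list is holding. The following added example (not part of the original tip) audits log lines against a blocklist of IM login domains; it assumes a Squid-style native access log, the sample lines are constructed, and `login.im.example` is a hypothetical placeholder domain.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Blocklist of IM login-server domains. chat.messenger.com is the article's
# example; login.im.example is a hypothetical placeholder.
BLOCKED_DOMAINS = {"chat.messenger.com", "login.im.example"}

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client action/code bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1078473600.101 120 10.0.0.15 TCP_MISS/200 512 GET http://www.example.org/ - DIRECT/192.0.2.10 text/html
1078473601.250 340 10.0.0.22 TCP_MISS/200 988 POST http://gw1.chat.messenger.com/gateway - DIRECT/192.0.2.20 application/octet-stream
1078473602.400 9000 10.0.0.22 TCP_MISS/200 4096 CONNECT login.im.example:443 - DIRECT/192.0.2.30 -
1078473603.000 80 10.0.0.31 TCP_DENIED/403 0 GET http://CHAT.MESSENGER.COM./login - NONE/- text/html
1078473604.000 50 10.0.0.40 TCP_MISS/200 300 GET http://notchat.messenger.com.example.net/ - DIRECT/192.0.2.40 text/html
garbage line
"""

def request_host(method, url):
    """Return the lower-cased host a proxy request targets, or None."""
    # CONNECT carries "host:port"; other methods carry an absolute URL.
    target = "//" + url if method == "CONNECT" else url
    try:
        host = urlsplit(target).hostname
    except ValueError:
        return None
    return host.rstrip(".") if host else None

def is_blocked(host, blocked=BLOCKED_DOMAINS):
    """Match the domain itself or any subdomain, never a mere substring."""
    return any(host == d or host.endswith("." + d) for d in blocked)

def audit(log_text):
    """Map client IP -> list of (host, method, allowed) for blocked IM hosts."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip malformed lines
        client, action, method, url = fields[2], fields[3], fields[5], fields[6]
        host = request_host(method, url)
        if host and is_blocked(host):
            # TCP_DENIED means the proxy refused it; anything else got through.
            allowed = not action.startswith("TCP_DENIED")
            hits[client].append((host, method, allowed))
    return dict(hits)

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Entries with `allowed` set to `True` are the ones to act on: the client reached an IM login server despite the policy. Matching on the domain suffix also catches a newly added server under a domain that is already listed.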

Enabling secure IM communication

If you are really serious about deploying an IM system in your corporate communication infrastructure, you must follow certain guidelines:
  • Establish a corporate IM usage policy.
  • Do not allow any public IM services inside the corporate network.
  • Educate employees about the potential security risks involved in using public IM services.
  • Configure your firewalls to block all non-approved IM services.
  • Install good anti-virus software on every PC. This is the only way you can stop viruses, Trojans and worms from spreading through IM file transfers. Configure the anti-virus clients for Live/Automatic Update, so that you don't miss out on any new virus definitions.
  • Not everything can be blocked at the corporate firewall. Desktop firewalls provide another layer of security by restricting users from using public IM services. These firewalls work on deny and allow rules, which are associated with programs installed on the PC. You can configure them to only allow approved programs to connect to the Internet.
  • It's always better to deploy corporate IM servers. A secure IM system is one that features certified strong encryption and authentication and integrates well with existing corporate directory services infrastructure (LDAP). One such product, which is widely used in many organizations, is IBM's Lotus Sametime.
  • If you choose to go with an external IM service provider, make sure the IM clients only connect to the designated servers. Do not list these servers publicly.
  • Never miss out on new IM security patches and updates.
  • Auditing is an important tool. Regular auditing helps ensure IM usage policy compliance.

No matter what IM system you choose to deploy, security should be the primary concern. Enterprises should consider all security issues such as virus scanning, content filtering, file transfer blocking and anti-spam before deploying an enterprise IM system. While there are clear advantages of these systems, no organization can reap the full benefits of IM systems without following a secure blueprint.


Puneet Mehta is a CISSP Security Architect at SDG Corporation, an e-security consulting and e-business software services and solutions firm headquartered in Connecticut.

All Rights Reserved, Copyright 2000 - 2008, TechTarget