Instant messaging has arrived, and with it, a whole host of security problems.
In fact, rarely does such a far-reaching communication mechanism enter an enterprise so unexpectedly. And because it's been unexpected, IM usage has come in largely unplanned and often unregulated, and, as a result, most organizations lack an instant messaging security policy.
You might think that shutting IM off is the answer to any possible security issue, because it creates too many security holes and might lead to a loss of productivity. But you're too late for that solution already; it's a good bet that your CEO is using IM to communicate with some of your company's biggest clients.
The fact is that IM is here for better or worse. You wouldn't shut down e-mail or the telephone system, and IM is also a part of the organization's communications infrastructure, complete with security holes and misuse potential. So bow to the inevitable, treat it the same as you would e-mail. You need to come up with a security policy for instant message usage.
IM usage creates a number of common security issues of which you should be aware:
- Instant messaging clients create a persistent connection through any number of ports. This multiple-port accessibility makes IM difficult to block and monitor, and it opens the computer to worms.
- Almost all IM clients support peer-to-peer file sharing, leaving a possible back door to the computer's files.
- IM traffic is
- sent in clear text, so malicious hackers can use packet sniffers to steal information sent over IM or to gain account information that can be used to impersonate a user.
You can read more about IM's security issues in this article by Neal Hindocha.
So, aside from implementing new technology to monitor or encrypt IM traffic, you need to get a handle on IM by writing it into a security policy. Here are a few things to think about when writing the policy:
- Is IM for internal use only? Companies have wrestled with restricting other communication devices' use to business only. You can make a case that your users don't need instant messaging to communicate outside of the organization.
- Who can use IM? Some departments, the help desk, for instance, may have more of a business need for IM than others, like finance. Decide if IM is a necessity for everyone in the company.
- Which IM client will you use? Instant messages are sent over private networks using different, non-compatible protocols, so you really should have only one IM client. If IM is going to be used as a business communication tool, it makes sense that everyone should be on the same network.
- Will file transfer be allowed? Internal users have many ways to transfer files other than over IM. Disallowing the file transfer options will reduce some of the security risks.
- Think about identity management. If you use IM to communicate outside of the company, are users required to use a handle that identifies them as an employee of the company? Are company user IDs different from personal ones? This is important, because if you don't have a means of managing IM identities, ex-employees can continue to use their IM account IDs.
- Adhere to legal regulations. Many industries require logging or encryption of all communications. You might need to restrict IM usage until means of archiving or encrypting can be worked out.
IM has been around for quite a while, but, compared to e-mail, it's still in its infancy, but that is no reason not to be proactive in recognizing the ubiquity of IM and taking steps to mitigate its security risks.
About the author
Benjamin Vigil is a technical editor at SearchSecurity.com.
This was first published in October 2003