
>Bullet-Proofing Instant Messaging

> IM in the Enterprise
IM, or instant messaging, is expanding in the Enterprise market, having already conquered the consumer segment. By the end of 2008, statistics indicated that as many as 80 percent of corporate or Enterprise users ran some form of IM on their desktops [1]. In dollars and people, Enterprise IM is a sizable market, with over 350 million users running IM and over $600 million spent on IM solutions in 2008 [2].

IM’s workplace appeal isn’t hard to understand. Users like IM’s near real-time chat facility, and it
makes file and information transfer among peers quick and easy. With a majority of corporations
now using IM, many CIOs and IT managers are horrified to learn that IM is a serious source of
liability and security exposure. Many users are blissfully unaware of the losses and exposures that
can result from incautious or incorrect use of this popular and convenient tool.
Before we dig into the kinds of risks and exposures that IM can enable, let’s look at current IM software offerings and how these tools function in the workplace.

Leading purveyors of IM software

Whether at home or in the workplace, users gravitate toward tools they already know or to well-known and popular offerings they are likely to encounter. The best-known IM packages include AIM (AOL Instant Messenger), Yahoo! Messenger, Google Talk and Windows Messenger. (The latter has been bundled with Windows XP since Service Pack 2 and comes with all versions of Windows Vista; it’s now available at the Windows Live Web site for all current Windows versions, including Windows 7.) There are many other options also available, including open source or free multiservice clients such as Trillian, plus integrated IM/chat facilities in packages such as Skype, OpenZoep, ICQ, Tpad and countless other multi-purpose communications clients.

Although details differ, all IM packages offer the following capabilities:

●● Easy IM download, install and setup
●● Easy integration with e-mail clients for contact information, with automatic generation of “buddy” or “friend” lists to facilitate messaging with frequent communication partners
●● Integrated file transfer
●● Automatic capture and storage of IM conversations and other content

Typical usage scenarios
In the workplace IM often replaces e-mail and phone calls for user-to-user or group conversations.
This includes frequent exchanges of files, records and other data, plus regular back-and-forth
texting between coworkers or collaborators busy getting their jobs done. Though much IM traffic
involves pairs of users, it’s neither difficult nor unusual for multiparty IM sessions to replace
conference calls.

Business uses for IM might involve ongoing and miscellaneous exchanges of document drafts, rapid back-and-forth comments, a back channel for a conference call, changes to specific Web pages, database snapshots, images, video or other multimedia. In fact, IM is preferred for quick, unstructured, unformatted conversations with friends and family or coworkers and colleagues. Boundaries between work and personal use can easily become blurred, because the technology that works so well for quick-and-easy transfer of files and documents also works for personal photos, music and video files.

> Why is IM security such a critical concern?

Alas, many IM security problems can expose organizations directly to serious security risks and potentially devastating legal liabilities or financial losses. Because most consumer-grade IM technology is not encrypted, that makes a good place to start exploring how and why this claim holds water. Many IM packages also lack strong proofs of user identity, perform neither file nor content screening on transmissions and directly expose users to malicious software and behavior.

[1] Source: Radicati Group 2008.
[2] Source: Gartner Group 2008.

No limits or blocks to malware exposure

The SANS (SysAdmin, Audit, Network, Security) Institute offers security news, information, training and certification programs. Since the mid-1990s, SANS has been a leader on the information security scene, and helped formulate significant standards and activities to promote security in both the private and public sectors. From 2003 to the present, SANS lists IM as a primary and leading conduit for malware infection. Simply put, IM makes it far too easy for malicious users to attach infected files or active content to messages. Because many users apply insufficient checks to block infected files from taking up residence on their computers, this gives malicious IM a straight path into unprotected systems.

An open door for content to cross boundaries

Though many users and organizations routinely scan e-mail and Web pages they visit to screen out unwanted or unsolicited content, controls and executable files or objects, far too much IM traffic goes unscreened and is directly delivered to user desktops without prior scanning or checks. Along with potential exposure to malware, IM allows users to exchange copyrighted materials such as images, music or video files. Legally speaking, IM messages and related content represent business records, which makes organizations potentially liable for copyright infringement related to IM activity in the workplace (or through an organization’s systems, even outside normal working hours or activities).

Consumer IM is inherently insecure

Basic IM software packages include little or no security controls. This poses a litany of potential problems and issues. To begin with, the Internet protocols that IM software uses are transparent, making intercepted message traffic visible to anyone who knows how to extract and view IM message content. Because these protocols include no built-in encryption, even sensitive or confidential information sent via IM is completely readable. Likewise, the lack of content filtering, scanning or policy checks creates a veritable free-for-all, where users can exchange any kind of information they like using IM software.

Such exchanges can (and far too often do) include:

●● Infected files
●● Copyrighted material belonging to third parties
●● Private, sensitive or confidential information that should never be disclosed to
third parties but only shared with users with a legitimate “need to know”

Consumer IM provides no built-in compliance support

Many legal standards that apply to digital information, such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley and the Payment Card Industry Data Security Standard (PCI DSS), stipulate that all access to and exchange of private or confidential information be logged, and all such information be retained to meet specific requirements. Consumer-grade IM does not comply with these stipulations and thereby exposes organizations to potential penalties and liability for failure, should formal outside audits ever be conducted.

Users are exposed to identity spoofing and theft

Once an IM address is added to a user’s buddy or friend list, instant access and information exchange becomes absurdly easy. On the plus side, it is fast and convenient; on the minus side, IM lets malefactors use fake or stolen user credentials to gain high-level access to many users’ computers. Poisoned IMs may contain URLs for malicious Web sites as well as infected attachments, and create multiple vectors for compromise and attack. Because consumer IM doesn’t enforce strong proofs of identity nor strong access or content controls, it’s easy for unsuspecting users to fall prey to identity theft. Others on their friend or buddy lists can likewise fall prey to such attacks, owing to ongoing compromise of user accounts, domino-fashion.

Easy ingress for unwanted IM or SPIM

The same things that enable identity spoofing and identity theft—namely, easy creation of new IM identities or impersonation of known and trusted IM identities—also open an avenue for delivery of unsolicited and usually unwanted IM traffic. Such messages are often called SPIM as a contraction of “spam IM.” Users who aren’t careful about who gets onto their buddy or friend lists may accept all incoming messages from anyone on those lists, opening their PCs to malicious attachments or links and all kinds of social engineering scams and attacks. Examples of the latter include the 419 or Nigerian scam, phishing, pharming, IM-based advertisements and other forms of unwanted IM content.

Given the serious security issues that consumer IM invites, this paints a grim picture of what’s wrong with using it in a business setting. Does this mean that IM is inherently unsuited for business use? Numerous tools that can secure IM are available to effectively counter vulnerabilities and exposures. In particular, Software as a Service (aka SaaS) implementations used to filter and screen IM traffic can be incredibly effective—they not only secure consumer-grade IM software in the Enterprise, they also route all IM traffic through filtering and policy control mechanisms designed to meet compliance requirements, avoid exposure and counter specific vulnerabilities.

> Corporate IM security benefits
By installing the right IM services, and securing consumer-grade IM clients, savvy organizations
can avoid, forestall or mitigate vulnerabilities and exposures. They can also impose the same
content controls and policy constraints on IM traffic they already impose on e-mail and Web access.
This helps fend off unwanted or malicious content or software seeking ingress, prevents insecure
transmission of sensitive or confidential information and avoids copyright infringement coming
and going.

Taking control over data crossing organizational boundaries

Corporate-grade IM screening and filtering services perform detailed content checks as IM traffic crosses organizational boundaries. Information can be restricted on the basis of file extension, URLs and actual file content. This prevents accidental infringement of copyright and protects users against incoming or outgoing malware and SPIM. Most corporate IM screening and filtering services permit organizations to impose policy controls over what kinds of content may cross the boundary, and to enact a variety of checks and filters against file or message content, including URLs. By itself, this capability helps avoid egregious forms of vulnerability from malware and other potentially hostile content.

Without such capabilities, organizations risk copyright infringement as images, music and video move across the network periphery. Likewise, they risk compliance violations whenever sensitive data, customer account data or other private records and content crosses the boundary, coming or going.

Ensuring proper security measures are active and enforced

Corporate-grade IM filtering and screening services address all security issues already aired in this white paper. Here’s how:

●● Built-in encryption hides plain text and file content: Encryption ensures that no files or message content crosses the organization boundary in transparent, easily readable form. Most corporate IM solutions impose 128-bit Secure Sockets Layer or other reasonably strong encryption sufficient to protect all but the most sensitive of data (keys, passwords, other security information) as it transits the network periphery. Other, stronger mechanisms are also supported for secure exchange of security information itself.
●● All content is screened as it crosses the boundary: Malware and content scans block malicious content, attachments (files) and links (URLs) from entering or leaving the network, and other types of content screening prevent copyright infringement from occurring or SPIM from crossing the periphery. Organizations must educate users about acceptable and unacceptable forms of content, and train them neither to send nor receive copyrighted materials without permission. Conditions where transfers are permissible should be clearly spelled out and all other transfers expressly forbidden.
●● Security policy is strictly enforced: This involves some or all of the following:
    ºº Use of strong passwords
    ºº Use of multi-factor authentication
    ºº Use of specific types of authentication services
    ºº Compliance with the organization’s acceptable use policy (AUP) for appropriate use of or reference to content, Web sites and IM activity
    ºº Logging of all sensitive data access and transfer
    ºº Use of encryption
    ºº Installation and use of consumer-grade IM software

    Where corporate solutions are available, users are typically forbidden to bypass corporate screening and filtering services when using IM on the job. Instead they must route IM traffic through required pathways and services for work-related purposes and content. (See also the following compliance and authentication items, as all three are inextricably intertwined in corporate IM.)
●● Compliance is assured: By flagging specific applications or data repositories, corporate IM solutions can log and capture any traffic involving sensitive, private or confidential information to comply with prevailing best industry practices and regulatory mandates.
●● Strong and appropriate authentication and access controls prevail: Although this might be considered part of enforcing security policy, it warrants a separate item because it touches on multiple security issues. Strong and appropriate authentication and access controls ensure that users cannot obtain, attach or reference sensitive, private or confidential data unless both sender and receiver have sufficient “need to know” to access that information. Also, appropriate use of authentication and access control stymies account spoofing (impersonation) and improper use of friend or buddy list data. Finally, strong authentication coupled with content screening and security policy enforcement prevents identity theft.

Across the board, corporate-grade IM screening and filtering helps establish a secure and compliant messaging environment where risk is greatly reduced, exposures to vulnerability severely mitigated and regulatory compliance is automatic and effective. This raises the question: “What happens when organizations don’t secure their IM traffic?” As you’ll see in the section that follows, outcomes can range from expensive to dire.
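As an added illustration of the boundary screening and compliance logging this section describes (example code written for this page, not MessageLabs or IMSS code; the blocked extension sets, the blocklisted host `malicious.example` and the sample messages are all constructed), a minimal gateway check in Python that blocks by attachment type and link host and logs payment-card content for retention:

```python
"""Illustrative IM gateway policy check: extension, URL and content screening
with a compliance log.  Constructed example; not any product's code."""
import os
import re
from dataclasses import dataclass, field
from typing import List

BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".vbs"}  # constructed policy
MEDIA_EXTENSIONS = {".mp3", ".avi", ".mov"}              # AUP: no media files
BLOCKED_URL_HOSTS = {"malicious.example"}                # constructed blocklist
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")          # candidate card numbers

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so an arbitrary digit run is not mistaken for a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class Message:
    sender: str
    recipient: str
    text: str
    attachment: str = ""          # file name of an attachment, if any

@dataclass
class Verdict:
    action: str                   # "allow", "block" or "allow+log"
    reasons: List[str] = field(default_factory=list)

def screen(msg: Message, audit_log: list) -> Verdict:
    """Apply the gateway policy to one message; append records to audit_log."""
    reasons = []
    if msg.attachment:
        ext = os.path.splitext(msg.attachment)[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked attachment type {ext}")
        elif ext in MEDIA_EXTENSIONS:
            reasons.append(f"media file {ext} not permitted by AUP")
    for host in URL_RE.findall(msg.text):
        if host.lower() in BLOCKED_URL_HOSTS:
            reasons.append(f"blocked link host {host}")
    if reasons:
        audit_log.append(("block", msg.sender, msg.recipient, "; ".join(reasons)))
        return Verdict("block", reasons)
    # Sensitive content passes but is logged, as PCI DSS style retention requires.
    for m in CARD_RE.finditer(msg.text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            audit_log.append(("sensitive", msg.sender, msg.recipient, "card number"))
            return Verdict("allow+log", ["payment card number present"])
    return Verdict("allow", [])

SAMPLE_MESSAGES = [  # constructed sample traffic crossing the boundary
    Message("alice", "bob", "Draft attached, comments welcome", "q3-draft.docx"),
    Message("mallory", "bob", "have a look at http://malicious.example/update"),
    Message("carol", "dave", "here is the track", "song.mp3"),
    Message("erin", "frank", "card on file is 4111 1111 1111 1111"),
    Message("erin", "frank", "ticket ref 1234 5678 9012 3456"),  # fails Luhn
]

def demo() -> List[str]:
    """Screen the sample traffic and return the action taken per message."""
    audit_log = []
    return [screen(m, audit_log).action for m in SAMPLE_MESSAGES]
```

A real gateway would also scan attachment bytes rather than trusting the file extension, which is what the "actual file content" checks above refer to.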

> IM security breaches and their aftermath

Here we examine three different situations that resulted in financial losses or other consequences arising from use of consumer-grade IM in the workplace without screening or filtering in place. Recent studies indicate that malware attacks via IM have the potential to spread at very high speed. Worms, for example, will often ping other local IP systems looking for vulnerable targets. The Code Red virus required 14 hours to ping all possible IP addresses on a network, whereas the Slammer worm did the same thing in only 20 minutes [3]. Using buddy or friend lists, IM attacks can propagate onto the Internet in mere seconds [4]. Some experts estimate the average cost of malware infections in Enterprises at $2 million and up for cleanup, repair and recovery [5]. Significant financial losses and exposures are never too far behind when this occurs.

In 2001, Internet Web services company eFront executive staff used the ICQ IM application to communicate with one another. Thousands of ICQ messages to and from Sam Jain, the eFront CEO, and other executives were posted on public Web sites. This led to multiple resignations, strained and broken relationships with partners and threats of legal action from network affiliates and Web site owners in the eFront network. Thought to be posted by a disgruntled affiliate or former eFront employee, these messages included strong language and critical remarks about eFront partners, Web operators and affiliates, plus potentially illegal or unethical advice on how to evade taxes, cheat banner company advertising payment plans, ranking schemes and more. It’s hard not to see eFront’s ultimate closure as a consequence of its use of insecure IM communications, though it clearly had other problems as well.

[3] MacDonald, L., K. Fougere, and K. Sousa. 2007. “Managing instant messaging security: A pilot study of recommended practices,” http://www.docstoc.com/docs/6513561/Managing-Instant-Messaging-Security.
[4] Keizer, G. “Symantec warns that IM worms could devastate business,” InformationWeek, http://www.informationweek.com/story/showArticle.jhtml?articleID=22100814, 14 June 2004.
[5] Danchev, D. “Malware—future trends,” http://www.packetstormsecurity.org/papers/general/malware-trends.pdf, nd.

In 2005, a worm named Oscarbot-B or Doyorg began to make the rounds through a vulnerability in AIM [6]. This worm hijacks the buddy list in an infected user’s AIM account, and sends messages with a subject of “Hey check this out” to all such users. Those who click the embedded link in that message risk falling prey to this infection. Where infection succeeds, the worm opens a backdoor into Internet Relay Chat (IRC), then downloads and executes files on the compromised PC, giving an attacker remote access to that machine. Because such malware could potentially install and monitor a keylogger, and actively search for identity and account data, losses from identity theft could easily occur. In such cases, losses of individual or corporate assets may occur depending on what information resides on compromised PCs.

The bad news is that consumer-grade IM software is inadequately protected, is vulnerable to attack or compromise, does not comply with regulations and mandates and infringes copyright, especially when used in the workplace. The good news is that corporate-grade filtering and screening services, and more secure software, are readily available, affordable and integrate well with existing security services and solutions. With the right tools in place, there will be no further need to dodge bullets, or worry about where the next one is coming from.

> IM Security Services can address your concerns

MessageLabs hosted IM Security Services (IMSS) is an IM security solution designed specifically for businesses that see the value in IM, but want to eliminate some of the risks associated with public IM services (such as Yahoo Mail, AOL AIM and Microsoft’s Live Messenger). IMSS provides advanced functionality such as content control, malicious link blocking and logging of all IM conversations. These logs can then be imported into an archive system for quick and easy retrieval in the event of legal disclosure requirements.

The legal risks associated with uncontrolled IM use need to be taken seriously by organizations
of all sizes. Taking preventive measures is better than applying a cure after the fact. Formulating
company policy on IM use is essential, but it cannot protect an organization to the same extent as
a dedicated IM security service, such as IMSS. IMSS proactively prevents wrongdoing by control-
ling who uses IM and how they use it. The fact that some kind of monitoring is in place will, in many
cases, provide a defense against actions brought on as a result of use of public IM systems.

For more information about how the MessageLabs hosted IM Security Service could help your
business address the legal risks of unmonitored IM use or to register for a free trial, visit
http://www.messagelabs.com/trials/free_im.

> About MessageLabs | Now part of Symantec
MessageLabs, now part of Symantec, is the world’s leading provider of hosted services for securing
and managing email, web, and IM traffic (or communications). Over 21,000 organizations and over
9 million end users in 99 countries employ MessageLabs services to protect against viruses, spam,
phishing, inappropriate Internet use, spyware and other business damaging threats.

For more information on MessageLabs, now a part of Symantec, Email and Web Security Services,
contact us at (866) 460-0000 or visit us at www.messagelabs.com.

All terms mentioned in this white paper that are known trademarks or service marks have been appropriately capitalized. The
trademarks or service marks are the property of their respective owners.
[6] Dunn, J. 16 May 2005. “New IM worm is coming to you,” TechWorld, http://www.techworld.com/security/news/index.cfm?NewsID=3667.
© MessageLabs 2009
All rights reserved
