Messaging
> IM in the Enterprise
IM, or instant messaging, is expanding in the Enterprise market, having already conquered the consumer segment. By the end of 2008, statistics indicated that as many as 80 percent of corporate or Enterprise users ran some form of IM on their desktops [1]. In dollars and people, Enterprise IM is a sizable market, with over 350 million users running IM and over $600 million spent on IM solutions in 2008 [2].
IM’s workplace appeal isn’t hard to understand. Users like IM’s near real-time chat facility, and it
makes file and information transfer among peers quick and easy. With a majority of corporations
now using IM, many CIOs and IT managers are horrified to learn that IM is a serious source of
liability and security exposure. Many users are blissfully unaware of the losses and exposures that
can result from incautious or incorrect use of this popular and convenient tool.
Before we dig into the kinds of risks and exposures that IM can enable, let’s look at current IM software offerings and how these tools function in the workplace.
Leading purveyors of IM software
Whether at home or in the workplace, users gravitate toward tools they already know or to well-known and popular offerings they are likely to encounter. The best-known IM packages include AIM (AOL Instant Messenger), Yahoo! Messenger, Google Talk and Windows Messenger. (The latter has been bundled with Windows XP since Service Pack 2 and comes with all versions of Windows Vista; it’s now available at the Windows Live Web site for all current Windows versions, including Windows 7.) There are many other options also available, including open source or free multiservice clients such as Trillian, plus integrated IM/chat facilities in packages such as Skype, OpenZoep, ICQ, Tpad and countless other multi-purpose communications clients.
Business uses for IM might involve ongoing and miscellaneous exchanges of document drafts, rapid back-and-forth comments, a back channel for a conference call, changes to specific Web pages, database snapshots, images, video or other multimedia. In fact, IM is preferred for quick, unstructured, unformatted conversations with friends and family or coworkers and colleagues. Boundaries between work and personal use can easily become blurred, because the technology that works so well for quick-and-easy transfer of files and documents also works for personal photos, music and video files.
______________________________________________________
[1] Source: Radicati Group 2008.
[2] Source: Gartner Group 2008.
nology is not encrypted, that makes a good place to start exploring how and why this claim holds
water. Many IM packages also lack strong proofs of user identity, perform neither file nor content
screening on transmissions and directly expose users to malicious software and behavior.
● Infected files
● Copyrighted material belonging to third parties
● Private, sensitive or confidential information that should never be disclosed to third parties but only shared with users with a legitimate “need to know”
Easy ingress for unwanted IM or SPIM
The same things that enable identity spoofing and identity theft—namely, easy creation of new IM identities or impersonation of known and trusted IM identities—also open an avenue for delivery of unsolicited and usually unwanted IM traffic. Such messages are often called SPIM as a contraction of “spam IM.” Users who aren’t careful about who gets onto their buddy or friend lists may accept all incoming messages from anyone on those lists, opening their PCs to malicious attachments or links and all kinds of social engineering scams and attacks. Examples of the latter include the 419 or Nigerian scam, phishing, pharming, IM-based advertisements and other forms of unwanted IM content.
Given the serious security issues that consumer IM invites, this paints a grim picture of what’s wrong with using it in a business setting. Does this mean that IM is inherently unsuited for business use? Numerous tools that can secure IM are available to effectively counter vulnerabilities and exposures. In particular, Software as a Service (aka SaaS) implementations used to filter and screen IM traffic can be incredibly effective—they not only secure consumer-grade IM software in the Enterprise, they also route all IM traffic through filtering and policy control mechanisms designed to meet compliance requirements, avoid exposure and counter specific vulnerabilities.
train them neither to send nor receive copyrighted materials without permission.
Conditions where transfers are permissible should be clearly spelled out and all
other transfers expressly forbidden.
● Security policy is strictly enforced: This involves some or all of the following:
  º Use of strong passwords
  º Use of multi-factor authentication
  º Use of specific types of authentication services
  º Compliance with the organization’s acceptable use policy (AUP) for appropriate use of or reference to content, Web sites and IM activity
  º Logging of all sensitive data access and transfer
  º Use of encryption
  º Installation and use of consumer-grade IM software
  Where corporate solutions are available, users are typically forbidden to bypass corporate screening and filtering services when using IM on the job. Instead they must route IM traffic through required pathways and services for work-related purposes and content. (See also the following compliance and authentication items, as all three are inextricably intertwined in corporate IM.)
● Compliance is assured: By flagging specific applications or data repositories, corporate IM solutions can log and capture any traffic involving sensitive, private or confidential information to comply with prevailing best industry practices and regulatory mandates.
● Strong and appropriate authentication and access controls prevail: Although this might be considered part of enforcing security policy, it warrants a separate item because it touches on multiple security issues. Strong and appropriate authentication and access controls ensure that users cannot obtain, attach or reference sensitive, private or confidential data unless both sender and receiver have sufficient “need to know” to access that information. Also, appropriate use of authentication and access control stymies account spoofing (impersonation) and improper use of friend or buddy list data. Finally, strong authentication coupled with content screening and security policy enforcement prevents identity theft.
Across the board, corporate-grade IM screening and filtering helps establish a secure and compliant messaging environment where risk is greatly reduced, exposures to vulnerability severely mitigated and regulatory compliance is automatic and effective. This raises the question: “What happens when organizations don’t secure their IM traffic?” As you’ll see in the section that follows, outcomes can range from expensive to dire.
In 2001, Internet Web services company eFront executive staff used the ICQ IM application to communicate with one another. Thousands of ICQ messages to and from Sam Jain, the eFront CEO, and other executives were posted on public Web sites. This led to multiple resignations, strained and broken relationships with partners and threats of legal action from network affiliates and Web site owners in the eFront network. Thought to be posted by a disgruntled affiliate or former eFront employee, these messages included strong language and critical remarks about eFront partners, Web operators and affiliates, plus potentially illegal or unethical advice on how to evade taxes, cheat banner company advertising payment plans, ranking schemes and more. It’s hard not to see eFront’s ultimate closure as a consequence of its use of insecure IM communications, though it clearly had other problems as well.
______________________________________________________
[3] MacDonald, L., K. Fougere, and K. Sousa. 2007. “Managing instant messaging security: A pilot study of recommended practices,” http://www.docstoc.com/docs/6513561/Managing-Instant-Messaging-Security.
[4] Keizer, G. “Symantec warns that IM worms could devastate business,” InformationWeek, http://www.informationweek.com/story/showArticle.jhtml?articleID=22100814, 14 June 2004.
[5] Danchev, D. “Malware—future trends,” http://www.packetstormsecurity.org/papers/general/malware-trends.pdf, n.d.
In 2005, a worm named Oscarbot-B or Doyorg began to make the rounds through a vulnerability in AIM [6]. This worm hijacks the buddy list in an infected user’s AIM account, and sends messages with a subject of “Hey check this out” to all such users. Those who click the embedded link in that message risk falling prey to this infection. Where infection succeeds, the worm opens a backdoor into Internet Relay Chat (IRC), then downloads and executes files on the compromised PC, giving an attacker remote access to that machine. Because such malware could potentially install and monitor a keylogger, and actively search for identity and account data, losses from identity theft could easily occur. In such cases, losses of individual or corporate assets may occur depending on what information resides on compromised PCs.
The bad news is that consumer-grade IM software is inadequately protected, is vulnerable to attack or compromise, does not comply with regulations and mandates and infringes copyright, especially when used in the workplace. The good news is that corporate-grade filtering and screening services, and more secure software, are readily available, affordable and integrate well with existing security services and solutions. With the right tools in place, there will be no further need to dodge bullets, or worry about where the next one is coming from.
provide a defense > IM Security Services can address your concerns
MessageLabs hosted IM Security Services (IMSS) is an IM security solution designed specifically for businesses that see the value in IM, but want to eliminate some of the risks associated with public IM services (such as Yahoo Mail, AOL AIM and Microsoft’s Live Messenger). IMSS provides advanced functionality such as content control, malicious link blocking and logging of all IM conversations. These logs can then be imported into an archive system for quick and easy retrieval in the event of legal disclosure requirements.
The legal risks associated with uncontrolled IM use need to be taken seriously by organizations of all sizes. Taking preventive measures is better than applying a cure after the fact. Formulating company policy on IM use is essential, but it cannot protect an organization to the same extent as a dedicated IM security service, such as IMSS. IMSS proactively prevents wrongdoing by controlling who uses IM and how they use it. The fact that some kind of monitoring is in place will, in many cases, provide a defense against actions brought on as a result of use of public IM systems.
For more information about how the MessageLabs hosted IM Security Service could help your
business address the legal risks of unmonitored IM use or to register for a free trial, visit
http://www.messagelabs.com/trials/free_im.
For more information on MessageLabs, now a part of Symantec, Email and Web Security Services,
contact us at (866) 460-0000 or visit us at www.messagelabs.com.
All terms mentioned in this white paper that are known trademarks or service marks have been appropriately capitalized. The
trademarks or service marks are the property of their respective owners.
______________________________________________________
[6] Dunn, J. 16 May 2005. “New IM worm is coming to you,” TechWorld, http://www.techworld.com/security/news/index.cfm?NewsID=3667.
© MessageLabs 2009
All rights reserved