Closing the Instant Messaging Security Loophole

By Judy Mottl

Instant messaging applications have proven to be a valuable workplace communications tool. The ability to share knowledge in real-time is the primary reason that IM has been embraced today by a majority of enterprises. But while IM has become a beloved messaging avenue -- second only to email -- its popularity has also led to an array of security concerns.

More than 90% of enterprises now use instant messaging, with user rates approaching 50% in terms of desktop penetration, according to Osterman Research, of Black Diamond, Wash., a market research firm specializing in messaging and collaboration. And that penetration is expected to grow, thanks to IM vendor interoperability efforts such as the news in October that MSN and Yahoo users will soon be able to exchange messages.

"IM is increasingly important to global operations in many large organizations. It does not eliminate emails or phones but bridges between these other forms of communications," says Bill Boni, vice president of the Information Systems Audit and Control Association (ISACA), an organization focused on IT governance, security, control, and assurance, and the IT Governance Institute. Boni is also a corporate vice president and CISO for Motorola.

 Like email, the growing adoption and workplace reliance on IM is spurring IT attention on how best to secure the technology. IM is now a top target of malicious activity. In 2005 there was a 1,500% jump in IM attacks, according to a report from IMLogic, a Waltham, Mass., instant messaging management solutions provider. Of those attacks, 87 % were worms, 12 % were viruses, and 1% were client vulnerabilities.

Malicious activities involving IM can -- and have -- had an impact on business operations. In one incident, an IM worm disabled 10,000 desktops, stalling operations productivity. While no massive data breach has yet been attributed to IM, the potential costs related to lost or stolen data is a serious risk. To recover from a single security breach costs a company $14 million on average or $140 per lost customer record, according to a November study by The Ponemon Institute.
 
The biggest virus target in 2005 was the MSN Messenger network, which received 62% of viruses and worms, according to IMLogic. As the number of attacks increases, so too does their sophistication. In March 2005, a virus aimed at MSN came disguised as adult-oriented hyperlink in an IM session. The virus held a program information file extension. When clicked on, it infected computers and propagated the virus to all of the user's messenger contacts.

AOL Instant Messenger is the next favorite virus target, with 31% of attacks aimed its way, while Yahoo Messenger received 7% of attacks.

In December, the IMLogic Center released a warning on a new breed of malicious IM bots that duped AOL users into activating their IM worm payloads.  Infected users were unable to see the messages the worm sends out on their behalf. When users reply to the bot messages, the bot sends a follow-up message that says, "lol no its not its a virus" or "lol thats cool." This attempt at interactive communication that simulates a live user represents a shift in bot attack behavior, says IMLogic.

Yet the increasing threats aren't dampening IM user growth. According to AOL's third annual Instant Messaging Trends Survey, IM use is up 19% this year, and users are sending as many -- if not more -- IMs than emails. The survey found that, at work, 58% use IMs to communicate with colleagues, 49% use it to get answers and make business decisions, and 28% use it to interact with clients or customers.

Increasing productivity is a key factor spurring the nearly 12 billion instant messages being sent every day worldwide, according to the IDC report, Worldwide Enterprise Instant Messaging Applications 2005-2009, Forecast and 2004 Vendor Shares: Clearing the Decks for Substantial Growth. More than 28 million business users worldwide send nearly 1 billion messages each day at work, IDC says.

The focus for CIOs, say experts, is to make sure that all this IM activity isn't putting valuable business resources at risk. Some simple preventive steps include boosting user awareness training, checking for viruses, strong IM use policy enforcement, and network behavior analysis systems.

What the IT department has to understand, say experts, is that IM is no different from any other software product. Before workers download an application from the Internet, they need to ensure that it comes from a trusted source. If IM is used on the Internet -- with external partners, clients, and customers -- the enterprise has essentially opened a door in the corporate security environment. 

Here's a short list of additional IM security tips IT leaders can follow:

• Deploy safeguards at the IM gateways and/or at individual systems to neutralize dangerous payloads.
• Maintain up-to-date patches for operating systems and applications to reduce the potential pool of vulnerable systems.
• Properly configure firewalls, IDS, and IPS to control port and unauthorized access and use a proxy when necessary. Servers and desktops should be at the appropriate patch levels (service packs and antivirus).
• Educate users on IM etiquette and security measures. IM worm/virus writers very effectively use "social engineering" techniques to propagate malicious payloads and get users to accept infected attachments.

As IM use continues to increase, security will continue to be a constant requirement for enterprises. Perhaps the best posture for a CIO to adopt is that an organization can never have too much defense. Protecting the perimeter, end point, and internal network will let an organization allow IM use to flourish while addressing potential risks.

Judy Mottl is a freelance technology writer based in New York who has contributed articles to such publications as InformationWeek, Bio-IT World and Information Security Magazine.