
Tools can take the threat out of instant messages

Lee Li

IM users face having private information stolen - or worse - but experts agree security risks can be minimised

SECURITY CHALLENGES posed by instant messaging tools such as those offered by AOL, Yahoo and MSN have left information technology administrators wringing their hands. But security software vendors say the situation is far from being out of control, as long as the right measures are in place.

Instant messaging software is used by nearly 400 million global users, according to a recent report by Symantec's IMlogic Threat Centre. And research firm Gartner predicts that instant messaging will replace about 40 per cent of e-mail traffic and reduce phone and travel expenses by about 20 per cent over the next couple of years.

While instant messaging tools offer benefits such as increased productivity, lower communications costs and faster decision making, they can leave computer systems open to a myriad of security threats.

The most common ones, according to Michael Chue, managing director of Symantec Hong Kong, include worms and Trojan horses, denial-of-service attacks and privacy intrusion.

Using messaging software, hackers can install a Trojan horse on the computer of an unsuspecting victim, allowing them to reconfigure the system to allow access to all files via peer-to-peer file sharing. Ultimately, instant messaging software could allow hackers to circumvent a network's security layers, leaving it open to attack.

Once hackers have gained access to a victim's computer, they can also access instant messaging software log files, which may contain sensitive or private data from past conversations. This information can be devastating to businesses if exposed, causing tainted reputations, legal problems and, in some cases, loss of business.

As many instant messaging tools do not encrypt messages, another problem for IT administrators is that a third party can eavesdrop on conversations.

Instant messaging clients are also vulnerable to denial-of-service attacks. These attacks, which involve flooding a computer system with data, can cause the instant messaging client to crash or hang, or in some cases cause the entire computer system to become unstable. Hackers may use a denial-of-service attack to force a victim out of his instant messaging account and then steal the victim's online identity.

This would provide hackers with a platform to lure unsuspecting users to a particular website embedded with keystroke loggers and spyware.

Abby Tang, enterprise solution marketing manager for Asia-Pacific at Juniper Networks, said keystroke loggers could be used to collect private information such as bank account user identities and passwords. To safeguard networks from threats coming through IM traffic, she said companies should use server-based encryption for instant messaging.

There are also various software-based solutions for proactive threat protection and correction, which secure the real-time communications infrastructure against external threats such as worms, spam, viruses, phishing and other unwanted content.

Linda Hui, managing director at F5 Networks Hong Kong, suggested simply blocking IM traffic from passing through the firewall, but noted that more sophisticated users could often find ways around such measures.

Mr Chue of Symantec said: 'Many IM users are resourceful and search for alternate methods to log in if they are unable to connect to their IM network; meaning that some attempts to block IM traffic are often futile.

'A much better approach is to accept that IM has now become part of our everyday tool set, and wrap the necessary security and control around a selection of public IM networks,' he added.

Mr Chue said businesses should apply a four-phase approach to securing and controlling IM and establishing a longer-term strategy.

In the first phase, enterprises need to come up with a detailed picture of IM usage to develop a company risk profile and a deeper understanding of the value that IM brings to the end user.

Organisations should then move quickly to mitigate the most pressing threats based on the established profile. Once current threats are neutralised, the company can focus on the medium-term challenge of enforcing policies that mitigate the broad spectrum of risk, including regulatory compliance, corporate governance and intellectual property loss.

In the third phase, a comprehensive programme of policy development, end-user education, enforcement and ongoing monitoring needs to be developed to effectively reduce the risks.

In the last phase, a longer-term strategy should be developed to include a broader direction for reducing the costs to support real-time communications, identifying areas for building economies of collaboration through standardisation and consolidation, and integrating real-time communications into the organisation's business processes.

David Mario Smith, a research analyst at Gartner, said enterprises should recast their e-mail policy as a communications policy that included e-mail, IM, blogs, chat rooms or whatever technologies were appropriate for their environments.

'IM should be regarded as a business record, regardless of whether it is generated from a public network system or an internal enterprise system, if its use is for business purposes, generating content that - per internal retention policy or external regulation - is deemed important,' Mr Smith said.

When formulating a policy, companies should ensure that their objectives are clear and explicitly written.

Mr Smith suggested that the policy contained: general guidelines for usage to establish which IM systems were to be used; clear definitions of acceptable and unacceptable use, including guidelines for etiquette and acceptable business or personal use; consequences of not adhering to policy guidelines, with a list of repercussions for unacceptable behaviour; and information highlighting compliance requirements, including legal mandates such as the Sarbanes-Oxley Act.

Mr Chue said it was vital for organisations to educate employees on the proper usage of IM, and they should include safe computing tips in their corporate guidelines on IM usage.

Despite repeated efforts to educate them, users might still forget or even ignore the safety tips. Thus, experts agree that IT departments should be proactive in checking whether users use IM clients safely.

Ms Tang of Juniper said: 'I know an IT manager who pretends to be an attacker. He broadcasts unsolicited messages via IM to employees who use IM at the same time. Whenever someone responded by clicking a URL link or trying to open an executable file attachment, he would immediately reveal his true identity and remind them not to do the same thing again.'

Tips for safe instant messaging usage

Education plays an important role in making sure that networks are secure against threats coming through instant messaging clients. Michael Chue, managing director of Symantec Hong Kong, suggests that IT managers set guidelines for users, including the following:

Users should not accept any messages from sources they do not recognise

Even if users recognise the sender of a file or a link, they should use caution when opening attachments or when clicking a link

If users cannot see the URL the hyperlink points to, they should move the mouse pointer over the link to make the actual URL visible

Users should not accept file transfers as there are many other ways of sharing files that are safer
