Really useful… very dangerous

You might not have noticed it, but something happened this summer which could haunt IT security departments for years to come.

On June 10, the sports equipment company Nike integrated its online 3-D soccer game into MSN Messenger (a first for MSN) across 11 European countries, to generate awareness for its Ole marketing campaign. The Ole game, a peer-to-peer, multi-player application, invited MSN users to recruit fellow players via online conversations.

This followed hot on the heels of the launch of the MSN Instant Games Clubhouse offering head-to-head games aimed "at attracting the millions of computer users who want the ability to communicate online at speed, without many of the hassles of email exchanges." By adding MSN to the marketing mix, Nike recognized that instant messaging (IM) offers an extremely powerful communication channel with the potential to surpass the impact that email had on digital messaging in the 1980s.

IM is a growing communications channel that is interactive, informal, near real-time and without boundaries. In 2003, Ferris Research predicted that, by 2007, there will be 182 million business IM users and that market value will rocket from $133 million in 2002 to almost $800 million in four years. By 2005, research firm Gartner believes half of all companies will be using enterprise-level (rather than freeware) IM clients.

Not so long ago, IM was the domain of the young and the net-savvy enterprise. But, as with so many products of "humble" origins, it has migrated from being a neat tool to becoming a useful business application.

There can be no doubt that IM can speed critical communications across the corporate network, and many analysts believe that it will eventually overtake email as the medium of choice. As communication technologies converge, many organizations are seeking to implement IM as an integral component of customer relationship management using IM's web/video conferencing, real-time chat and file-sharing capabilities. Gartner suggests that IM "will rival email in terms of both volume and ubiquity."

Two main issues have surfaced with the presence of IM on corporate networks. First, IM has become part of business through employee osmosis, rather than through any conscious, deliberate, policy-led decisions. As a result, many organizations are unaware of IM being deployed within them. This creates the problem of controlling and managing a myriad of disparate, "phantom" client applications.

Another big problem is that IM applications were originally designed for residential use. They are rich in features and functionality, but have little security. While commercial versions of IM clients exist, many organizations are finding that their employees prefer to use the consumer versions. These enable them to participate in activities which they avoid when using corporate messaging systems (around 65 percent of organizations where IM is present have the consumer variant, according to a study from Osterman Research).

For many employees, IM is a way of indulging without "affecting" their productivity. After all, an employee can attend a conference call while chatting to their buddies about weekend plans.

What separates IM use from email use at work is that these employees would almost certainly not choose to use the corporate email network to discuss personal issues. They would perceive this to be an inappropriate use of the company's systems and know they might be monitored and caught.

Many users admit their uncertainty about whether corporate internet policies govern the use of IM services. This is not surprising. If most organizations are unaware of the presence of IM, it is unlikely to be legislated for.

Faced with the widespread backdoor deployment of IM, corporate IT managers are being forced to deal with this threat whether they want to or not – a situation similar to the securing of email systems a few years back.

If a powerhouse such as Nike has realized there is mileage in targeting IM users, then those users are low-hanging fruit for virus creators, spammers and hackers. Spim (spam over Instant Messenger) is predicted to rise to 1.2 billion messages this year across both consumer and corporate IM platforms.

Evidence suggests that nearly 40 percent of the top viruses are capable of propagation through IM applications. Ferris Research estimates that there are more than 40 million IM users in the workplace, rising to nearly 200 million by 2007, so this represents rich pickings for miscreants. With lessons learned from email, you would think that securing IM would be easy. Unfortunately, IM presents a raft of old threats delivered in an entirely new package.

Again, IM clients have been designed with functionality in mind, not security. The most popular IM clients – MSN, AOL, Yahoo! – condense feature-rich functionality into a user-friendly client.

One user-friendly feature of IM clients that causes security concerns is their ability to counter connection difficulties. IM clients achieve this by being adept at "navigating" their way through obstacles such as perimeter network defenses. They use unauthorized ports in firewalls, a behavior described as "port agility": the ability to move from port to port in order to find access. The obvious solution of blocking and closing firewall ports is therefore not enough.

In addition to providing a channel for viruses, worms and trojans, this ability to tunnel through perimeter defenses offers an effective method of moving materials in and out of an organization without alerting security departments.

As a real-time tool, IM lends itself to an informal style of communication. The sense of community, familiarity and trust that IM builds within its user base presents the greatest challenge for corporations to overcome. IM has become the online version of SMS, with users adopting informal language, little regard for common sense, and even less regard for associated legal liabilities.

Users choose their own IM identity, which means that there is no guarantee that they are who they claim to be. A user might think that they are messaging a colleague or a friend, but are really "chatting" with a stranger. Users could be duped into disclosing confidential business information, compromising themselves by entering into defamatory or inflammatory conversations, for example, or sending and receiving inappropriate material.

As online identities are not created or managed by the IT department, it becomes a virtually impossible task, using traditional security measures, to track messages and provide an audit trail. The situation is compounded as the IM client usually reveals its true IP address during file transfer and chat, leaving the organization open for hacking or a DoS attack.

Finally, add the fact that files transferred over IM usually lack encryption, and that all messages can potentially be intercepted "as is" (particularly as they are forwarded and stored on a third-party, central server), and an organization's security can be well and truly compromised.

So how do enterprises secure themselves against the threats posed by IM? There is no simple solution – a multi-tiered approach must be adopted. Virtually all the current IM security products and suggested procedures have potential flaws – port agility, SSL tunnelling, encrypted IM conversations, and ASP hosted IM platforms can all bypass traditional measures – but actions can be taken to lessen the threat.

The first and most basic task faced by enterprises is to formulate, implement and communicate policy concerning IM. Users must know what they can and what they cannot do. For example, if IM is to be used within the organization, then a secure, dedicated, corporately managed IM server should be deployed. A corporate platform will provide organizations with their own network clients and naming conventions that can enable internal threat detection, monitoring and auditing.

If the organization allows IM, but decides against an in-house managed solution, then one client should be selected. Likewise, properly configured firewalls must be implemented to help manage any non-corporate IM.

Although IM is a port-agile application, ensuring outbound connections use only authorized ports will reduce some of the threat.
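Because a port-agile client falls back to whatever port is open, the egress firewall log shows a recognizable pattern: several denied ports followed by success on an authorized one. The following is an added example, not part of the original article, that flags that pattern; the log format, addresses, authorized port set and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed egress firewall log for illustration (not from the article).
# Fields: timestamp, source host, destination, destination port, action
SAMPLE_LOG = """\
2004-09-01T09:00:01 10.0.0.21 198.51.100.7 5101 DENY
2004-09-01T09:00:02 10.0.0.21 198.51.100.7 5102 DENY
2004-09-01T09:00:03 10.0.0.21 198.51.100.7 23 DENY
2004-09-01T09:00:05 10.0.0.21 198.51.100.7 80 ALLOW
2004-09-01T09:00:07 10.0.0.34 203.0.113.9 443 ALLOW
2004-09-01T09:10:00 10.0.0.34 203.0.113.9 443 ALLOW
2004-09-01T09:15:00 10.0.0.50 198.51.100.7 5101 DENY
2004-09-01T11:00:00 10.0.0.50 198.51.100.7 80 ALLOW
"""

AUTHORIZED_PORTS = {80, 443}      # assumed outbound policy
WINDOW = timedelta(seconds=60)    # assumed time span for one hopping burst
MIN_DENIED_PORTS = 2              # distinct blocked ports before the fallback

def parse(log_text):
    """Yield (timestamp, src, dst, port, action) from time-ordered log lines."""
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port, action = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(port), action

def find_port_hopping(log_text):
    """Flag hosts denied on several ports that then reach the same
    destination on an authorized port within WINDOW."""
    denied = defaultdict(list)    # (src, dst) -> [(timestamp, port)]
    findings = []
    for ts, src, dst, port, action in parse(log_text):
        key = (src, dst)
        if action == "DENY":
            denied[key].append((ts, port))
        elif action == "ALLOW" and port in AUTHORIZED_PORTS:
            # Distinct ports blocked shortly before this successful connection
            recent = sorted({p for t, p in denied[key] if ts - t <= WINDOW})
            if len(recent) >= MIN_DENIED_PORTS:
                findings.append({
                    "src": src, "dst": dst, "time": ts.isoformat(),
                    "denied_ports": recent, "fallback_port": port,
                })
                denied[key].clear()
    return findings

if __name__ == "__main__":
    for finding in find_port_hopping(SAMPLE_LOG):
        print(finding)
```

A hit means the traffic is now travelling over a permitted port, so the follow-up belongs to content inspection or endpoint monitoring rather than to another port rule.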

Another tactic for IT departments is to lock down the desktop, preventing the local installation of applications. But this will not stop IM entering the organization. The block is easily circumvented through websites offering hosted IM, like They provide users with the ability to communicate without the need for a local client. Blocking these sites will prevent access.

The most effective approach to securing IM is to monitor the endpoint. Deploy an endpoint protection product that will monitor and report on all processes, applications and user interaction. This will enable the organization to control both the presence of IM and its use. An endpoint solution should detect file access, application use, and port/network traffic, enabling current security policies and solutions such as anti-virus, web blocking, firewall, and so on, to apply to IM.

IM is here to stay. If implemented properly, it will become a valuable business tool, but if it remains unchecked, the enterprise will suffer.

Phil Worms is marketing director with NetIntelligence
