IM: Real-Time Security Problems For Financial Services
Traders increasingly are adopting public instant messaging services, but most of these applications open severe security holes
By Cory Levine, Wall Street & Technology
21 March 2006
In an industry in which millions of dollars are won or lost in milliseconds, the drive to improve speed permeates virtually every business function, and communications is no exception. As a result, Wall Street increasingly is adopting instant messaging (IM), which is versatile and reliable and, most important, facilitates real-time communication. Traders are using IM as a method of improving productivity as it enables them to exchange market updates and data pertinent to trade decisions with five, 10 or 15 individuals simultaneously, limited only by how many conversation windows they can manage on their desktops.
"Instant messaging allows you to have multiple conversations -- as many as you can fit on your [computer] screen," relates Art Gilliland, VP of products for IMLogic, a provider of enterprise IM management solutions that was recently acquired by Symantec. When working on telephones, however, traders "run into the problem that they only have two ears."
Laying Down the Law
But the proliferation of IM comes with its own set of regulatory woes. Regulators recognize IM as a form of electronic communication, and it therefore falls under the same scrutiny as e-mail. Firms must take appropriate measures to ensure compliance with SEC rules 17a-3 and 17a-4, as well as individual NYSE and NASD mandates. Further, firms also must consider IM's impact on USA Patriot Act and Sarbanes-Oxley compliance.
Yet, enterprise instant messaging can be a challenge to control, particularly if business users are subscribing to popular public IM services such as those from AOL, Yahoo! and MSN. These services, in an effort to ensure reliability, have built-in work-arounds that are difficult to block with an enterprise firewall.
Public IM software connects to a central server using a TCP connection. Should a TCP connection be unavailable or blocked, the IM software simulates the connection using HTTP, which causes the connection and subsequent conversation to appear as basic, seemingly harmless Web traffic. The challenges presented by this type of work-around are compounded by the fact that IM host servers constantly are growing and changing IP addresses, making them particularly difficult to track and block using standard Internet control processes.
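A sketch of why the IP-based blocking described above falls behind, and what an HTTP-layer check over proxy logs looks like instead. This is an added example, not part of the original article; the host suffix, content type, addresses and log records are constructed placeholders to be replaced with values from your own environment.

```python
from collections import defaultdict

# Placeholder signatures (assumptions, not from the article): the gateway host
# suffix and content type an IM client might use when tunnelling over HTTP.
IM_HOST_SUFFIXES = ("im-gateway.example",)
IM_CONTENT_TYPES = ("application/x-im-tunnel",)

# Constructed proxy records: (epoch_s, client, dst_ip, method, host, content_type)
LOG = [(1000 + 4 * i, "10.1.1.5", "192.0.2.77", "POST",
        "eu.im-gateway.example", "application/x-im-tunnel") for i in range(6)]
LOG += [(2000 + 5 * i, "10.1.1.9", "198.51.100.8", "POST",
         "relay.unknown.example", "application/octet-stream") for i in range(6)]
LOG += [(3000, "10.1.1.7", "203.0.113.4", "GET", "news.example", "text/html"),
        (3600, "10.1.1.7", "203.0.113.4", "POST", "news.example", "text/plain")]
STALE_IP_BLOCKLIST = {"192.0.2.10"}  # the IM server's previous address (constructed)

def ip_blocklist_hits(log, blocked):
    """Clients caught by a destination-IP blocklist."""
    return {rec[1] for rec in log if rec[2] in blocked}

def signature_hits(log):
    """Clients caught by HTTP-layer signatures, whatever the destination IP."""
    return {client for _, client, _, _, host, ctype in log
            if host.endswith(IM_HOST_SUFFIXES) or ctype in IM_CONTENT_TYPES}

def polling_hits(log, min_posts=5, max_gap=10):
    """Flag (client, host) pairs showing a sustained run of closely spaced
    POSTs, the polling pattern of a session simulated over HTTP."""
    times = defaultdict(list)
    for ts, client, _, method, host, _ in log:
        if method == "POST":
            times[(client, host)].append(ts)
    flagged = set()
    for key, stamps in times.items():
        stamps.sort()
        run = 1
        for prev, cur in zip(stamps, stamps[1:]):
            run = run + 1 if cur - prev <= max_gap else 1
            if run >= min_posts:
                flagged.add(key)
                break
    return flagged
```

On the sample records the stale IP list flags nobody, the signature check flags the known gateway, and the polling heuristic also surfaces the relay that no signature covers.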
Given the difficulty of banning and blocking IM, and the power of the technology as a real-time collaboration tool, firms instead are accepting IM -- with a handful of caveats. A corporate IM policy must be implemented, and IM use needs to be monitored. Moreover, all IM communications must be retained in accordance with the regulations that govern electronic communications.
When determining a corporate policy on IM, most firms simply apply the same controls they apply to e-mail, according to IMLogic's Gilliland. "What we typically recommend for our customers, and what we see as guidance from some of the consulting companies, is that you implement the same exact policy as you do for e-mail," he explains.
Adam Honoré, senior analyst with Aite Group, agrees. "Instant messaging is treated like any other written correspondence in [regulators'] eyes," he offers, and should be treated as such by financial services firms.
For Archipelago Holdings, the parent company of the electronic Archipelago Exchange, managing IM is about ensuring that all users are aware of their corporate responsibility and having the technology to enforce that responsibility. "Since it's a corporate resource, and it's corporate information that's being transferred, ... it's got to be able to be monitored by tools that we have and has to be able to be controlled," explains Steve Rubinow, CTO of Archipelago. "The No. 1 item is to make sure that any communications related to the business can be trapped, surveilled and reviewed."
To do so, Archipelago uses the IMLogic solution to mitigate the compliance risks that arise as a result of enterprise IM use. Rubinow says the solution makes the exchange's decision regarding IM use easy because the total cost of ownership is low and maintenance is not a burden. "Given that people do find [IM] convenient, and that the cost of supporting it and controlling it is not great, it doesn't really require much thinking to allow people to use it," he explains.
But IMLogic's ability to monitor, control and retain all IM communications is the critical factor in Archipelago's decision. "Without that particular product," Rubinow asserts, "we would not allow the use of IM here because it wouldn't have adequate controls."
Archipelago isn't the only organization faced with questions about IM use. In fact, the use of IM on the Street seemingly is ubiquitous, and so is the need for a solution. "We no longer run into any firm that says, 'We're not going to allow any IM,'" reports Kailash Ambwani, president and CEO, FaceTime Communications. Unfortunately, the more users who adopt IM, the more significant the technology's security vulnerabilities become.
FaceTime categorizes IM applications as "greynets" -- a term for a class of applications that enter the enterprise via the end user and exhibit evasive behavior over the network (including peer-to-peer sharing, VoIP and Web conferencing applications). The problem with greynets is that their providers' primary objective is to ensure usability regardless of location, whereas a priority for IT managers is to control everything their users are doing on the network. Those IM applications that succeed in their missions of network evasion open major security holes.
Unchecked, IM use can lead to the leakage of intellectual information and trade secrets, for example. This can occur both maliciously and inadvertently. IM services generally include file transfer capabilities that largely are undetectable by standard network monitoring tools. While the transfer of a 10MB database over FTP or through e-mail likely would raise a red flag, doing so using IM may go completely undetected -- without the proper tools.
A simple turn of phrase during an IM conversation might also result in inadvertent information leakage. IM historically is an informal method of communication, more so than even e-mail, which can be carefully crafted, worded, spell-checked and filtered. The immediacy of IM degrades formality even further, explains Matt Bienfang, senior analyst, TowerGroup. "With instant messaging, because of its real-time nature, people are typically a bit more casual in their use," he says. "They'll be a little bit more candid, even, than they would be in e-mail," he adds.
"You've got real-time leakage of information," Bienfang continues, which is perhaps the most challenging aspect of controlling the use of IM. Reacting quickly isn't good enough -- a firm has to be able to stay ahead of the game.
"The window of vulnerability is very short," says FaceTime's Ambwani. "You've got to make sure you're able to safeguard against this in real time."
IM also is subject to an increasing number of attacks and is capable of propagating the same laundry list of threats as e-mail, including viruses, trojans, worms, malware, spyware and spIM (spam over IM). Further, the immediacy and flexibility of IM communication makes it the perfect delivery tool for malicious payloads -- the speed of IM would allow a successful attack to cripple a business in a matter of minutes.
In its annual security review, IMLogic reported that 2005 saw 2,403 unique threats to IM services. January 2005 saw 21 new threats. But by November, IM security threats peaked at 307, and IMLogic and other experts expect them only to increase.
"You will have active participants on your IM network [at all times], and as these things become unleashed -- it might be in the middle of the night, it might be on the weekend -- they can hit your network," says Dan Evans, VP, network systems engineer and IM management administrator at full-service investment bank Morgan Keegan. To protect itself, Morgan Keegan uses FaceTime's IM Auditor network appliance to track approximately 3,000 IM users. The solution provides archiving and messaging security.
But the key to using any IM solution effectively is centralizing management and controls, argues Evans. "We keep it very limited, and we keep a very close watch on that," he says. "That helps out tremendously."