Seven steps to keeping your employees’ instant messaging secure.
By Todd Datz, CSO Magazine
April 2006
URL: http://www.csoonline.com/read/040106/love_im.html
Instant messaging is a phenomenon that infiltrated corporate America like bedbugs in a flophouse. It burrowed its way into companies a few users at a time, became fruitful and multiplied, and today has become a popular tool for employees to carry on business and, yes, exchange the occasional message with buddies scheduling that night’s cocktail hour.
Yet IM can introduce some nasty byproducts to a company’s security posture. The wildfirelike growth of the technology has led to a spike in the number of Internet bloodletters who have found a new and vulnerable target for their attacks. And the speed with which an IM worm can propagate leaves a typical e-mail attack looking like a funeral procession down Main Street. “The fastest-ever e-mail threat took about 10 hours to hit 500,000 sites. On IM, it takes about five to seven minutes,” says Francis deSouza, CEO and president of IMlogic, an IM security company acquired by Symantec early this year. According to antivirus vendor Sophos, the second-ever virus aimed at the Macintosh operating system propagates itself to other computers via iChat. Fear not, CISOs: You can defend your company against the IM nasties. This story takes a look at how popular IM has become, why banning it may be wishful thinking and what steps you can take to secure your IM networks. (Hint: Sticking your head in the sand and denying there’s a problem isn’t one of them.)
Market researcher Radicati Group says IM is being used in 85 percent of enterprises; that the number of IM messages being sent each day will increase from 11.4 billion in 2004 to more than 45.8 billion in 2008; and that the number of IM users will grow from 320 million to 592 million in 2008. And IM isn’t just for 12-year-old kiddies talking about crushes, Brangelina and the latest episode of The OC. Responsibly used, IM can make workers more productive. “From a general, philosophical standpoint, we try to keep our headcount lower to have lower operational costs and to be more efficient. We try to give people all the reasonable tools they need to expedite their jobs; one is IM,” says Steve Rubinow, CTO of NYSE Group, an electronic stock market. Brian Trudeau, CIO at Amerex Energy, supports IM because some of the company’s brokers rely on it. “It’s kind of been an organic growth through the industry. One person starts it, now some traders won’t talk to you unless you have an IM handle. It’s instant gratification, not like e-mail, for which you have to wait. The nice thing about it is the ability to transmit information instantly,” he says.
In today’s business environment where speed thrills, that makes IM a winner. But, as with e-mail, IM channels are vulnerable to malware, and CISOs and IT leaders need to be cognizant of the risks. The problem, according to some, is that security is often an afterthought when it comes to IM in the workplace. When asked about the state of IM security in companies, Kailash Ambwani, CEO and president of IM security company Facetime, says, “It’s nonexistent mostly. The good news is that they’re aware they need to do something about it; a year and a half ago, that awareness didn’t exist.”
The security risks are real. The predominant IM networks in use in companies are insecure public networks—AOL, Yahoo and MSN, to name a few. Employees can download those clients easily and at no cost. Malware is propagating rapidly—IMlogic’s Threat Center reports that in 2005 there was a 1,693 percent increase in reported incidents of new threats, 2,403 unique IM and peer-to-peer threats, and that 90 percent of IM-related attacks included worm propagation. It also notes a dramatic increase in the sophistication of attacks. In addition to those risks, IM also offers employees an all-too-easy method of sending intellectual property outside the borders of your company, accidentally or intentionally.
So there’s the bad, but here’s the good: Take the steps below and you can sleep a little more peacefully at night. But look lively. If you haven’t already done steps 1 and 2 at the very least, you’re way behind.
1. Find out how much IM is going on inside your company.
Before making decisions about IM security, it’s good to know what’s crossing the wires every day. Who’s using IM? What public networks are they using? How much traffic is there? What are people using it for—Games? File transfer? Arguing the merits of a flat tax or debating the latest steroid scandal? You may be able to determine much of this using standard network tools, or you might choose to dive into an IM-specific security tool to get a handle on IM activity.
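As an added illustration (not part of the original article), here is one way to get a first count of IM activity from firewall flow records using the default server ports of the public networks. The record layout, addresses and size threshold are constructed for the example, and because clients can fall back to other ports the result is a lower bound.

```python
import csv
import io
from collections import defaultdict

# Default server ports of public IM networks (well-known values).
# Matching on ports undercounts: clients can fall back to other open ports.
IM_PORTS = {5190: "AIM/ICQ", 1863: "MSN", 5050: "Yahoo", 5222: "XMPP/Jabber"}

# Constructed sample of flow records (not real data): src_ip,dst_ip,dst_port,bytes
SAMPLE_FLOWS = """\
10.1.4.22,203.0.113.10,5190,18200
10.1.4.22,203.0.113.10,5190,950000
10.1.7.80,198.51.100.7,1863,4100
10.1.7.81,198.51.100.7,1863,2300
10.1.9.15,192.0.2.44,443,88000
10.1.9.15,192.0.2.50,5050,7600
10.1.4.22,198.51.100.7,1863,1200
"""

def summarize_im(flow_csv, big_flow_bytes=500_000):
    """Return per-network usage: distinct hosts, flow count, bytes, large flows."""
    stats = defaultdict(lambda: {"hosts": set(), "flows": 0, "bytes": 0, "large": []})
    for row in csv.reader(io.StringIO(flow_csv)):
        try:
            src, dst, port, nbytes = row[0], row[1], int(row[2]), int(row[3])
        except (IndexError, ValueError):
            continue  # skip malformed records rather than abort the inventory
        network = IM_PORTS.get(port)
        if network is None:
            continue  # not a default IM port
        entry = stats[network]
        entry["hosts"].add(src)
        entry["flows"] += 1
        entry["bytes"] += nbytes
        if nbytes >= big_flow_bytes:
            # Heuristic (assumed threshold): large flows deserve a closer look.
            entry["large"].append((src, dst, nbytes))
    return dict(stats)

if __name__ == "__main__":
    for net, s in sorted(summarize_im(SAMPLE_FLOWS).items()):
        print(f"{net}: {len(s['hosts'])} hosts, {s['flows']} flows, "
              f"{s['bytes']} bytes, {len(s['large'])} large flows")
```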
2. Determine your posture toward IM.
The first question to ask: Should we allow it or block it? The easiest thing to do, of course, would be to say, I don’t want to deal with this headache, let’s just ban it. For starters, Don Montgomery, VP of marketing and customer support at IM security company Akonix, says that trying to block it from a technology standpoint is darn near impossible. “Once the public clients, which are free, are installed, they are port-seeking clients. So you can identify a protocol and try to shut down the port it uses at the firewall, but all of these clients use multiple ports, and they seek the next open one,” says Montgomery. An IMlogic report titled “Understanding the IM Security Threat” notes that any attempt to secure IM “using purely network-layer tools and techniques such as combinations of port, IP and URL blocking is bound to be partial at best.”
Firewall purveyors might hold the solution with deeper inspection of network traffic. And you can also by various means attempt to block end users from installing IM clients on their systems in the first place. Regardless of technical measures, though, the social issues are even harder to surmount. An IM ban could bring a revolt from users. “Trying to shut down the use of public IM has proven to be futile because typically in large companies, you have a user base using it for business purposes, and they scream bloody murder if you try to shut it down,” says Montgomery.
So before taking drastic and potentially futile steps, talk to your users and find out whether there’s a business need for keeping IM on the premises—odds are, there is.
3. Decide which type of IM network works best for your company.
There are multiple network types. Public networks are the most common—AOL, Yahoo and the like. Enterprise networks, offered by companies such as IBM, Jabber and Microsoft, allow companies to purchase client/server solutions in which users typically can talk only to others on their own corporate network. (Though deSouza says that enterprise vendors are starting to offer connectivity to public networks.) Industry-specific networks are tailored to meet the needs of particular industries. Bloomberg and Reuters, for example, offer networks for the financial services industry. There are also geography-specific networks.
In choosing the type or types of networks to allow, assess your business needs and the risk factors. For example, Pete Lindstrom, research director at Spire Security, advises using more easily protected enterprise networks, not public networks, if employees are passing along sensitive data over the IM pipes.
4. Create an IM policy.
Most companies already have a policy that covers electronic communication—that is, “We own the machines you’re communicating on. Therefore, any information being transmitted on the machines can be monitored.” IM should be part of that policy. Rubinow says that Archipelago had an e-mail policy first, then added Web and IM sections to that policy. “There are various pieces of IM software [our employees] can use, provided they understand our usage policy. We are able to control it and monitor it; no information can come in or out of the company without us being able to log it. It will always be at our fingertips because that’s good business practice and a regulatory requirement,” he says.
It’s also part of the overall policy at Amerex, says Trudeau. “In the employee handbook, we have privacy policies that there isn’t any privacy on a company-owned machine. Any electronic data can be monitored. The employees sign off on that knowingly,” he says. Trudeau notes that it’s interesting what people say on IM, even though they may know in the back of their minds that their messages are being logged. “They may either forget about it or think no one cares. It does come around to bite people sometimes,” he says.
5. Develop rules.
One best practice to consider is not allowing file transfers. You could do it in the we-trust-our-employees kind of way and create a rule that bans them; or you could use technical means to enforce the ban, which is what Amerex has done. “We shut down the file transfer capability of all instant messengers. We try to block down through file names and file extensions and shut those ports down for file transfer,” says Trudeau.
Montgomery says that file transfer is one of two primary methods of IM attacks (the other, he says, is malicious URLs). A user downloads a file that appears to come from a buddy, which launches some piece of insidious code, which propagates. DeSouza recommends a rule outlawing games: “There’s no real business reason for games to be allowed,” he says.
CSOs may want to create rules for different levels of users. Montgomery says you could block file transfer capabilities for all except for those in the executive or financial or legal ranks, for example. Or you could say that executives and customer support people can have access to videoconferencing or VoIP, but no one else can, says deSouza.
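The rules described in this step can be written down as a small policy check. The sketch below is an added example, not taken from the article or from any vendor product; the group names, feature names and extension list are assumptions, as is the choice to block executable file types even for groups that may transfer files.

```python
import os

# Hypothetical policy: everything except chat is off by default.
DEFAULT_POLICY = {"chat": True, "file_transfer": False, "games": False,
                  "voip": False, "video": False}
# Assumed group names, following the per-level exceptions the article mentions.
GROUP_EXCEPTIONS = {
    "executive": {"file_transfer", "voip", "video"},
    "finance": {"file_transfer"},
    "legal": {"file_transfer"},
    "customer_support": {"voip", "video"},
}
# Assumed list of file types that run when opened; blocked for everyone.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}

def blocked_extension(filename):
    """True if the final extension is blocked, after normalizing the name."""
    # Windows ignores case and trailing dots or spaces, so strip them first.
    name = os.path.basename(filename.replace("\\", "/")).rstrip(". ").lower()
    # The last extension decides how the file opens ("invoice.pdf.exe" runs).
    return os.path.splitext(name)[1] in BLOCKED_EXTENSIONS

def decide(groups, feature, filename=None):
    """Return (allowed, reason) for one user action."""
    if feature not in DEFAULT_POLICY:
        return False, "unknown feature"  # fail closed on anything unlisted
    allowed = DEFAULT_POLICY[feature] or any(
        feature in GROUP_EXCEPTIONS.get(group, ()) for group in groups)
    if not allowed:
        return False, f"{feature} not permitted for this user"
    if feature == "file_transfer":
        if filename is None:
            return False, "file name required"
        if blocked_extension(filename):
            return False, "blocked file type"
    return True, "permitted"

if __name__ == "__main__":
    print(decide(["legal"], "file_transfer", "contract.doc"))
    print(decide(["legal"], "file_transfer", "contract.doc.EXE "))
    print(decide(["engineering"], "file_transfer", "notes.txt"))
```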
6. Educate and train users.
When asked what the most common IM vulnerabilities are in companies, John Rittinghouse, senior VP of commercial professional services at SecureInfo and coauthor of a book on IM security, points to lack of user awareness and training. “Most of the damage we see is done on the inside when people do dumb things,” he says. He cites clicking on a link from a spam message as an example. “Bam, you get a payload or rootkit put on your box. The next thing you know it’s propagating on the network or going through all of your contacts, causing a denial of service,” he says.
Rittinghouse says security execs need to educate users to be acutely aware of the risks IM can bring and reinforce that it’s part of their job to protect the business. Employees also need to understand that IM communications are archived. “One of the things that killed Enron is employees not understanding that IM was part of the record. Some of the IM communications were very embarrassing, very damaging. Sexually explicit things were in there from employees to other employees. It’s just ignorance,” he says.
Employees should be especially vigilant given the stepped-up regulatory environment. “A lot of the stuff imposed by the SEC and Sarbanes-Oxley [for example] doesn’t make a distinction between e-mail and IM traffic. A lot of companies only find that out when they get into trouble,” says Rittinghouse.
He says that awareness and training programs don’t necessarily cost a lot in money, but they do in effort. And some companies haven’t been willing to make that effort. “Companies seem to find time not to do it,” says Rittinghouse. He says security leaders must become evangelists about issues such as IM security and should be held accountable if they fail to educate their users.
7. Consider implementing an IM security product.
A passel of companies (among them Akonix, Blue Coat, Check Point Software, Facetime, IMlogic and ZoneLabs) offer products that allow companies to control and secure their use of IM. E-mail filtering companies such as Postini are starting to offer IM protection services too. At Amerex, Trudeau says security was actually a side benefit—the primary reason he installed a middleman product (IMlogic) was to log IM conversations. The same was true for Rubinow at Archipelago. “From a regulatory standpoint, we had to have that software in place or prohibit the use of IM,” he says.
Thomas Pottanat, CISO at Banco Santander, says his bank doesn’t currently allow IM, but that’s going to change. “That’s one of the mediums people are going to use. People are doing trades from New York in Latin American countries. I’m thinking about it, looking for a solution for how best to handle it,” he says, knowing that when the bank allows it, regulations will require him to capture his IM data.
“You cannot tell people, ‘Don’t use e-mail or other telecommunications,’ because that’s a means of doing business now,” says Pottanat. “The world has changed, and everything needs to be done immediately.”