Lock IT Down: Instant messaging threatens enterprise security

Tags: Salvatore Salamone


Takeaway: Explore the security risks associated with instant messaging in the enterprise


It’s no surprise that instant messaging (IM) is gaining in popularity. The often-free communication feature lets people interact instantly, make decisions on the fly, and provide immediate contact, as opposed to the delays that can occur when using e-mail.

But what may be surprising, especially to today’s IT leaders, are the serious security issues posed by IM usage. Add that to the fact that most IM applications are used without corporate IT’s knowledge or approval, and it’s not a pretty picture for network security.

Popularity soaring
According to Jupiter Media Metrix, a New York City-based research firm, IM use has doubled in just two years. In September 1999, IM gobbled up 2.3 billion user minutes for the month. In September 2001, IM grabbed 4.9 billion user minutes.

“We’ve seen a rise in instant messaging use by individual departments where employees have taken matters into their own hands and set up informal IM groups to supplement our corporate e-mail system,” said William McGee, vice president of operations at a plastics manufacturing company in New Jersey. “All of this is being done without the IT department’s approval or oversight.”

McGee and his company are not alone. Gartner, Inc., a consulting and research firm based in Stamford, CT, predicts that 70 percent of enterprises will be using IM by 2003.

Such explosive growth, coupled with today’s ad hoc adoption approach, should have CIOs trembling, according to security experts, because IM opens a company up to many potential security and legal problems.

Potential for disaster is multipronged
Most commercial IM services use port 80, the port that carries most HTTP traffic. Because IM shares that port with ordinary Web browsing, filtering on the port number alone cannot single out IM traffic for monitoring. IM traffic can open connections on port 80 thousands to tens of thousands of times a day, which can significantly increase a company’s exposure to security breaches.

Messages exchanged using Yahoo, MSN, or AOL IM services are not usually scanned by enterprises for viruses or malicious programs. This means hackers can exploit this security lapse by sending attachments holding viruses, worms, and other malicious software. Any of these could then enter a corporate network undetected.

Identity theft is another security issue associated with IM. Anyone can set up an account at Yahoo, AOL, or MSN using any name. An unscrupulous person could, for example, set up an account taking the name of the head of a major company. No one would be able to know for sure if that person is who he or she claims to be.

While there have not been any major outbreaks due to IM hacking or infected files sent via IM (the main source continues to be e-mail), the potential threat of malicious activity still exists.

“The widespread adoption of instant messaging has made it a new conduit for the spread of malicious code,” said Pete Cafarchio, vice president of marketing at security software vendor PestPatrol, Inc., based in Carlisle, PA.

Cafarchio recommends that users only share files with trusted and known sources and that they scan all files for pests and viruses.

Help on the way
To help reduce an enterprise’s exposure to security and legal risks, messaging outsourcing provider United Messaging, Inc., based in Malvern, PA, will launch Enterprise Instant Messaging (EIM) this January. EIM is a new managed service aimed at securing IM within the corporate enterprise.

Because EIM uses specific ports for its service, and not port 80, it is easier to monitor IM traffic in and out of a corporation. The service lets network admins save all IM “conversations” as a text file. This feature could come in handy if the corporation is working under specific industry regulations.
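The two monitoring situations the article contrasts, public IM riding on port 80 beside ordinary Web traffic and a managed service on its own port, can be shown on a connection log. The following script is an added example, not code from the article or from United Messaging; the log format, the host names (the `.test` domains) and the managed-service port 5222 are all constructed for illustration. It shows that a port-only rule is enough for the dedicated port but sees nothing on port 80, where the destination host must be inspected.

```python
"""Classify outbound connection-log lines as IM or ordinary Web traffic.

Added example (not from the article). Log format, host names and the
managed-service port are constructed assumptions.
"""
import re
from collections import Counter

# Constructed sample of an outbound-connection log (firewall/proxy style):
# timestamp, source IP, destination host, destination port, bytes sent.
SAMPLE_LOG = """\
2002-01-14T09:02:11 10.1.4.22 www.example-news.test 80 18422
2002-01-14T09:02:13 10.1.4.22 login.example-im.test 80 612
2002-01-14T09:02:14 10.1.4.22 msg.example-im.test 80 88
2002-01-14T09:02:15 10.1.4.37 www.example-news.test 80 20911
2002-01-14T09:02:17 10.1.4.37 msg.example-im.test 80 91
2002-01-14T09:03:40 10.1.4.51 eim.example-managed.test 5222 744
2002-01-14T09:03:41 10.1.4.51 www.example-shop.test 80 9032
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<port>\d+)\s+(?P<bytes>\d+)$"
)

# Assumed (constructed) host-name suffixes belonging to public IM services.
PUBLIC_IM_SUFFIXES = (".example-im.test",)
# Assumed dedicated port used by the managed IM service.
MANAGED_IM_PORT = 5222


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def port_only_classify(rec):
    """What a rule that looks only at the destination port can tell."""
    if rec["port"] == MANAGED_IM_PORT:
        return "managed_im"
    return "web"  # every port-80 flow, IM or not, looks the same here


def classify(rec):
    """Return 'managed_im', 'public_im' or 'web', inspecting the host too."""
    if rec["port"] == MANAGED_IM_PORT:
        return "managed_im"  # the port alone identifies the managed service
    if rec["port"] == 80 and rec["host"].endswith(PUBLIC_IM_SUFFIXES):
        return "public_im"  # same port as HTTP; only the host gives it away
    return "web"


def summarize(log_text):
    """Count flows per class and list sources talking to public IM hosts."""
    counts = Counter()
    im_sources = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than failing the run
        kind = classify(rec)
        counts[kind] += 1
        if kind == "public_im":
            im_sources.add(rec["src"])
    return {"counts": dict(counts), "public_im_sources": sorted(im_sources)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

In practice the suffix list would be replaced by whatever destinations the public IM clients in use actually contact, and the same split applies to any proxy or firewall log that records the destination host.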

For instance, the National Association of Securities Dealers, Inc., and the Securities and Exchange Commission mandate that e-mail and IM traffic must be monitored and archived by companies. If employees use IM on their own, without company approval, the IM communications could be considered a securities violation.
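The article says the managed service saves every IM conversation as a text file and that regulators require such archives. As an added example (not the article's or United Messaging's format, and not a description of any regulator's requirements), the following shows one way to keep such an archive as plain text lines where each entry carries a hash chained to the previous one, so a later edit or deletion can be detected. The record layout and the chaining are assumptions of this example.

```python
"""Append IM messages to a plain-text archive with a tamper-evident hash chain.

Added example (not from the article). Record layout and chaining are
assumptions; the archive is a list of JSON text lines, one per message.
"""
import hashlib
import json

GENESIS_HASH = "0" * 64  # chain anchor for the first record


def _hash_record(prev_hash, record):
    """SHA-256 over the previous hash plus a canonical form of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_message(archive_lines, timestamp, sender, recipient, text):
    """Append one message to the archive (a list of text lines); return its hash."""
    prev_hash = json.loads(archive_lines[-1])["hash"] if archive_lines else GENESIS_HASH
    record = {"ts": timestamp, "from": sender, "to": recipient, "text": text}
    entry = dict(record, prev=prev_hash, hash=_hash_record(prev_hash, record))
    archive_lines.append(json.dumps(entry, sort_keys=True))
    return entry["hash"]


def verify_archive(archive_lines):
    """Walk the chain; return (True, None) or (False, index of first bad line)."""
    prev_hash = GENESIS_HASH
    for i, line in enumerate(archive_lines):
        entry = json.loads(line)
        record = {k: entry[k] for k in ("ts", "from", "to", "text")}
        if entry["prev"] != prev_hash or entry["hash"] != _hash_record(prev_hash, record):
            return False, i
        prev_hash = entry["hash"]
    return True, None


def search_archive(archive_lines, needle):
    """Return the records whose text contains the given string (case-insensitive)."""
    hits = []
    for line in archive_lines:
        entry = json.loads(line)
        if needle.lower() in entry["text"].lower():
            hits.append(entry)
    return hits


def build_sample_archive():
    """Constructed conversation used to demonstrate the archive."""
    lines = []
    append_message(lines, "2002-01-14T10:15:02", "alice", "bob", "Can you send the Q4 figures?")
    append_message(lines, "2002-01-14T10:15:40", "bob", "alice", "Sending the spreadsheet now.")
    append_message(lines, "2002-01-14T10:16:05", "alice", "bob", "Thanks, got it.")
    return lines


if __name__ == "__main__":
    archive = build_sample_archive()
    print(verify_archive(archive))
    # Simulate a later edit of the first record and show the chain breaks.
    tampered = list(archive)
    first = json.loads(tampered[0])
    first["text"] = "Can you send the Q3 figures?"
    tampered[0] = json.dumps(first, sort_keys=True)
    print(verify_archive(tampered))
```

Written to disk, the lines are still an ordinary text file that can be searched with standard tools; the chain only adds the ability to prove that what is read back is what was written.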

The EIM service avoids possible identity theft by linking IM accounts to existing e-mail accounts. Specifically, EIM uses Lightweight Directory Access Protocol (LDAP) to tie into a corporate directory for authentication purposes.

Additionally, the service encrypts communications between the corporate site and United Messaging’s hosting centers. And although this may not seem like a big deal, this encryption is quite critical, as many companies fail to realize the vast exposure inherent in electronic eavesdropping.

In standard internal corporate e-mail systems, the traffic carrying messages between employees is housed on a corporate network and afforded some privacy because the network is protected by a firewall. But this scenario does not apply to IM communications.

Even if two people are working in adjacent offices, IM traffic between the two first traverses the firewall, then travels over the Internet to the IM provider’s server. At that point, the IM provider’s server then forwards the message back over the Internet to the recipient. All of this communication is done in clear text (meaning it is not encrypted). So a hacker listening in on traffic to and from a corporation can potentially read everything messaged between employees. The EIM encryption feature ensures that IM traffic has a higher level of confidentiality.

Interested in EIM?
EIM is currently being offered in limited trials and will be widely available in January 2002. Pricing is $30 per user per year.

How prevalent is IM in your enterprise?
What, if any, guidelines or rules have you established to make IM as secure as possible for your network? Share your experience and insight with fellow TechRepublic members by starting a discussion below.
