Growing IM Attacks Threaten the Enterprise

When it comes to messaging security, email still gets all the attention... and IT budget. But as IM threats increase, more thought will have to be paid to protecting this growing business tool.
More and more companies are embracing the benefits of instant messaging as a corporate application. But many are leaving such applications uncontrolled and vulnerable, and the potential for attack is sending shivers down the spines of network administrators.

Email still takes priority over instant messaging (IM) when it comes to corporate security, according to a recent poll of 100 organizations conducted by Akonix Systems, Inc., a San Diego-based provider of IM security software. The survey shows that only 11 percent have IM hygiene solutions in place, compared to 73 percent that take care of email. Additionally, almost 50 percent of respondents say deploying an IM hygiene solution never crossed their minds.

Industry observers say this gap between the security applied to email and that applied to IM is particularly alarming since 47 percent of respondents indicate that the people in charge of email also are responsible for securing instant messaging.

Globally, IM use is on the rise with nearly 12 billion instant messages being sent every day, according to IDC, an industry analyst firm based in Framingham, Mass. IM use isn't the only thing on the rise, however. Attacks on instant messaging are going up, as well.

Akonix tracked 62 IM-based attacks last November, and saw a 226 percent increase over the previous month, according to Don Montgomery, vice president of marketing for Akonix.

The primary reason organizations are not focused on IM security, despite the increase in attacks, is that there hasn't been a major IM virus outbreak yet, according to Osterman. While email systems have been pounded by malware attacks, the viruses and worms hitting instant messaging haven't made as much of a splash yet since the damage has been low, so far.

And many network administrators think the protections they already have in place will safeguard IM, as well.

''There's a perception that a lot of investments made in firewalls and perimeter security will protect [networks] from viruses,'' Osterman says. ''They would be wrong, though, because instant messaging uses unique protocols and a firewall won't be able to scan instant messaging for content or for malicious URLs or for the file transfer for viruses.''

Osterman adds that firewalls work by shutting down ports. But public IM clients, like Yahoo, AOL and MSN, which many employees use in lieu of a corporate standard, are port seeking. ''You can shut down one port and the public IM clients will find another,'' he explains.

IT administrators at Kforce Professional Staffing, based in Tampa, Fla., aren't going to let that happen. The professional staffing firm has taken prescriptive steps to ensure that its approximately 1,400 employees, who are situated around the U.S., are protected.

''We didn't want to hinder productivity since... we believe [instant messaging] will be a good tool for employees, especially if someone in one office wants to discuss a job with someone in another office. It's real time,'' says Jon Portz, network security lead at KForce. ''We had anti-virus software in place... but it can't stop a direct attack on a buddy list on AIM, which is quite vulnerable to buddy list hijacking.''

Administrators at Kforce decided to bring in an instant messaging security and management system to handle ''uncontrolled use of IM, whatever the client''. Portz adds that they also wanted to prevent ''information leakage'', and have the ability to track and log employees' IM sessions.

The enterprise instant messaging security market is burgeoning. Other providers include FaceTime Communications, IMLogic, which was recently acquired by Symantec Corp., Postini, Inc. and ScanSafe, Inc.

Since moving to Akonix, which Portz says provided granularity of control and customization features, KForce has standardized on MSN and AIM clients until it moves to an internal IM solution.

Akonix gives Portz the ability to create reports on usage and do keyword searches if he wants to check on employees discussing a particular subject. ''Compliance is gaining concern here,'' he notes. ''Our HR and legal departments have given us directives to treat IM as email.''

Company administrators are looking at integrating Akonix with their Legato mail archive system, which would give them the ability to archive all instant messages as if they were email and attach the conversations to a specific user, Portz notes.

''If something questionable comes across Akonix, I get an email,'' Portz says. Since Kforce doesn't allow use of the extended attributes of IM -- raw chats only -- an employee will receive a notification that they have violated company policy if they try to do something like an audio/visual session, for example.

''We also get an alert from Akonix if anything outside of the policy boundaries, like file transfers, occurs,'' he adds. ''Executives used to be very afraid of IM. Trying to lock it all down and turn it all off is harder than you think... Having an instant messaging security management system in place gives a heck of a lot more peace of mind.''

Osterman says it's a given that there will be a big outage caused by instant messaging. ''Its not a matter of if, but when.''

He estimates the cost of implementing an IM security system at about $10 per user. ''We point out to companies,'' he notes, ''that they're spending more on coffee every year for their employees than to protect themselves from outside threats.''






0 Comments (click to add your comment)
Comment and Contribute

 


(Maximum characters: 1200). You have characters left.