As Instant Messaging becomes ubiquitous, speeding communications and adding one more means of sharing information to the business arsenal, IT managers are being warned that IM is fast becoming a gateway for more attacks on the corporate network.
Instant Messaging is the hottest communication tool in the business office these days. The ability to connect with colleagues, to ask questions of team members and, of course, to chat with friends — all instantaneously — has pushed the telephone and even email back from the forefront of communication tools. Millions of corporate users have IM on their work machines.
The first problem is that the users, in most cases, installed the software themselves. IT leaders have no control over it. No supervision. No set standards or security procedures.
Another problem is that instant messaging can also mean instant problems.
Virus writers and spammers aren’t blind to the explosion of IM. Security analysts and industry observers say the black hats and the spammers are taking aim at what appears to be their next frontier — IM.
“It is a little risky today but the risk is growing,” says Richard Stiennon, vice president of research at Gartner, Inc., a major industry analyst firm. “As the usage and the predominance of IM increases, it’s only a matter of time before a virus with strength and destructive capabilities hits instant messaging.”
Echoing Stiennon, Tony Magallanez, systems engineer at F-Secure, Inc., a data security and anti-virus company, says IM isn’t a major safety concern – yet.
“In general, 90 percent of the time, it’s not a risk,” says Magallanez. “Just like with emails, opening a file from somebody you don’t know has the potential of infecting a machine. People can do things that bring on risk.”
But Magallanez adds that virus writers are turning an eye toward IM, upgrading worms and viruses to take advantage of IM. Magallanez says they’re on the watch for malicious code that will enter computers through IM, much like it does today via email. But he also notes that some viruses out there today include instant chat clients that will — unbeknownst to the user — connect to a live chat room and wait for instructions from the virus writer.
Dan Woolley, a vice president at SilentRunner, a network security company, says instant messaging has been a security concern ever since it hit desktops. And with proof-of-concept viruses hitting IM more and more frequently, he says that concern is increasing.
“We’ve been concerned for a long time about instant messaging,” says Woolley, adding that viruses are only part of the problem. “IT managers have to remember that when a user carries on a discussion with the person in the cube right next to him, if it’s not a corporate mechanism, it doesn’t go from one computer right next door to the other one. It goes out of the corporate network and across different networks and then back to the other person’s desk. Whatever is being transmitted is being transmitted in the clear.”
Russ Cooper, surgeon general for TruSecure Corp., a security company based in Virginia, says there have been few security vulnerabilities in the major IM products, and viruses and spammers are just gearing up for it. The immediate threat is in-house communications, which could very well contain critical corporate information, traveling through outside networks.
“From a corporate secrets perspective, it’s probably not what you want happening,” says Cooper. “It’s likely that somebody will try to eavesdrop on important conversations… So far we have not seen that type of action on a large scale but the possibility exists.”
Analysts say a surefire way to avoid that problem, along with IM viruses and spam, is simply to not allow users to install IM on their machines. Make it a policy. Enforce it. And just to be safe, block it from the network.
But analysts also say they realize that may be too restrictive for many companies. Another way to avoid that problem is for a company to standardize on an IM product designed for corporate use — one with security features, like encryption, and an in-house server to keep private communications private.
“Adopting a standard and having your own instant messaging server — the advantage is that it’s completely under your control,” says TruSecure’s Cooper. “Instead of allowing any Tom, Dick and Harry to connect to the IM system we’re using, I can keep this just for my end users. You then have control over who has access to information.”
Gordon Haff, a senior analyst at Illuminata, an industry analyst firm based in Nashua, N.H., says IM should be treated just like email. IT leaders need to sit down and form policies governing instant messaging.
“It’s not that companies shouldn’t use AOL Instant Messaging, but they need to include IM in their company usage policy,” says Haff. “It’s a company resource. Excessive use, trading dirty jokes — it should all be part of the policy… People need to be aware that there’s a potential for certain types of problems and they need to follow basic, safe-computing practices.”
Gartner’s Stiennon also recommends that users set it up so their IM will only receive messages from people on their Buddy List. Remind users, he also warns, not to click on anything that is sent over IM — just as they wouldn’t with email.
“I think most enterprises have to start looking at this today,” says Stiennon. “The productivity gains from IM are there, so if we’re doing it securely, we’re getting all the benefits.”