Under the Radar: IM Emerging as a Stealth Threat

By Allen Bernard


Although not nearly as pervasive as email or Web browsers, instant messaging (IM) is becoming more and more popular in the corporate world. Yet most IT managers have no idea how widespread IM is within their organizations. And this is a problem -- specifically, a security problem.

Because IM clients reside on users' desktops and communicate with the outside world using HTTP, it is difficult to distinguish IM messages from everyday Web traffic. Yet, IM clients are basically interpretation programs, like Microsoft Word, that can execute all manner of attachments, thus creating a backdoor into the corporate network, said Fred Cohen, a principal analyst with the Burton Group.

"Companies that don't have a proper policy in place and the technological safeguards to support that policy have big (security) holes," he said.

While there are products to control, track and/or block the usage of IM, few IT managers have fielded solutions. Instead, they focus their time on more immediate and well-defined threats such as viruses, hackers, worms and Trojans, Cohen said. Yet, blended threats that look for the easiest entry into the network -- either email or IM -- are becoming more common.

According to a recent Websense/Harris Interactive poll of employee Web use, 17% of employees admit to using IM and 37% of those users also admit to downloading and opening attachments via IM, yet 64% of companies do not officially sanction its use.

While 17% may not seem like much of a threat, the actual number of users is probably much higher since most employees are not likely to admit they use it, said Francis deSouza, founder and CEO of IM Logic, which makes IM tracking and management software.

deSouza has seen research indicating IM usage is common in up to 84% of companies. Some 20 million employees are estimated to be IM users, he said, yet the commercial IM products, such as Lotus Sametime, account for only a few million seats.

"That tells you ... most of these companies have their users on AOL, MSN or Yahoo!," he said.

Lurking Links

As Web-based and browser-based attacks that require no opened attachment from which to launch also increase (such as the recent Sasser virus and Web pages that need only be visited to release a viral payload) IM becomes even more of a threat to corporate networks, said Richard Kagan, vice president of Marketing for Fortinet, a hardware firewall maker.

"It's incredibly common for links to be embedded in IM," he said. "Much more so than attachments; 'Here, check this out' and bang, you're done."

The other underlying threat posed by IM is the speed with which viruses can travel once released into enough IM clients. Instead of days for a virus to infect computers world-wide via email (it used to be months), IM can propagate a virus in a matter of hours.

This creates a major challenge for network security administrators tasked with ensuring it doesn't happen. And if they are unaware IM is being commonly used within their companies, it could be a major headache too, said deSouza.

Currently, there are about 200 IM-specific viruses in circulation. But, as IM usage continues to grow, so will the number of attacks, said Burton's Cohen. Today, there just aren't enough IM users to get any headlines from writing IM viruses, which is the good news.

"So, working for IM is the fact that the user base isn't as big as email, so it's not as attractive for virus writers," said IM Logic's deSouza. "But, working against it is it's actually a very efficient medium to propagate stuff, so if it hits it can hit really, really fast."

IM Ignorance Isn't Bliss

Aside from actual network threats there are compliance issues to think of as well. Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA) both call for controls and tracking of the electronic transfer of information. If employees are using IM to make deals (SOX) or discuss patients (HIPAA), there could be problems, said deSouza.

In March, the New York Stock Exchange (NYSE) and the NASD, for example, sent out memos specifically stating IM is covered under the electronic communication clauses of their guidelines and regulations, he said.

Perhaps the biggest threat from IM, however, isn't so much regulatory or even virus-borne, but the one that comes from ignorance. If you don't know you are threatened, then there isn't much you can do about it. And, for now, that is the main risk posed by IM.

"It's the combination of threats, vulnerabilities and consequences that leads to risk," Cohen said. "And, in IM, we have a big vulnerability, but the threats haven't become so big that they're causing the corporate people to respond in a harsh way. The consequences so far with IM have not been so severe that they've caused anything like the harm associated with email."