Enterprises Need Strong IM Security and Management

By Allen Bernard


As IM (instant messaging) software worms its way deeper and deeper into employees' everyday usage, IT managers need to find ways to combat the security risks it represents and manage its usage in terms of compliance and legal discovery obligations.

This is according to a recent Gartner study written by Peter Firstbrook, research director for Gartner's Information Security and Privacy research group, and analyst David Cearley.

IM threats increase with IM use and exposure to IM-related social engineering tactics, such as unsolicited IM messages from compromised buddy-lists. Firstbrook advocates adopting IM security and management strategies similar to those in place for enterprise email.

IT administrators who do not manage and protect IM properly will experience 80% more IM-related security incidents than those that do.

"Here is the liability; one is you have no record of IM," said Firstbrook. "So a record is good even from a productivity standpoint but it is absolutely vital from a compliance standpoint. The other issue is viruses."

Gartner has identified a number of risks of uncontrolled IM, including:

  • Lack of regulatory compliance involving records retention, communications limitations between employees and auditing of communications, among others.
  • Lack of universal encryption or widespread use of encryption can result in confidential or secret data being exposed in IM communications.
  • Lack of records or universal naming conventions can result in disputes over what was communicated and with whom, when business deals are conducted over IM networks.
  • Lack of visibility into IM usage can result in noncompliance with acceptable usage of enterprise assets, such as transfer of pornography, or salacious messages, and playing multiplayer games.
  • IM viruses are transmitted in two ways: as executable file attachments or as hyperlinks in IM text directing victims to malicious Web servers. In most cases, viruses are not automatically executed. Rather, they exploit social engineering tactics and an unjustified trust in IM buddy lists to convince victims to open unknown files or click on links.

"Dedicated IM hygiene products are the best way to protect and manage IM usage," said Firstbrook. "You have to buy a dedicated product to do it really right. Some of the firewalls have IM filters there so you can try to block them that way but it doesn't manage them."

But this doesn't stop someone from setting up their own Yahoo!, MSN, or AOL IM client on their desktop without your network admin's knowledge. To stop this, dedicated products work at the gateway, applying rules, via a management server, to all traffic that looks like IM, said Firstbrook. Such products are available from IMlogic, Akonix, and FaceTime.

The one drawback is you will need one appliance per Internet gateway on your network. But, if you don't do something, then "this is like email circa 1995," said Firstbrook, "when it was getting dangerous and people were ignoring the issue and suddenly it became a swamp. Get on top of this now."

But if you already have an email gateway product, Firstbrook advises his clients to put their IM management rules into that product, so you don't have to rewrite them later and end up with two sets (at the minimum) of gateway rules and definitions, which can be the size of dictionaries.

"You don't want to write the policy twice," he said, "because then you have to keep two policies in sync the entire time. Really what you want, what you're working towards isn't just an email policy or IM policy but a standardized communications policy because eventually we're going to open this up and it'll be VOIP policy, it's going to be your Web blogging policy, Web mail policy, Skype policy … so if you're looking further down the road you really want a communications policy."