Study: Instant Messaging Use Is A Big Security Threat

By Bob Woods

When it comes to security issues in the enterprise, blame the messenger and not the communications channel – at least that’s what a majority of IT security pros say in a new study from Gartner Inc. for managed security-services provider Guardent Inc.

Eighty percent of all network security managers who were surveyed last month at the Gartner Information Security Conference in Chicago, claim their biggest security threat comes from their own employees. Just as surprising is that 58% of those surveyed said the careless use of personal communications by their employees – especially e-mail and instant messaging (IM) – poses the most dangerous security risk to their networks.

On the flip side, just 22% point to deliberate insider breaches as their biggest concern.

The Gartner/Guardent survey’s results are very surprising, especially when recent news stories of bugs and breeches of public IM systems are taken into account. While extra precautions can be taken to avoid those technical maladies, though, the human part of the IT equation definitely needs work.

Gartner’s/Guardent’s findings once again emphasize the need for corporations, organizations and governments to not only develop and implement comprehensive security policies, but to enforce them as well. Those policies now must also include IM usage, if they do not already.

In a study by INT Media Research, 70% of businesses surveyed said they don’t offer their employees guidelines on acceptable use of IM technology.

All of this data should not, however, discourage management from enabling their employees to use IM – preferably an enterprise-strength IM system that exists either from behind a firewall or as part of a ASP-supplied service.

The INT Media Research survey says that of the 47% of enterprises allowing or supplying IM access in the workplace, 13% take no security precautions whatsoever. Forty-one percent said their IM applications are installed behind a commercial firewall, while 41% said a network firewall prevents access to unauthorized free IM services. Just 5% said they outsource IM security functions to a third-party firm.

Such an enterprise system can come with interoperability, so that employees can chat with people on the free IM networks.

The use of free IM clients alone on a company’s network, though, is another matter. By using the services, messages sent by employees are essentially “in the clear” on the Internet, meaning that a savvy eavesdropper can “see” the IM session. Also, hackers use the public IM nets to try to entice unsuspecting workers to go to a malicious Web page or click on a link in the IM window. By following hackers’ leads, employees can unknowingly let a worm loose on a company’s network – especially because IM attachments can’t be easily scanned for viruses.

What’s more, employees open themselves up to the growing trend of IM spam by using the public IM nets.

However, if employees demand to use a free IM service, and a company does not purchase an enterprise-strength IM system that is interoperable with the IM networks, a small measure of security can be ensured by using the Trillian cross-platform IM service on both ends of the conversation. The selling point here isn’t the fact that the client enables simultaneous IM access to the four major services, AOL’s AIM, ICQ, MSN Messenger and Yahoo Messenger. When both users employ the Trillian client via the AIM network, their one-on-one electronic chat is encrypted. So while an enterprise’s network is still “open” by the use of Trillian, at least the IM conversation is no longer in the clear.

The use of AIM-enabled Trillian, combined with a strongly enforced comprehensive security policy, can reduce but not eliminate security risks.

While the question of deliberate intrusions by malicious hackers did not show up in the survey, IT managers nonetheless should take proactive security measures such as internal intrusion detection solutions and regular internal and external vulnerability scanning.

To mitigate the risk of IM vulnerabilities, Gartner recommends:

Security administrators should stay on top of the spate of alerts in regards to IM

Administrators should also attempt to get users to apply patches in a timely manner and to treat IM as a formal communication tool subject to the same usage restrictions as e-mail

When choosing among competing IM systems, enterprises should heavily weight the security of the code.

Reprinted From InstantMessagingPlanet.

Must Read