Instant Messaging = Instant Death
In the second of a new weekly series for Cambridge Network members, IT governance expert Alan Calder explains the ABCs of business security and compliance. This week he looks at Instant Messaging.
The Threat
Instant Messaging is a technology that is more immediate than e-mail, gives users the opportunity for real-time interaction across the internet, and is almost completely insecure. Users can download messaging software from the web, use it to bypass your firewall, anti-virus defences and anti-malware defences and also to despatch confidential information (including stock market price sensitive stuff, documents, folders and any other Intellectual Property) instantly - and without trace - to anyone they like. You will have no record of the interaction. That is why Instant Messaging is instant death to organizational security.
How does it work?
Instant Messaging (IM) is also incredibly useful. It developed, however, as consumer technology – ease of use was far more important than enterprise-strength security. MSN, AOL and Yahoo are the three main providers. Their client software condenses multiple communication functions into a small, easy-to-use and easy-to-configure application that is capable of tunnelling through most firewalls. Users download it and can then log into a central service where they can communicate with other online users of that service. The only way to block IM is to shut off ALL user access to the Internet – IM applications are ‘port agile’, which means that they will locate any open port in the firewall and tunnel their traffic through it.
What effects does it have?
IM is not secure. Viruses, worms, Trojans and other malware can spread easily through IM. Identity theft or spoofing is very straightforward. Files can be untraceably transferred via IM. IM is a potent tool for leaking data and information of any sort. For organizations, this means that they may have breaches of governance regulations and of the data protection, human rights and privacy legislation – and will not be aware of them until too late. It is also a major growth area for spam (called, in this context, spim), although spim is usually more offensive and intrusive than spam. IM also has well publicized vulnerabilities that are exploited in Denial of Service attacks.
What do we do about it?
First things first: decide whether you need to deploy IM. Even if you don’t, you may have to accept that it will be used on your network. You then have to decide whether to deploy the enterprise version of the software or to try and control use of the consumer version. This is a cost-benefit decision. Either way, you will need to deal with the basic security issues: authentication, anti-malware, anti-virus, confidentiality, encryption, integrity, patching, record of communication, traceability. You will need a combination of technology, policy and training to deal effectively with all these issues.
What else?
Policy guidelines about IM should be written into every user’s Acceptable Use agreement. User training and awareness is essential.
Next week: Wireless networking while on the Road