Naughty but nice

The fast-growing popularity of peer-to-peer communication, and particularly IM, is bringing an equal expansion of risk. Janine Milne reports

Walk into any office and you will see people frantically alt-tabbing as they switch from instant messaging their mates to something that makes them look busy.

Like it or lump it (and most people like it), instant messaging (IM) has invaded our offices. It's become the email for the noughties – simply the only way to communicate. Some 28 million business users sent nearly one billion messages a day last year, according to analyst IDC.

Alongside the tremendous benefits IM brings come a fresh bunch of problems for security professionals to tackle.

As Chris Penner, director of product management at Barracuda Networks, points out: "Companies are finding it helps productivity, but because it comes in under the radar, it really hasn't been managed up to this point."

These threats are becoming increasingly hard to ignore. IM security specialist FaceTime Communications estimates there were almost 800 incidents in the last quarter of 2005, compared to just 59 in the first quarter. Security threats through IM and peer-to-peer (P2P) networks grew twenty-fold – that's a 2,200 per cent increase over 2004.

While P2P incidents still represent only a fraction of total security threats, they are growing and, what's worse, they are becoming increasingly sophisticated.

"The worrying thing is that the motive for writers of malware is changing from notoriety to financial gain," says Jonathan Mepsted, regional director at Fortinet.

Instant messaging isn't the only P2P technology that poses a security threat. P2P file sharing, Skype and spyware, together with IM, have been dubbed "greynets" because they can be downloaded and installed on people's systems without IT (or the end user) being any the wiser. Once there, they can traverse the network at their leisure.

But it's IM that security experts agree is the weakest link in corporate defences, because of its scale and ubiquity.

"I'd say that IM is a bigger problem than, say, using peer-to-peer file sharing," says Donal Casey, security consultant at IT services company Morse. "It's very pervasive and does everything it can to get through firewalls."

File sharing is important to keep track of because exchanging copyrighted material leaves companies at risk of breaching copyright laws. But it's easier to stop, says Casey, because it uses fixed ports which can be blocked.

IM will subject you to the usual roll-call of threats: data theft, denial-of-service attacks, viruses, worms. The only thing different is hackers are trying a new entry-point. So the simplest thing to do is to cut off that entry-point and ban messaging outright, which some companies have done.

But this is proving hard and unpopular to do. According to Mepsted, 40 per cent of enterprise users use P2P networks for communication. "And you have to think of the next generation of graduates coming out of university who are used to IM – they probably don't use email because it's too slow," points out Mepsted. "So ideally, you should try and embrace the opportunities IM brings."

One effective compromise is to only allow employees to use IM internally. But in the same way that companies tried to limit people's usage of email and web browsing to "work" only, this is often an impractical and unworkable solution.

And as Casey rather cynically points out: "There's a chain of thought that says people are going to waste their time whatever you do. Thirty years ago, they would have read a paper, so maybe you're better off keeping them from being disgruntled."

Banning IM also means ignoring its many business benefits. Messaging is unbeatable for fast, uncomplicated communication, making email look sluggish in comparison. Unlike phones or email, you can actually respond to IM while you're doing something else without breaking your concentration.

"Emails tend to be quite long and telephone calls are too – and you can only do one of those at once. Whereas with IM, you can be doing other things too," Casey points out.

Not only that, Gartner estimates that IM allows you to cut down phone calls by 30 per cent, email by 40 per cent and voicemail by 15 per cent.

Rather than ban IM, most companies are looking at ways to control and manage it. The first thing is to establish how big the problem is, so it's crucial to check the firewall log and audit PCs.

But before you lay your hands on any security kit: "Start with training the humans," advises Sandrijm Stead, director of EMEA sales and marketing at Proofpoint.

The main way IM hackers work is through social engineering: getting people to visit a website or open an attachment to launch a virus or worm.

At the beginning of last year, two major worms, Bropia and Kelvir, and their variants specifically targeted MSN Messenger. Bropia.F was sent with a second, more damaging worm that exploited poorly patched software. Win32.Kelvir sent a URL pointing to an infected file. The message "omg this is funny", followed by a URL, enticed people to go to the website.

While staff have wised up to such threats delivered through email, they don't yet understand that IM needs the same attention. So educate your workers not to open attachments or URLs unless they are absolutely sure that it is kosher, and ban file sharing using IM. The tricky thing is that "omg this is funny" from a known contact could sound like a genuine message.

Set out a corporate IM usage policy, so staff know where they are.

But as John Fomook, director of worldwide marketing at Paceteer, points out: "You can have a policy, but we all know that having a policy and enforcing it are two different things."

After all, we all know chocolate is fattening, but that doesn't stop people eating it.

A sneaky and pragmatic approach to reducing IM usage is to cut the available bandwidth. If people start finding IM sluggish, they'll quickly drop it and return to their old favourite, email.

But for those companies that want to make full business use out of IM, the best thing to do is to buy one of the many internal enterprise IM products on the market, which can then link with the public networks.

"A large percentage of attacks target the public IM client, but if you switch to an internal IM server and client structure, it takes you off that public client," says Penner. "So if you allow people to connect to Yahoo! you first connect them to your own server then your own server connects to Yahoo!."

That means workers don't need to have ICQ, Yahoo!, MSN and AOL all open on their desktop to communicate with different clients. From a security point of view, it also ensures that the data is encrypted, which it isn't over the public networks (unless specifically set up to be).

The key thing about IM threats, in those immortal words from The Hitchhiker's Guide to the Galaxy, is "Don't panic!" The technology is there to deal with IM, and without a huge investment.

Pragmatically, ask your security suppliers if they include or plan to include IM security in their suite of products and if not, why not. "I think it really should be up to us to educate the end-user community and offer them a solution that's not too difficult to implement or costs too much," says Mepsted.

For any threat, you need to ensure you set up your firewalls, and your intrusion detection and prevention systems to control port and unauthorised access. Keep patches for your operating systems and applications bang up-to-date.

Establish which users can have full access, which can send data but not use Skype, and so on. You could limit things by file size, or by person, however you choose; there are legitimate reasons to transfer any type of file, so companies must establish that for themselves.

"The problem is there are virulent applications," says Stead. "They will work round firewalls or jump ports or they will disguise themselves as HTTP – it's pretty simple to do."

And although anti-virus is clearly a must, in practice it's hard to ensure that every PC or other device is bang up to date. "Other systems will come onto your network through visitors or people will take their laptops home, so things can spread quickly before it draws attention to IT," states Fomook.

Anti-virus software is also reactive: it can only sort out a problem once it's found it. That might be fine for email, but in an IM world a virus can spread extremely fast. Someone in sales could be contacting clients on multiple messaging systems simultaneously. Viruses can now jump between messaging systems, so that salesperson could instantly be infecting possibly legions of others.

"In terms of speed, it's very dangerous – probably more so than email because it's instant and rapid. In volume, it could potentially exceed email," says Penner.

Barracuda and others offer a complete integrated solution that includes key word blocking (stopping anything that looks like an account number, for example) and logging.
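The keyword blocking and logging described above, as an added example that is not from the article or from any vendor's product. It assumes that "looks like an account number" means a 13 to 19 digit run that passes the Luhn checksum used by payment cards; the keyword list, function names and sample messages are constructed for illustration.

```python
import json
import re
from datetime import datetime, timezone

# Candidate account numbers: 13-19 digits, optionally split by spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
BLOCKED_KEYWORDS = ("confidential", "account number")  # constructed policy list


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates card-like numbers from order ids and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def inspect_message(sender: str, recipient: str, text: str) -> dict:
    """Return an audit record; action is 'block' when policy matches, else 'allow'."""
    reasons = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            # Record only the last four digits so the log is not itself a leak.
            reasons.append(f"account-like number ending {digits[-4:]}")
    lowered = text.lower()
    reasons += [f"keyword '{k}'" for k in BLOCKED_KEYWORDS if k in lowered]
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "from": sender,
        "to": recipient,
        "action": "block" if reasons else "allow",
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample messages; every record is logged, blocked or not.
    for text in ("pay with 4111 1111 1111 1111",
                 "order ref 1234567890123456",
                 "see you at lunch"):
        print(json.dumps(inspect_message("sales01", "client42", text)))
```

Logging allowed messages as well as blocked ones gives the stored, searchable record that the regulations discussed next call for.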

Sarbanes-Oxley and other regulations call for organisations to track electronic transfers of information, so if employees are using IM to make deals, then this information needs to be stored and made easily accessible, just like email. There's a similar problem here with P2P voice service Skype. "When you're using a corporate phone system, the call will be logged and Skype takes that away," explains Penner.

Skype is not a security threat in itself; it's more the amount of bandwidth it devours that causes companies problems, as Manchester University has found.

Ultimately, if someone is hell-bent on scuttling sensitive data out of your company, then battening down your IM communications won't be enough to stop them. All they need to do is use a memory stick or even print off the pages. And no amount of technology can help you deal with that.

Copyright © SC Magazine, US edition