IM Attacks Present Growing Threat to Enterprises
More and more enterprises are embracing the benefits of instant messaging as a corporate application. But many are leaving such applications uncontrolled and vulnerable, and the potential for attack is sending shivers down the spines of network administrators.E-mail may get all the attention when it comes to messaging security, but the time has come to begin giving more focus -- and budget dollars -- to IM.
E-mail still takes priority over instant messaging (IM) when it comes to corporate security, according to a recent poll of 100 organizations conducted by Akonix Systems, a San Diego-based provider of IM security software. The survey shows that only 11 percent have IM hygiene solutions in place, compared to 73 percent that take care of e-mail. Additionally, almost 50 percent of respondents say deploying an IM hygiene solution never crossed their minds.
Industry observers say this gap between the security applied to e-mail and that applied to IM is particularly alarming since 47 percent of respondents indicated that the people in charge of e-mail are also responsible for securing IM.
Globally, IM use is on the rise with nearly 12 billion instant messages being sent every day, according to IDC, an industry analyst firm based in Framingham, Mass. IM use isn't the only thing on the rise, however. Attacks on instant messaging are going up, as well.
Akonix tracked 62 IM-based attacks last November, and saw a 226 percent increase over the previous month, according to Don Montgomery, vice president of marketing for Akonix.
The primary reason organizations are not focused on IM security, despite the increase in attacks, is that there hasn't been a major IM virus outbreak yet, according to Osterman. While e-mail systems have been pounded by malware attacks, the viruses and worms hitting IM clients and servers haven't made as much of a splash, since the damage has been low -- so far.
Many network administrators believe the protections already in place will safeguard IM, as well.
''There's a perception that a lot of investments made in firewalls and perimeter security will protect [networks] from viruses,'' Osterman says. ''They would be wrong, though, because instant messaging uses unique protocols and a firewall won't be able to scan instant messaging for content or for malicious URLs or for the file transfer for viruses.''
Osterman adds that firewalls work by shutting down ports. But public IM clients, like those from Yahoo, AOL ,and MSN, which many employees use in lieu of a corporate standard, are port-seeking. ''You can shut down one port and the public IM clients will find another,'' he explains.
IT administrators at Kforce Professional Staffing, based in Tampa, Fla., aren't going to let that happen. The professional staffing firm has taken prescriptive steps to ensure that its approximately 1,400 employees, who are situated around the United States, are protected.
"We didn't want to hinder productivity since ... we believe [IM] will be a good tool for employees, especially if someone in one office wants to discuss a job with someone in another office. It's real time," says Jon Portz, network security lead at KForce. "We had anti-virus software in place ... but it can't stop a direct attack on a buddy list on AIM, which is quite vulnerable to buddy list hijacking."
Administrators at Kforce decided to bring in an IM security and management system to handle "uncontrolled use of IM, whatever the client." Portz adds that the firm also wanted to prevent ''information leakage," and have the ability to track and log employees' IM sessions.
The enterprise IM security market is burgeoning. In addition to Akonix, the providers include FaceTime Communications, IMLogic, which was recently acquired by Symantec, Postini, and ScanSafe.
Since moving to Akonix, which Portz says provided granularity of control and customization features, KForce has standardized on MSN and AIM clients until it moves to an internal IM solution.
Akonix gives Portz the ability to create reports on usage and do keyword searches if he wants to check on employees discussing a particular subject. "Compliance is gaining concern here," he notes. "Our HR and legal departments have given us directives to treat IM as e-mail."
Company administrators are looking at integrating Akonix with their Legato mail archive system, which would enable them to archive all instant messages as if they were sent via e-mail and attach the conversations to a specific user, Portz notes.
''If something questionable comes across Akonix, I get an email,'' Portz says. Since Kforce doesn't allow use of the extended attributes of IM -- raw chats only -- an employee will receive a notification that they have violated company policy if they try to do something like an audio/visual session, for example.
"We also get an alert from Akonix if anything outside of the policy boundaries, like file transfers, occurs,'' he adds. ''Executives used to be very afraid of IM. Trying to lock it all down and turn it all off is harder than you think ... Having an IM security management system in place gives a heck of a lot more peace of mind."
Osterman says it's a given that there will be a big outage caused by instant messaging. "It's not a matter of if, but when."
He estimates the cost of implementing an IM security system at about $10 per user. "We point out to companies," he notes, "that they're spending more on coffee every year for their employees than to protect themselves from outside threats."
This article was originally published on Datamation.