Mark T. Edmead
OK, I admit it. I'm one of those instant messaging junkies. Instant messaging (IM) is one of those great applications that lets you keep in touch with friends and colleagues by giving you the ability to chat on-line in real time. There are four major players in this arena: America Online's AIM, ICQ, MSN Messenger and Yahoo Messenger, and truth be told, I have accounts with all of them.
According to a study by INT Media Research, of the 47% of enterprises allowing IM access in the workplace, 13% don't take any security precautions. In addition, 41% said their IM applications are installed behind a firewall. In a survey conducted at the Gartner Information Security Conference in Chicago, 58% of those surveyed said that the careless use of personal communications, especially the use of instant messaging, poses the most dangerous security risk to their networks.
What exactly is the security risk? For starters, messages are sent in "clear text," which means that confidential or private information an unsuspecting employee sends over IM can be "sniffed" by a hacker. Because many implementations of IM bypass the firewall, it's possible to receive virus-infected files using the built-in file transfer capabilities of the IM program.
Several vulnerabilities have been found in AOL AIM, Yahoo Messenger and MSN Messenger. Many of those vulnerabilities involve the ability for a hacker to execute unauthorized code, holes that allow unauthorized script execution and the ability to create buffer overrun conditions. Those vulnerabilities could allow the hacker to gain control of a target system or to render the system inoperable.
In addition to the risks outlined above, there are other security concerns, including the following:
- Ability for individuals to send copyrighted material across the Internet. This includes copyrighted software, MP3 files and photos.
- Ability for hackers to perform social engineering attacks, enabling them to receive sensitive information such as user names, passwords or credit card numbers.
- When performing a file transfer, it's possible to reveal the true IP address of the system. An attacker can use that information to perform a denial-of-service attack.
- If the user name and password of an account can be determined, a hacker can then impersonate another user.
Because of those security risks, it's crucial for anyone using IM in his corporate environment to develop, adopt and implement security policies that include the use of IM. There are additional mitigation controls one can implement:
- Security administrators should stay on top of the spate of alerts in regard to IM.
- Administrators should also attempt to get users to apply patches in a timely manner and to treat IM as a formal communication tool subject to the same usage restrictions as e-mail.
- Disable file transfers and block unwanted TCP IM sessions. (You will need to check the IM settings to determine which ports to block.)
- If IM is going to be used in your company, consider using third-party software solutions that add security to IM networks. Check out Akonix, Softwin and Impasse. Other companies, such as WiredRed, have secure instant messaging solutions.
There are definite benefits to using IM in the corporate environment, but like any other service connected to the Internet, you need to make sure it's secure from unauthorized and unwanted use.
About the author:
Mark Edmead, CISSP, SSCP, TICSA, is president of MTE Software, Inc. (www.mtesoft.com), and has more than 25 years' experience in software development, product development and network systems security. Fortune 500 companies have turned to Mark often to help them with projects related to Internet and computer security. He was managing editor of SANS Digest (Systems Administration & Network Security) and contributing editor to the SANS Step-by-Step Windows NT Security Guide. Mark previously worked for KPMG's Information Risk Management Group and IBM's Privacy and Security Group, where he performed network security assessments, security system reviews, development of security recommendations and ethical hacking. Other projects included assisting companies in developing secure and reliable network system architectures for their web-enabled businesses. Mark is co-author of the book Windows NT: Performance, Monitoring and Tuning published by New Riders and editor of the SANS Business Continuity/Disaster Recovery Plan Step-by-Step Guide.
This was first published in July 2002