Securing Instant Messaging

IM is rife with security holes, which translates to holes in your enterprise. Here's how to find and close them.

Like it or not, instant messaging (IM) is one communication tool that's here to stay. Many users are ecstatic about IM: It's quicker than e-mail and less intrusive than the telephone. It's also riddled with security challenges.

Take logistics and supply chain company Ryder System Inc. (parent company of Ryder Truck) in Miami, which has been using Lotus Sametime, an IM product from IBM, for over two years. "It's a great way for us to increase personal productivity," notes David Baildon, Ryder's group director of knowledge management. For Ryder's 2,000 users of Sametime, IM radically reduces phone tag and voice mails. "Someone will usually ping someone on Sametime to see if they're ready to take a call," he says. In addition, people in conference calls often multitask with IM, answering short questions or quickly scheduling small-group meeting times.

Other companies employ IM for real-time customer support (via a Web-based applet or one of the free IM services) or to communicate with extranet partners.

Yet too many companies haven't thought out, or begun to deal with, the myriad security and enforcement issues surrounding IM. In short, IM can be a nightmare, and your company must make a choice—manage IM or block it. The time for that decision is now.

If you're like the majority of companies and have no IM policy, use free IM products, or just ignore the technology, you're in trouble. A recent survey from Osterman Research Inc. (Black Diamond, Wash.) found that IM is currently used, officially or unofficially, in 84 percent of organizations, rising to 88 percent within a year. (See "Who's Using What.") Among organizations that have officially standardized on IM, 61 percent use Lotus Sametime.

Even those organizations that support IM may not control it. Gartner Inc. analyst Rob Batchelder suggests that "50 percent of companies are penetrated by IM, but only 1 percent of businesses are actually managing it."

[Graph: Who's Using What]

When IM Attacks
Here's the crux of the problem: Since IM attachments are sent directly from PC to PC, neither firewalls nor corporate virus software scan them first.

That means that free, consumer-aimed IM services such as AOL, MSN and Yahoo, which are widely used in the workplace, are highly dangerous if used in the wrong way.

While these IM clients are lightweight enough that they can't be co-opted into doing much damage on their own, their users can. Without authentication, anyone finding an empty cubicle and a PC with IM software can easily masquerade as that PC's owner, eliciting corporate secrets from other users or gaining passwords from brute-force dictionary attacks.

One particular problem affecting "tens of thousands of systems," according to the CERT Coordination Center at Carnegie Mellon University, is automated. It works by opening an IM window and offering attractive downloads—music, games, a fix for a bogus virus—but behind it is a malicious, message-generating tool that sends a Trojan horse or other executable instead, silently co-opting the PC for use in a distributed denial-of-service attack.

At press time, Symantec's Norton Antivirus 2003 software promised to scan in-line IM attachments. However, experts warn that in general, interrogating every message or attachment can slow IM to the point where it functions like e-mail.

[Chart: IT Organizations' Current Attitude Toward IM]

Saying No
Pulling the plug on IM won't work. "It's become a rogue infrastructure [and] it's become useful," Batchelder says. Users will resist.

Trying to manually block the free IM services by tweaking firewalls is difficult, if not impossible. IM clients are adept at circumventing port restrictions: If MSN Messenger can't get through the HTTP port (80), it will flood other known ports (such as FTP) or a user-defined port looking for a way in.

Tread carefully in banning IM, advises a security IT director at American Presidential Lines, a 150-year-old global ocean transportation services company with headquarters in Singapore. "We get people who are real creative. We put a policy out—no use of IM—and the next thing you know, 'this is how you get around it' is out on the grapevine," says Van Nguyen, director of global IT security. "I usually give [the offenders] a call personally, and usually you do that once or twice, and it stops, because people know what they're doing isn't allowed." Only if users are abusive does he get the legal department and human resources involved.

Taking Control
If you insist on saying no, realize that at the most basic level, a network sniffer will be able to root out the IM protocols in play. You'll want to install heavy-duty software to catch more potential protocol problems. SilentRunner (from Silent Runner Inc.) checks every last network packet for compliance; Investigator 4.0 (WinWhatWhere Corp.) monitors keystrokes.
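The two points above, that IM clients fall back to port 80 or other open ports when their default port is blocked, and that a sniffer can still identify the protocols in play, are illustrated by this added example (not from the article or any vendor named in it). It classifies captured flows by the protocol signature in the first bytes a client sends rather than by destination port; the flows, hosts and addresses are constructed for illustration.

```python
"""Signature-based IM detection over captured flows (added example).

Port-based rules only see IM on its default port; signature matching
still finds an MSN session that fell back to port 80, an AIM session
on 443 or a Yahoo session on the FTP port. Sample flows are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes sent by the client


# Default server ports of the consumer services; all a port rule can match.
DEFAULT_PORTS = {1863: "MSN Messenger", 5190: "AOL Instant Messenger", 5050: "Yahoo Messenger"}


def detect_by_port(flow: Flow) -> Optional[str]:
    return DEFAULT_PORTS.get(flow.dport)


def detect_by_signature(flow: Flow) -> Optional[str]:
    p = flow.payload
    if p.startswith(b"VER ") and b"MSNP" in p:        # MSNP: "VER <trid> MSNP8 CVR0\r\n"
        return "MSN Messenger"
    if len(p) >= 6 and p[0] == 0x2A and 1 <= p[1] <= 5:  # OSCAR FLAP: 0x2A marker, channel 1-5
        return "AOL Instant Messenger"
    if p.startswith(b"YMSG"):                          # YMSG: "YMSG" magic, then version
        return "Yahoo Messenger"
    return None


def rogue_im_hosts(flows: List[Flow]) -> Set[str]:
    """Internal hosts running IM on a non-default port, i.e. past a port block."""
    return {f.src for f in flows if detect_by_signature(f) and detect_by_port(f) is None}


SAMPLE_FLOWS = [  # constructed; documentation address ranges
    Flow("192.0.2.11", "198.51.100.1", 1863, b"VER 1 MSNP8 CVR0\r\n"),
    Flow("192.0.2.12", "198.51.100.1", 80, b"VER 1 MSNP8 CVR0\r\n"),       # fell back to HTTP port
    Flow("192.0.2.13", "198.51.100.2", 443, bytes([0x2A, 0x01, 0x00, 0x01, 0x00, 0x04, 0, 0, 0, 1])),
    Flow("192.0.2.14", "198.51.100.3", 21, b"YMSG\x00\x0c\x00\x00"),        # on the FTP port
    Flow("192.0.2.15", "192.0.2.1", 80, b"GET /index.html HTTP/1.1\r\n"),  # ordinary web traffic
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f.src, f.dport, "port:", detect_by_port(f), "signature:", detect_by_signature(f))
    print("hosts evading a port block:", sorted(rogue_im_hosts(SAMPLE_FLOWS)))
```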

Instead of saying no, perhaps you need to take control of your IM traffic.

IM that's safe for corporate use means an IM client with encryption, authentication and LDAP integration. Gartner estimates that there are about 30 companies offering an "enterprise-class" IM product.

In this group of products, Lotus Sametime is the most popular (Lotus claims seven million users). The product uses 128-bit encryption and integrates with LDAP servers to authenticate and automatically build the IM user names for corporate users.

Security is "the primary driver for people who purchase Sametime," notes Jeremy Dies, the advanced collaboration group's offerings manager at Lotus/IBM in Cambridge, Mass. Ryder says it chose Sametime in part because it integrated immediately with the Notes company directory. Sametime users can also talk to AOL IM users by signing in with their insecure AOL password. The Sametime chat window lets users know visually when their IM sessions are not authenticated or encrypted.

Two other business-class products that are able to talk to all of the major consumer IM services are Imici Business Messenger from Imici, part of Bodokun LLC, and the Bantu IM & Presence Platform from Bantu Inc.

Where confidentiality is imperative, you'll also need content analysis to see what people are talking about. Companies especially cautious or subject to legally vague privacy regulations are increasingly logging all IM, creating an audit trail.

For extranets or communities of business partners, cross-directory integration is also essential. "Companies have some system ID and password list, and one thing the firm doesn't want is to create another. So we've worked hard to integrate with those systems," notes Gary Reifman, product manager for the Hub IM from Communicator Inc. Over 30,000 employees and clients of a financial services consortium that includes J.P. Morgan Chase & Co. and Credit Suisse First Boston Corp. currently use Communicator for research sharing and delivery, as well as IM. Since the financial industry relies on non-repudiation, one of the community's rules is that only real names, not aliases, may be used as IM names.

Monitoring Options
Instead of blocking IM, you might choose to monitor all IM communications. IM Auditor Guardian software (FaceTime Communications Inc.) can intercept IM messages from AOL, MSN and Yahoo, among others, and record them all, as can software from Vericept Corp. and Stellar Internet Monitoring (formerly ICaughtYou LLC).

Akonix Systems' L7 intercepts what the company dubs "rogue protocols" (meaning traffic with hard-to-predict behavior such as IM and peer-to-peer) and subjects it to certain rules. IM attachments can be stripped, or IM blocked outright. Better yet, IM that's destined for someone else in the same company can simply be delivered by L7—so it never passes beyond the firewall. The company also offers a free tool, RogueAware, for diagnosing current IM use on the corporate network.

IMlog Enterprise lets companies archive all internal IM messages as well as monitor IM use by employee or department, and even exercise IM access control. Merrill Lynch (which uses IMlogic's full, enterprise IM product) has rolled out about 7,000 IMlogic clients internally, though it declined to comment on the product.

A step down from enterprise-class IM is IMpasse Systems LLC, which encrypts consumer IMs that would otherwise travel as plain text. Unfortunately, the encryption works only if the recipient is also using IMpasse. On the plus side, a two-user license is just $20.

Protection Needn't Break the Bank
Secure IM doesn't have to be expensive, either. St. Agnes Healthcare, a community teaching hospital in Baltimore, has been using software called e/pop IM, from San Diego-based WiredRed Software Corp., to link roughly 800 hospital PCs for 2,000 users. Initially it deployed IM as a one-way notification service for IT; now all PCs can send IM. IT director Larry Lawson says he chose e/pop for St. Agnes because of its security. "We have to be extra wary in healthcare," he says, noting that safeguarding privacy and patient records is paramount.

He looked at products from Lotus, Novell and Microsoft, but chose WiredRed because of its feature set and price. "With the cost of WiredRed's product, it's not something that's going to break your budget right from the get-go."

St. Agnes Tech Support Engineer Jonathan Schoemann, who installed the software, recommends that companies not simply hand e/pop to end users the way they might consumer IM software, because it includes powerful desktop remote-management capabilities. "You need someone in IS to configure the product so it's safe," he says.

The Bottom Line
If you or your employees are serious about IM and security, then you need to invest in IM software with end-to-end encryption and authentication. Don't let those instant messages inadvertently bleed corporate secrets.

[Table: Enterprise-Class IM Products]