IM: Increasing Menace

Few think of instant messaging (IM) systems when the talk is about managing data. But the sad truth is that IM has become a potentially lethal time bomb in many data centers, as managers struggle to police end-users and deal with a plethora of competing technologies.

IM, I believe, still poses a major security challenge for corporations,” says the information security director of a major U.S. airline, who asked not to be named. “Just by the breadth of the installed base, it increases a company’s attack surface substantially.”

To make matters worse, research released today by vendor Reconnex suggests that many users are blissfully unaware of the risks posed by IM. Over the past two months, according to the report, some 78 percent of companies have exposed Social Security numbers via IM and other Web-based communications. Some 38 percent of the 100 companies surveyed also exposed credit card numbers in this way, the survey says.

The airline director was not exactly surprised by these figures. “Most companies haven’t worked out how to deal with IM,” he says. “We struggled with it for about 12 to 18 months before we said, 'Right, this is the route that we are going to go.' ”

Whereas most users place their IM systems behind the same gateway devices that protect other parts of the network, the exec says the trick is securing IM with its own gateways. “IM is a beast that you have to tackle as a one-off and not collectively,” he notes.But not everyone has the IT resources of an airline. Jeff Springer, network security manager at the University of Nevada, Reno, is confronted with a hodge-podge of different IM technologies. “The problem is that we don’t have a centralized IM strategy,” he says. “There are people using Google’s Jabber-based IM, and there’s a lot of AOL IM and some MSN Instant Messenger.”

At this point, consolidating onto a single platform is out of the question. “I am not in a position to tell people that they can’t use these technologies, because of academic freedom,” says Springer.

The manager admits that, until the different IM vendors get their products to talk to each other, his centralized IM system will remain a pipe dream. But, in the interim, he is doing what he can to teach users about the security risks inherent in the technology.

”What we are trying to do is educate them in terms of what they can and can’t do with IM,” he says. “Things like not clicking on links in IM and not receiving or accepting content from people you don’t trust.”

Essentially, according to Springer, this means convincing staff to start viewing IM the way they view email.Kevin Cheek, Reconnex’s vice president of marketing, explains that lack of awareness is one of the biggest hurdles in the path of IM security. “It seems like an innocuous application, but organizations are only now realizing that trojans and worms are backpacking on top of it.”

These sentiments were echoed during a Webcast today by David Cole, Symantec’s director of product management. Increasingly, he said, IM is being used as a way to spread spyware. “Be skeptical of links sent to you in email and IM,” he said. “If it looks phishy, then it probably is.”

— James Rogers, Senior Editor, Byte and Switch

Organizations mentioned in this article: