Instant Messaging: Friend or Foe?
In the beginning
In the late 90s, with the proliferation of the Internet, people worked out that email was a useful way to communicate with other users. IRC (Internet Relay Chat) was big at the time and so were forums, but enthusiasts and business people alike needed some thing more real time. Applications with instant messaging capability were born, being able to communicate in real time to any online contacts became a useful tool. The ability to verify arability and instant thought and file transfer was even more useful. Today more than double the amount of instant messages are sent with comparison to email. Some organisations use instant messaging as their primary communication mechanism.
IM as a business tool can be quite effective, but any tool can be abused, especially if unmanaged. The best way to manage any communication is to ensure that communication is directed through a central point, like a gateway. Vendors have worked this out and have built clients that are gateway aware and that function as both internal and external IM solutions.
The ideal situation would be an endpoint that is fully protected even if the endpoint (in the form of a laptop or mobile device) leaves the sanctuary of the corporate network. If the endpoint has the correct level of protection, like Host Intrusion Prevention System (HIPS) bundled with a personal firewall and malware detection, then it is likely that the endpoint is more secure.
Today social contact over an electronic medium is common and some companies encourage this culture, web 2.0 and 3.0 have applications that make this possible and clients are becoming less necessary. In most cases only a browser is necessary, true cloud computing is now possible, making connections to friends, family and colleagues over the internet trivial.
Sharing of files, links, content and other media is possible spanning access to large groups in seconds.
What are the threats?
Recently there have been many Instant Messaging vulnerabilities. Antivirus vendors are realising that worms, viruses and other malware can spread through IM and are building new defences that reduce the risk.
Essentially multiple networks can be interconnected by the incorrect use of IM and for this reason a structured defence mechanism is mandatory. If your users use IM, then a gateway defence solution is required. The endpoint is where the files are downloaded to and this is an additional threat. Antivirus vendors now have solutions that scan the IM client's downloads.
Links transferred by the use of IM are an additional risk, the use of application firewalls on the corporate LAN can reduce the risk, but a bigger problem is presented when users take their corporate machines offsite. On unprotected networks application layer firewalls are absent at the perimeter meaning that communication is less secure, for this reason the endpoint requires a host based firewall solution that has scanning capability.
Other hosts on the same unprotected LAN often share the connections; these machines are typically less secure and more vulnerable to attack and in some cases are infected with unknown malware. This malware can spread to any device that is present on the remote LAN. Moreover file sharing is typical on these remote networks especially over IM as the user is travel mode, meaning normal access to resources is limited again this will present an additional vulnerability.
Malware typically hijacks the machines resources and attempts to use ordinary ports to deliver the payload, only application layer firewalls on the network as a gateway or on the host as a host firewall have the capability to mitigate this risk. Some IM software tunnel over encrypted ports like 443 challenging session layer firewalls as Session Layer firewalls have limited scanning capability on encrypted ports. This door is often wide open and infections often originate through un-scanned file transfer.
Buffer overflows are common in the IM world; this can result in malicious ports being opened that enables the use of unauthorised applications and communications over the newly opened ports. Also it is common for the malicious software to corrupt or disable the defence solution so that it can operate undetected.
In some organisations where the policy is not to allow Instant Messaging communications, some users have found a way around the firewall technical control by using HTTPS based websites. These websites effectively bypass the scanning and grant access to these users. The problem is that some of these websites capture the data and credentials for spying deliberately.
What are the risks?
Viruses, Malware, Spyware, denial of service, remote control, unauthorised monitoring, data leakage, unauthorised data flow, disclosure of confidential company information, productivity loss, remote access, remote control.
Because IM does not yet consider authentication mechanisms like two factor authentication, impersonation and unauthorised access is a strong possibility.
Some worms spread using links that are sent to your entire contact list like ([email protected]), it then installs browser plug-in and then the fun begins. Certain worms patch files and when these systems files are executed. a unique trojanware is downloaded. Backdoors and encrypted tunnels to internet based servers are all common.
Some worms are so volatile and aggressive that in seven seconds Symantec reported that over 500,000 machines were infected and Zombified.
Threats like man in the middle, password theft, information disclosure, data leakage and many more similar threats are all possible and create a significant risk to any business and or individual.
When organisations consider using IM as a business tool, often confidentially of transmitted data is a concern, unlike email where by all traffic is plain text unless encryption retrofitting is performed. IM has native encryption available to most platforms, but it is not the default.
Encryption is often not implemented because little is known about it, and the barriers to a successful implementation are many. So what is the answer? When selecting an IM solution choose one that has encryption built-in.
Inter network connections are possible, some IM clients have the capability of network linking whereby bridges are created between networks when both IM clients are online. This is done so that the users are able to play games or for peer to peer file transfer to be quicker and more direct. In most cases other network traffic also traverses these virtual links. In one case that I investigated, more than seven networks had been connected by a group of gamers. Some of these corporate LANs were utility companies and other financial and legal organisations.
It is surprising the number of clients that are capable of this network sharing and interconnection over https and other common open ports. Some of these clients are used for support whilst other clients are used for personal chat.
What are the benefits?
Low communication costs.
Quicker turn around.
Instant file sharing.
Is there a balance?
With an enforceable security policy and adequate technical controls it is possible to achieve balance. The implementation of application layer firewalls with fifth generation scanning capabilities will better secure your network. Corporate IM servers that scan and manage connections outbound acting like a proxy can provide for greater management and control over the wave clients being used. A strong security policy that can be enforced and implemented by use of network and endpoint technical controls is a must. User education and awareness is key and a consistent and structured approach will ensure a happy medium.