Instant messaging is a tool most teenagers would say they’d have a hard time living without. In theory, conducting a conversation via computers in real-time means no one can eavesdrop on what is being said. But for corporations, these chats can be a productivity-killer and a silent threat lurking
on the network.
“”It’s happening all over the place and the IT guys don’t even know about it,”” says Nick Galletto, partner and expert with Deloitte & Touche‘s secure e-business practice.
According to Framingham, Mass-based IDC (U.S.), IM will reach over 180 million corporate users by 2004 and Gartner predicts that by 2005 IM will be integrated into 50 per cent of business applications. For example, two years ago the US navy implemented a system called “”Collaboration at Sea,”” using Lotus Domino and Sametime for mobile command forces, ships at sea and shore-based command centres. Anyone on a US Navy ship at sea anywhere in the world can be aware of anyone on line on any other ship at sea.
But it isn’t corporate-sanctioned IM that’s seen as problematic says Warren Shiau, software analyst with Toronto-based IDC. He says companies risk losing a certain degree of control when it comes to rogue IM travelling across the network.
“”ICQ or AIM (AOL’s instant messenger system) exist outside internal messaging applications and what people use them for is not work-related — it’s just talking to friends. But the question is, how do companies keep track of it?”” says Shiau. “”There are security issues there. Chatting to friends isn’t illegal, but passing information to someone could be.””
When workers download and install IM applications to their desktops without the IT department knowing about it, Shiau says they could also be unknowingly inviting security threats such as viruses.
The concern is that IM can bypass anti-virus defence systems and firewalls. While an anti-virus software package will scan e-mail before it comes in, it won’t recognize IM. There’s also the issue of continuous chat room conversations eating up bandwidth on the network.
Galletto says that when Deloitte conducts network security reviews for their clients, IM is something that is highlighted as a potential threat. One way to address the problem, he says, is to make sure individuals are aware of the implications of using IM, then take steps to put controls in place to monitor or eliminate use.
“”Most organizations today are still blind-sided by it. Some of them think it’s just in small pockets, and when they start digging a little deeper it’s 10-fold and proliferating throughout, which is pretty scary when you think about it. If you start engaging in large file transfers there is the risk of downloading malicious code,”” says Galletto.
In most cases, all the information is transmitted in plain text, making it possible for someone to read what is being typed as it travels over the network. There’s also an authentication issue: in some cases when a user logs on the information is not encrypted.
“”A lot of these IM software packages can go into remote control mode. So someone from the outside can use it to take over your system and then use it as a gateway into internal systems,”” says Galletto.
One way to pick up on IM use is through the use of a network intrusion detection system, but Galletto says it must be told to specifically look for the actual protocol each application uses. For example, with AOL’s AIM service, it would have to look for and block the AOL protocol.
Users should also make sure what is being typed can be encrypted.
“”If you’re going to be using something like this, make sure the system encrypts your user ID and password, then limit it to internal use only,”” he said.