Once viewed as only a casual chatting tool for students and home users, instant messaging (IM) is now quickly making its case as a popular business communication tool. An International Data Center (IDC) study predicts that the number of corporate users of IM software will reach 350 million in 2005.[1] More and more corporate users are installing free IM software on their desktops to chat with their friends and colleagues, often without the knowledge (let alone the authorization) of the organization’s IT or security departments. While IM is considered by some as a powerful business communication means, uncontrolled IM deployment in the enterprise raises a number of security and productivity concerns, which are presented in this article.
Instant Messaging Primer
The first large-scale IM network was Internet Relay Chat (IRC), which has been online since 1988. Mirabilis’s ICQ followed in 1996. While IRC and ICQ still have a large user base, they have been superseded by the IM systems developed by Yahoo!, Microsoft and AOL (ICQ was acquired by AOL in 1998).
All major IM systems work on the same client-server model (Figure 1). The user downloads and installs the client software, and signs up for the instant messaging service. The user is then given a personal ID in the form of a name or number. The user then authenticates from the client software to the IM vendor’s server farm by entering his/her ID and password.
Once connected, the user can add friends’ IDs to the friends list, and start exchanging messages in real-time with them. The friends list shows which users are currently online and available. Messages exchanged between users are usually routed through the IM server farm. However, IM programs also contain peer-to-peer features, allowing direct communication between users, most notably for file transfers.
The fierce competition between the three tenors of the IM market has led to new features in IM software, such as avatars, profile pages, audio and video conferencing, online gaming, conference chat and public chat rooms. Also, IM client programs have been adapted to run on wireless devices, such as PDAs and cellular phones.
An important characteristic of IM is that the major networks are not interoperable: two users can communicate only if they are using the same IM service. Unlike e-mail, which relies on a single standard protocol (SMTP) to connect everyone worldwide, the lack of interoperability in IM can make it difficult for an enterprise to choose an IM solution that will satisfy all of its users.
What Are the Risks Related to Instant Messaging?
Loss of Productivity
The widespread use of IM as a chatting tool for home users raises the concern that employees using IM at the office might spend too much time chatting instead of doing their work, resulting in loss of productivity. Features such as online gaming, introduced in the latest versions of MSN Messenger, further raise this concern. However, IM advocates argue that instant messaging accelerates the collaborative work with coworkers and business partners, resulting in increased productivity.
Circumvention of Corporate Policies and Controls
The protocols used by IM systems are often considered rogue, because they are specifically designed to evade standard security controls. Not only can IM software be configured to connect through a SOCKS or web proxy server, but the protocol is also capable of finding its way out of the enterprise firewall on its own by looking for an open port, such as tcp/80, and by tunnelling its traffic in HTTP requests, making it indistinguishable from standard web traffic. The companies most concerned with uncontrolled use of IM are those that have a regulatory requirement to archive employee communications with external parties. In the US, this applies notably to companies subject to HIPAA and SEC regulations.
However, any company is exposed to potential damage if it does not control the use of IM. The scripting and file transfer capabilities of IM systems expose the enterprise to malware, inappropriate content and leakage of sensitive information.
Although no major malware outbreak has yet occurred over an IM network, the possibility of that happening has been demonstrated by a number of viral events in the recent past, the most noteworthy being the GONE.SCR worm of December 2001, which used IRC and ICQ as spreading vectors. A search in online virus databases shows that malware currently targets IRC more than other IM systems. Extended scripting capabilities and a more “underground cachet” explain this, but the popularity of AOL Instant Messenger, MSN Messenger and Yahoo! Messenger may appeal to more malware writers in the future.
Public IM systems also expose the company to the risk of losing sensitive information. A message sent by an employee to a colleague working on the same floor transits unencrypted through the Internet and the provider’s server farm. As a result, the message is vulnerable to eavesdropping.
An even more serious concern is the weak, MD5-based authentication mechanisms on which public IM systems rely, which leave them vulnerable to brute-force and man-in-the-middle attacks. An MD5 brute-force attack tool available on the Internet claims that it can crack most eight-character passwords in less than a week. Therefore, a risk exists that sensitive information could be disclosed to someone impersonating a trusted correspondent. The security of the authentication schemes has been improved in the latest versions of most IM platforms, but the older, weaker versions of the protocols are still supported.
Loss of Corporate Image
On a corporate e-mail system, employees have consistent e-mail addresses, typically in the form of email@example.com. Most public IM networks let the user choose the identifier. Employees might then use nicknames such as coolguy853 or redheadbarbie for corporate IM communications, which is unlikely to comply with the company’s quality standards.
Furthermore, an employee’s identifier is associated with the public IM provider rather than with the company for which he/she works. On MSN Messenger, the identifier is actually a complete Hotmail address. IM providers also provide a web space for each registered ID, allowing the owner to publish personal information about himself, such as his “ASL” (age, sex, location), a list of hobbies and interests, favorite Internet links and even a picture. For instance, each Yahoo! ID has a “profile page” accessible at http://profiles.yahoo.com/ID. If an employee uses Yahoo! Messenger for business purposes, the company may worry about the image projected on the profile page.
Can Instant Messaging Serve a Useful Purpose in a Corporate Context?
It is safe to say that IM can facilitate communication between employees and business partners. Real-time text messaging provides an efficient way to quickly send short messages, and the presence indicator shows who is available and who is not. Online users can even specify their current availability status (e.g., “out to lunch,” “in a meeting”). Users working remotely can report themselves as present and can be reached easily.
When voice or video is not particularly necessary, IM can also be used as an efficient, low-cost, text conferencing solution, easier to set up than a phone or video conference call. The latest versions of IM programs even support multimedia, but not yet with business-class quality.
Addressing the Risks
As with any security issue, the risks related to IM must first be addressed in the corporate security policies. An IM policy should clearly state whether the use of IM is accepted in the company and, if it is, what the restrictions are. It should cover the basic functionalities of IM systems, such as the presence indicator, real-time text messaging and file transfers. The IM policy should not be specific to one technology or another. Its contents should be applicable to, but not restricted to, all of the popular IM networks (IRC, ICQ, AOL, Microsoft and Yahoo!).
Other programs may include IM functionalities. This is the case for the popular peer-to-peer file sharing tools, such as Gnutella and KaZaa. While these programs are beyond the scope of this article, it should be noted that they share some common characteristics with IM programs. The architecture of peer-to-peer networks, however, is very different from that of IM networks, and their use as a business tool is more questionable than IM.
If the use of IM is forbidden, it should be reflected in the company’s security policies. In order to remain independent from existing and future technologies, the policies should specify that the use of any communications system that is not endorsed by the company is not permitted.
Blocking Public Instant Messaging
Because of their rogue nature, blocking IM protocols at the perimeter firewall is not easy. Most users quickly learn how to configure their IM client software to slip past the security systems. A simple search on the web can provide a user with a list of hundreds of open proxies available on the Internet, which can be used to tunnel the IM traffic.
A somewhat more effective method is to filter IM access based on destination domain names, instead of IP addresses or port numbers. As of December 2003, the following domain names can be used to block access to the major IM platforms:[2]
- AOL Instant Messenger: login.oscar.aol.com (on all ports)
- ICQ: login.icq.com (on all ports)
- MSN Messenger: *.msgr.hotmail.com (on all ports)
- Yahoo! Messenger: *.msg.*.yahoo.com (on all ports)
Even then, these filters should not be expected to be 100 percent effective. Detection of IM should be considered in addition to preventive controls. This can be achieved through the use of network intrusion detection systems or traffic shaping devices. Intrusion detection systems may even be used to log the contents of a conversation. A regular search of workstations for unauthorized programs can also mitigate the risk of uncontrolled IM proliferation.
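The domain-based filter listed above, together with the HTTP tunnelling described under “Circumvention of Corporate Policies and Controls”, as an added example that is not part of the original article: a short Python script applies the four domain patterns to web-proxy log lines and reports which internal clients reached an IM login host, including logins that arrive as ordinary GET/POST requests on tcp/80 rather than as CONNECT tunnels. The log format (a simplified Squid-style line), the client addresses and the hostnames under the wildcard patterns are constructed for this example and are not claimed to be real IM servers.

```python
"""Added example, not from the article: apply the article's domain-based IM
block list to web-proxy log lines and report which clients reach IM login hosts.

Assumptions (not from the article): a simplified Squid-style access log with
the fields '<timestamp> <client-ip> <method> <target> <status>'. The sample
lines below are constructed; the hostnames under the wildcards are invented
to fit the patterns and are not claimed to be real IM servers.
"""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Domain patterns from the article (as of December 2003). The article blocks
# them on all ports, so the port number is deliberately not part of the rule.
IM_BLOCK_PATTERNS = {
    "AOL Instant Messenger": ["login.oscar.aol.com"],
    "ICQ": ["login.icq.com"],
    "MSN Messenger": ["*.msgr.hotmail.com"],
    "Yahoo! Messenger": ["*.msg.*.yahoo.com"],
}

# Constructed proxy log: two clients using IM over CONNECT and over plain
# HTTP on tcp/80, and one client doing ordinary web browsing.
SAMPLE_PROXY_LOG = [
    "1070000000.123 10.0.0.15 CONNECT login.oscar.aol.com:5190 200",
    "1070000001.456 10.0.0.15 GET http://gw1.msgr.hotmail.com/gateway.dll?Action=open 200",
    "1070000002.789 10.0.0.22 GET http://www.example.com/index.html 200",
    "1070000003.012 10.0.0.31 POST http://cs1.msg.sc5.yahoo.com/notify 200",
    "1070000004.345 10.0.0.22 CONNECT mail.example.com:443 200",
    "1070000005.678 10.0.0.31 GET http://login.icq.com/ 200",
]


def match_im_service(host):
    """Return the IM service whose block pattern matches host, else None.

    fnmatchcase gives firewall-style wildcard semantics: '*' matches any run
    of characters, so '*.msg.*.yahoo.com' matches 'cs1.msg.sc5.yahoo.com'.
    Matching is case-insensitive and ignores a trailing dot (FQDN form).
    """
    host = host.lower().rstrip(".")
    for service, patterns in IM_BLOCK_PATTERNS.items():
        if any(fnmatchcase(host, pat) for pat in patterns):
            return service
    return None


def host_from_request(method, target):
    """Extract the destination host from a proxy request.

    CONNECT targets are 'host:port'; other methods carry an absolute URL.
    """
    if method == "CONNECT":
        return target.rsplit(":", 1)[0]
    return urlsplit(target).hostname or ""


def parse_log_line(line):
    """Split one constructed log line into its five fields."""
    timestamp, client, method, target, status = line.split()
    return {"timestamp": timestamp, "client": client, "method": method,
            "target": target, "status": status}


def audit_log(lines):
    """Return (client, service, method, host) for every request to an IM host.

    The method is kept so the report shows IM logins that were tunnelled as
    ordinary GET/POST requests rather than as CONNECT tunnels.
    """
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        host = host_from_request(rec["method"], rec["target"])
        service = match_im_service(host)
        if service is not None:
            hits.append((rec["client"], service, rec["method"], host))
    return hits


def clients_using_im(lines):
    """Map each client address to the set of IM services it reached."""
    summary = {}
    for client, service, _method, _host in audit_log(lines):
        summary.setdefault(client, set()).add(service)
    return summary


if __name__ == "__main__":
    for client, service, method, host in audit_log(SAMPLE_PROXY_LOG):
        print(f"{client:<12} {service:<22} {method:<8} {host}")
    print(clients_using_im(SAMPLE_PROXY_LOG))
```

Matching on names rather than addresses means the rule survives changes to the providers’ IP ranges, but, as the article notes, it is not 100 percent effective: a client that connects through an open proxy elsewhere on the Internet, or directly to an IP address, never presents these names to the corporate proxy. The report is therefore a detection aid that complements, rather than replaces, network intrusion detection and workstation audits.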
Implementing a Corporate Instant Messaging Solution
The growing market of corporate IM has drawn several vendors to develop solutions adapted to the enterprise. AOL, Microsoft and Yahoo! have all developed business editions of their IM programs. Other solutions include Lotus Sametime, Novell Groupwise, Jabber and Reuters Messaging. Jabber is a solution that, unlike the closed, proprietary solutions, promotes the use of a standard protocol for IM. The Jabber project promotes the standardization of an open protocol called XMPP (eXtensible Messaging and Presence Protocol). XMPP currently exists as Internet drafts at the IETF.[3] Reuters also promotes interoperability with their MSN-based IM solution, with agreements already signed with Lotus, Microsoft and AOL.[4] Corporate IM solutions include several benefits:
- Use of IDs associated with the company
- Centralized control and logging capabilities
- Server located inside the company
An internal IM server has the advantage of keeping communications between employees inside the company. The server also acts as a gateway for IM communications with the outside world.
The main drawback to corporate IM is that the solutions are not free of charge, with the exception of some IRC and Jabber implementations, which are currently not the IM solutions preferred by most users.
This brings us to an important criterion to consider when choosing a corporate solution: what public IM systems are currently used by employees? All it takes is two incompatible public programs on the network to jeopardize the corporate IM project. If the chosen product is incompatible with the program of choice of some users, they might be tempted to stick to the unauthorized tool, because switching to a different IM system would require all of their “friends” to switch.
This is why the deployment of a corporate IM solution should not mask the need to control the use of public IM programs. Specialized gateway products exist, such as Akonix L7 and BlueCoat ProxySG, which provide better control over IM traffic than generic firewalls and proxy servers and include extensive logging features. However, these products are still relatively new and have yet to stand the test of time. IM protocols evolve quickly, and the gateways will become useless if their vendors cannot keep up with the pace.
Instant messaging has found its way to the enterprise, often without any control by the IT or security departments. While the technology itself can effectively improve business communications, the uncontrolled proliferation of public IM solutions might expose organizations to serious security risks, which must be addressed in a responsible manner. Completely denying the use of IM is not necessarily the best approach, nor is it always feasible. Organizations should thus consider deploying an enterprise-class solution, compliant with corporate security policies and adapted to employees’ needs. Forced into dealing with instant messaging as a security issue, an organization might just find itself with an efficient business communication tool and improved productivity.
[2] “Instant Headache,” http://infosecuritymag.techtarget.com/2002/aug/cover.shtml
[3] Jabber and the XMPP working group, www.jabber.org and www.ietf.org/html.charters/xmpp-charter.html
[4] Reuters Messaging, http://about.reuters.com/productinfo/messaging/
Christophe Hug-Heuveneers, CISSP is a consultant in IT security who has been providing integrated security solutions to large organizations in France and Canada since 1997. He is currently a senior consultant for AGTI Services Conseils Inc., a Montreal-based IT consulting firm (www.agti.ca).
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by ISACA®, Inc. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA® and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.
© Copyright 2005 by ISACA® Inc., formerly the EDP Auditors Association. All rights reserved. ISCA™ Information Systems Control Association™
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA® Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.
INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 1, 2005