IM Security: A Balancing Act

by Rajendra Chaudhary    Jun 26, 2006

In the light of all that’s being said and written about Instant Messaging (IM), it’s not really difficult to gauge that IM is fast becoming the medium of choice for real-time communication across the globe. It is not just the average Internet addict who is using it; even corporate users are beginning to view IM as an important business collaboration tool and are using it extensively.

An IDC study has indicated that the total number of enterprise users of IM will grow to more than 140 million by 2009 and the worldwide IM market will reach an estimated $736 million by the same time. Several other surveys have also predicted a booming future for IM and have endorsed it as one of the fastest growing communication media of all time.

However, despite its growing popularity, most corporate IM usage is unmonitored and unprotected. Given the mechanics of IM, infection of one computer can result in rapid proliferation of viruses, worms and spyware within corporate environments.

Peter Firstbrook, Research Director - Information Security and Privacy research group, Gartner, said that a survey of several IT security professionals found that 77% of the respondents were fully aware of the security risks associated with IM, and yet only 22% of them had implemented a solution to secure their IM communication.

This apathy among enterprises is encouraging attackers to go after IM. According to a recent Symantec Internet Security Threat Report, more than 2,400 unique IM and peer-to-peer (P2P) threats were identified in 2005, a whopping 1700% increase from the previous year.

Firstbrook believes that a major virus outbreak or a series of nasty attacks could just be the wake-up call for the enterprise community to secure their IM systems.

Keeping a check on IM communication is more complicated, and in many ways more difficult, than doing so for regular email. Explaining the complexities associated with IM security, Firstbrook said, “Because you control the gateway (MTA) for email and the mailbox, all traffic passes through the corporate infrastructure and hence can be monitored. IM however is very slippery and can port hop, so you have to do protocol analysis to catch it on the outbound.”

“Also if users set up simple proxy servers in their home, they can proxy IM traffic making URL or IP filtering ineffective. Besides, unlike email which is standard SMTP, IM protocols and formats are proprietary and keep changing rapidly and in order to secure IM you have to keep up with all the changes in the public networks,” added Firstbrook.

Some suggest that one way to prevent IM security threats is to completely block IM usage. However, the idea hasn’t found many takers. Preventing the use of instant messaging is very difficult, and a simple port-blocking firewall cannot be effective because clients can use common destination ports such as HTTP port 80 and FTP port 21.

“Locking the IM out of the enterprise network is not a practical idea and one that is not likely to succeed. Besides, clients can easily devise work-arounds and bypass the corporate network by auto-configuring their computers to other ports if they are not allowed to communicate over the default port,” said Marcus Loh, Regional Business Manager - enterprise message management, Asia South, Symantec.
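The difference between port blocking and the outbound protocol analysis Firstbrook describes can be shown with a short sketch, added here as an illustration and not taken from the article or from any vendor's product. It assumes the publicly documented opening bytes and default ports of three public IM protocols of the period (MSNP, YMSG, OSCAR), none of which the article names; the flows and function names are constructed for the example.

```python
"""Constructed example: identify IM traffic from payload bytes, not destination port."""
import re

# Naive firewall rule: block the default ports of MSN, Yahoo! and AIM.
DEFAULT_IM_PORTS = {1863, 5050, 5190}
MSNP_HANDSHAKE = re.compile(rb"^VER \d+ MSNP\d+")

def identify_im(payload: bytes):
    """Return the IM protocol recognised in a flow's first bytes, or None."""
    if MSNP_HANDSHAKE.match(payload):      # MSN: text "VER <id> MSNP<n> ..."
        return "MSNP"
    if payload.startswith(b"YMSG"):        # Yahoo!: 4-byte magic
        return "YMSG"
    # AIM/ICQ OSCAR: FLAP frame = 0x2A, channel 1-5, 2-byte seq, 2-byte length.
    if len(payload) >= 6 and payload[0] == 0x2A and 1 <= payload[1] <= 5:
        if int.from_bytes(payload[4:6], "big") <= len(payload) - 6:
            return "OSCAR"
    return None

def missed_by_port_rule(flows):
    """List (dport, protocol) for IM flows that a default-port block lets through."""
    missed = []
    for dport, payload in flows:
        proto = identify_im(payload)
        if proto and dport not in DEFAULT_IM_PORTS:
            missed.append((dport, proto))
    return missed

# Constructed sample: (destination port, first client payload) per outbound flow.
SAMPLE_FLOWS = [
    (1863, b"VER 1 MSNP8 CVR0\r\n"),                        # MSN on its default port
    (80,   b"VER 1 MSNP8 CVR0\r\n"),                        # same handshake moved to 80
    (21,   b"YMSG\x00\x0c\x00\x00\x00\x00\x00\x4c\x00\x00\x00\x00\x00\x00\x00\x00"),
    (80,   b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01"),    # OSCAR sign-on frame
    (80,   b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),  # real web traffic
]

if __name__ == "__main__":
    for dport, proto in missed_by_port_rule(SAMPLE_FLOWS):
        print(f"port {dport}: {proto} traffic not caught by port blocking")
```

Signatures like these have to be updated whenever the public networks change their protocols, which is the upkeep Firstbrook points to.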

Firstbrook advised enterprises to keep IM security threats in context and balance them against the productivity benefits of IM.

“Employees report benefiting from faster decisions, higher productivity and lower telecommunications costs when they use IM. However, organizations must plan for and build a strategy for IM management and security, much like they have for e-mail,” concluded Firstbrook.