
The Risks of IM in the Workplace

By Carlos Valiente, Jr., CISSP, CISA, CISM

Introduction


Instant Messaging (IM), the popular collaborative business tool for instant electronic communication, brings with it serious security exposures that organizations need to address in order to avoid potential financial liability and the risk of public embarrassment. Originally created in the late 1980s as Internet Relay Chat (IRC), Instant Messaging technologies began to evolve in the mid to late 90s and have rapidly become a highly popular method for communicating across global networks. Instant Messaging has also become a supplement to, and in some cases a replacement for, e-mail. It allows users to communicate instantaneously with friends, coworkers and business partners. A major anti-virus company reported that the e-mail Sasser worm attack took only 14 minutes to compromise 95 percent of all vulnerable computers around the world; as an index of its speed, consider that Instant Messaging worms could infect all IM-using computers in under 14 seconds.

A computer industry study projects that IM services will be employed in 70 to 80 percent of enterprises, and that those services will most frequently be self-installed by individual users for interpersonal communications. Users install public, non-standard IM technologies primarily to establish communications with friends, business colleagues, clients, vendors, and loved ones. IM use may also be driven by the desire to use new functions or features, such as voice chat (net phone) and webcam (video phone), that have evolved in these technologies. But, regardless of the reason for their use, the widespread use of these technologies on corporate systems represents a growing risk today. In past studies, assessments of Instant Messaging capabilities have ranged from those that categorized it as a complete waste of resources and a productivity-lowering waste of time to those that envision it as a critical application for workplace connectivity.

While the truth may lie somewhere between these extremes, it is safe to assume that IM has made a significant impact on the way we work, the way we communicate, and the way we collaborate. While concern for the risks posed by IM technologies may lead businesses to consider eliminating public IM services from their corporate networks, consideration must also be given to the personal and business reasons why users continue to use these services.

2006 Technical Enterprises, Inc. Reproduction of this document without permission is prohibited.

THE ISSA JOURNAL January 2006

Risk #1: Bypassing of Firewall Restricted Ports

Corporate Web users with the requisite technical capabilities can reconfigure their IM application to route traffic through external proxy servers (many of which are free on the Internet) and can bypass corporate firewalls by using non-restricted ports (e.g., those used for standard Web, SSL or other legitimate business access) for activity initiated from within the internal network.

Risk #2: Legal and Copyright Liabilities

After several high-profile lawsuits with multi-million dollar settlements that revolved around the contents of corporate communications, companies should be aware that simply by using IM they are exposing themselves to an additional potential source of legal liability. It is imperative that organizations develop a comprehensive IM content policy that includes a list of instant messaging risks, to make users aware of the potential harmful effects of their actions: if you don't want it posted on an Internet bulletin board, then don't hit the send button. The policy should expressly state that the IM system is not to be used for the creation or distribution of any offensive or disruptive messages, including messages containing offensive comments about race, gender, age, sexual orientation, pornography, religious or political beliefs, national origin or disability. Furthermore, it should mention that employees should not use IM to discuss competitors, potential acquisitions or mergers, or to give their opinion about another firm. If you are going to monitor the content of your employees' instant messages, you must mention this in your IM policy (in most countries/states you are allowed to monitor your employees' e-mails if your employees are made aware of this).

In addition, IM applications enable the downloading and exchange of files; these files may contain copyrighted materials (e.g., music, video, software), and may even include offensive materials that, if shared with clients or other external users, could expose your organization to potential harassment lawsuits and public embarrassment. Sharing copyrighted files or unlicensed software could also result in legal liability. Each organization needs to take the appropriate steps to ensure that its confidential information is safeguarded from external exposure and that its organizational culture supports staff awareness of what it considers acceptable business practices.

Risk #3: Bypassing Anti-Virus Gateways

Most organizations implement anti-virus (AV) gateways as a preventive measure to avoid virus infestations; however, unlike e-mail viruses, IM applications can bypass these gateways because they communicate directly with the desktop, and infected files riding on IM can slip past the AV scanners. Unless the desktops have active scanning and updated signatures, IM can easily introduce viruses, worms and Trojans to the network. In addition, if remote workstations don't run the firm's supported operating systems, it is unlikely that there is adequate AV in place or that the vendor is contracted to provide regular updates. Desktop anti-virus is currently the last line of defence against such malicious code.

Examples of attacks:

W32.Choke Worm: This worm uses the MSN Messenger Service program to replicate; it is the second worm that is known to do so. The worm itself does nothing more than replicate, and if it is executed on a computer that does not have MSNMS installed, it simply remains resident in memory without replicating.

W95.SoFunny.Worm@m: A password-stealing Trojan horse that has worm capabilities, targets AOL IM users and is distributed as Sofunny.exe or Love.exe.

W32.Goner.A@mm Worm: A mass-mailing worm that is written in Visual Basic and spreads using the ICQ IM.

W32.Led: A mass-mailing worm that propagates itself through Microsoft Messenger.

W32.HLLP.VB.14336.C: A worm which spreads using MSN Messenger under the file name Black Hat.exe. The worm appears to originate from Sweden, and the only thing it does is attempt to spread using MSN Messenger.

W32.Kelvir.BA: A worm that attempts to spread W32.Spybot.OFN to all MSN Messenger contacts on the compromised computer through MSN Messenger. This network-aware worm has distributed denial of service and back door capabilities.

Backdoor.Doyorg: A back door Trojan which allows unauthorized remote access. The Trojan may arrive via an instant message received in AOL Instant Messenger (AIM).

Risk #4: Unencrypted Communications

Most Instant Messaging applications don't encrypt messages as they travel from client to server and on to other clients. While some non-standard IM applications protect the authentication credentials, few protect the session. As a result, eavesdroppers can read the transmitted information, which can have serious consequences if proprietary or other confidential data is transmitted. Security controls that require authentication credentials and log session data are critical to mitigating those risks. Another concern with unencrypted sessions is the issue of identity theft. Because IM sessions can be started while impersonating other buddies, there is no assurance that the IM sender is who he purports to be, and there is a very real risk that recipients of such messages might be duped into unknowingly revealing personal or private information.

Risk #5: Hyperlink Security Lapses and Phishing

Instant messages may contain hyperlinks for free offers, phishing attacks and other downloads that, when clicked, provide a way for viruses to enter the corporate network. Instant message attachments cannot be easily scanned with common virus software prior to execution. In addition, viruses can be disguised as other formatted files (e.g., music or pictures) that, once downloaded, can wreak havoc on your network. Furthermore, IM text, including potentially confidential information, can be readily viewed over the Internet.

Risk #6: Social Engineering

Instant Messaging services are also a great conduit for social engineering attacks. These attacks, whose objective is to trick people into divulging information that can be used to break normal security procedures, can take the form of persuading victims to download and execute malicious software that allows entry into the network, turns the victim's machine into a zombie attack platform for launching denial-of-service attacks, or establishes back-door network tunnels that bypass firewalls and other filtering devices. Once an unsuspecting user executes the malicious software, their system is co-opted by the perpetrator for use as an agent resident on the trusted side of the network.

Risk #7: Harassment and Inappropriate Use

The use of IM to transmit messages containing inappropriate language, adult content, or harassing materials between one or more IM users can give rise to legal liability for the company whose resources are used; organizations can be held liable for failing to implement appropriate controls or accused of fostering a hostile working environment.

Risk #8: Consumption of Bandwidth

A common appeal of IM technologies is the access they provide to corporate bandwidth for resource-intensive downloads. Large-format file downloads congest the network, often at the expense of more important business and customer-related traffic. Poorly configured instant messaging applications may even conflict with the operation of other programs, resulting in unnecessary support calls and even overall network disruption.

Risk #9: Advertised Network Address

When Instant Messaging users engage in file transfers, voice chat, or file sharing (as opposed to regular IM text chat), the user's network address is revealed due to the technical design of the underlying communication protocols and becomes an externally published Internet address. When IM users engage in IM services other than text chat, the IM systems are designed to utilize a peer-to-peer connection in order to reduce traffic across the IM relay servers and make network file transfers more efficient. While efficient in managing file transfers, this design feature creates a significant security concern because employees working remotely from home, possibly on networks without firewalls or hardware filtering devices, cannot be afforded the same protection as is provided within the confines of their corporate network.

Addressing the Risks with Industry Best Practices

There are a number of measures which your organization can take to control the risks that IM applications create:

1. Develop and enforce strong security policies and standards.

2. Employment agreements that establish a strong code of conduct should be considered; such agreements prohibit personal, illegal use of Internet access, including the use of unauthorized non-standard applications.

3. Instant Messaging applications make it essential that the organization implement a strong anti-virus program that constantly searches users' personal disks for known viruses and Trojans.

4. Assess the potential enterprise liability that could result from storage or transmission of illegal information using company resources and develop a security and risk management plan for intrusions carried out by Instant Messaging applications.

5. Analyze and document each port and service opened outbound from your organization's firewall gateway. Doing so will enable you to analyze each potential risk. Ensure that both your inbound and outbound firewall policies are clearly documented and examined periodically to deter unauthorized outbound traffic.

6. Consider installing such tools as protocol analyzers and sniffers to review network traffic, detect bottlenecks, and identify any network users who may have reconfigured their IM applications to circumvent controls designed to block unauthorized traffic.

7. Identify hosts and servers that broker IM applications and block access to them from within your organization in order to reduce the likelihood that they will open back doors into your networks.

8. Companies that opt to control bandwidth availability to discourage the use of IM services should be aware that doing so does not resolve the network security risks associated with them. However, limiting bandwidth to balance the load at egress points, and combining those measures with other security controls, can discourage users (by requiring them to wait for hours for a file download) and lead to a mitigation of the risk. Enterprises allowing outbound initiation of IM applications should monitor their bandwidth 24x7 to identify traffic that would otherwise impact critical business processes.

9. Make users aware of social engineering techniques that potentially occur as a result of establishing IM sessions with unknown users (or impostors).

10. Never send sensitive information over IM unless the application has the capability to encrypt messages using a minimum of 128-bit encryption (both authentication and session data packets).

11. Promote and enforce good password construction; this is essential in safeguarding IM sessions. All users should be aware of the ease with which passwords can be discovered or cracked and choose passwords that cannot easily be guessed. The user should adopt a password naming structure that they can easily remember, without the need to write the password down.

12. Some IM applications allow senders to hide their IP address from the recipient. If possible, users should utilize this feature within their application. Beware that when performing file sharing/transfer functions in IM, it is possible to reveal your computer's IP address to the sender. If that person is malicious, he/she might attempt to use that information to perform a denial-of-service attack against your host PC if the IM application does not have the ability to hide the IP address or the PC is not using a personal firewall.

13. Ensure that files that are transferred (inbound and outbound) using IM are scanned using firm-installed anti-virus software. Do not alter the anti-virus software configuration settings on your desktop or laptop.

14. When communicating with clients over IM, users should be aware of their company's contractual obligations to their client regarding data retention and destruction, and ensure that processes are put in place to ensure compliance.

15. Include in the policy provisions prohibiting the distribution of copyrighted materials (e.g., music MP3s, photos, software, etc.) via an IM application.

16. Block all unauthorized IM session IP ports and services from communicating externally from within the company's internal network(s) unless such sessions are endorsed by IT Operations Management.

17. Consider using third-party software solutions that block IP sessions for specific unwanted IM applications.

18. Ensure that only authorized IM applications are used, and that they are frequently updated with the latest security patches for that application.

19. Authenticate using a methodology that provides a central point of user management and password management features. Do not authenticate against a public or third-party source.

20. To stop IM applications from hijacking other business service ports, consider the use of network-based management products such as a network intrusion detection system (NIDS) to watch for and reset unauthorized IM traffic (e.g., Snort, www.packethound.com, etc.).

21. Perform logging of system events, periodically monitor logs for suspicious activity, and maintain the logs for at least 90 days.

22. Display an approved warning banner or disclaimer notice.

23. Do not accept any file transfer requests from unknown or unauthenticated users.

Figure 1: Instant Messaging Levels of Security
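Practices 5 through 7 and 16 amount to a periodic review of outbound traffic for IM clients that have been reconfigured to ride on web ports (Risk #1). The Python script below is an added example, not code from the article or from any product it names: it scans constructed Squid-style proxy log lines, flags CONNECT tunnels to ports other than 443 and connections to a hypothetical blocklist of IM broker hosts, and groups the hits by the internal address that initiated them. The host names, addresses, ports and the endorsed-host exception are all assumptions made for the example.

```python
# Added example (not from the article): review Squid-style proxy access log lines for IM
# traffic riding on web ports, as practices 5-7 and 16 describe. All hosts, addresses and
# ports are constructed. Log format: ts elapsed client action/code bytes method url ...
import re
from collections import defaultdict

IM_BROKER_HOSTS = {"messenger.example-im.net", "login.example-chat.com"}  # hypothetical blocklist (practice 7)
ENDORSED_HOSTS = {"im.corp.example"}  # hypothetical, endorsed by IT Operations Management (practice 16)
ALLOWED_TUNNEL_PORTS = {443}  # the only port a CONNECT tunnel should use for legitimate web access

LOG_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<src>\S+)\s+(?P<status>\S+)\s+\d+\s+"
                    r"(?P<method>\S+)\s+(?P<url>\S+)")

def parse_target(method, url):
    """Return (host, port) of a request: CONNECT carries host:port, other methods a URL."""
    if method == "CONNECT":
        host, _, port = url.rpartition(":")
        return host, int(port)
    m = re.match(r"(https?)://([^/:]+)(?::(\d+))?", url)
    if not m:
        return None, None
    return m.group(2), int(m.group(3) or (443 if m.group(1) == "https" else 80))

def find_suspect_sessions(lines):
    """Map source IP -> [(reason, host, port)] so reconfigured clients can be traced to users."""
    findings = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the review
        host, port = parse_target(m["method"], m["url"])
        if host is None or host in ENDORSED_HOSTS:
            continue
        if host in IM_BROKER_HOSTS:  # caught even when the client hides behind port 443
            findings[m["src"]].append(("im-broker", host, port))
        elif m["method"] == "CONNECT" and port not in ALLOWED_TUNNEL_PORTS:
            findings[m["src"]].append(("tunnel-nonstd-port", host, port))  # classic reconfigured-client sign
    return dict(findings)

# Constructed sample: 10.1.2.3 and 10.1.2.9 run reconfigured IM clients, 10.1.2.4 does not.
SAMPLE_LOG = [
    "1136000000.101 120 10.1.2.3 TCP_MISS/200 3456 GET http://www.example.com/ - HIER_DIRECT/198.51.100.7 text/html",
    "1136000000.205 245 10.1.2.3 TCP_TUNNEL/200 5120 CONNECT messenger.example-im.net:1863 - HIER_DIRECT/203.0.113.5 -",
    "1136000000.300 300 10.1.2.9 TCP_TUNNEL/200 8000 CONNECT login.example-chat.com:443 - HIER_DIRECT/203.0.113.6 -",
    "1136000000.400 90 10.1.2.9 TCP_TUNNEL/200 640 CONNECT 203.0.113.77:5190 - HIER_DIRECT/203.0.113.77 -",
    "1136000000.500 60 10.1.2.4 TCP_TUNNEL/200 9000 CONNECT www.bank.example:443 - HIER_DIRECT/198.51.100.9 -",
    "1136000000.600 60 10.1.2.4 TCP_TUNNEL/200 700 CONNECT im.corp.example:5222 - HIER_DIRECT/10.0.0.5 -",
]

if __name__ == "__main__":
    for src, hits in find_suspect_sessions(SAMPLE_LOG).items():
        print(src, *(f"{r} {h}:{p}" for r, h, p in hits))
```

The blocklist and the endorsed-host set are the two lists practices 7 and 16 ask you to maintain; the per-source grouping is what lets the review identify which users reconfigured their clients.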

Conclusions

The use of non-standard IM applications represents a major and growing risk to organizations because, like e-mail, it leaves a written record. Many companies are not filtering their corporate communications, making their organization potentially vulnerable to harassment and discrimination lawsuits. An employer is obliged to provide a safe work environment that is free of discrimination and harassment. If employees circulate rude jokes via IM or make inappropriate comments regarding co-workers, the employer could be held responsible. Apart from legal liability, it is also important to protect against confidentiality breaches, lost productivity and network congestion, and to ensure compliance with industry regulations and privacy laws. Regulations such as HIPAA, Sarbanes-Oxley and Gramm-Leach-Bliley demand absolute protection, and organizations face stiff penalties for failure to comply. In addition, Instant Messaging has become a popular vehicle for distributing viruses, worms, and other blended threats. Of the already known risks in IM, the bypassing of anti-virus and firewall protection and legal and privacy issues are at the top of the list. The use of IM to convey sensitive business or personal information should be restricted and enforced by policy, network and application controls. In addition, it is equally important that we identify and evaluate new business requirements to determine whether they are being fulfilled by other non-standard applications. As management and staff become more aware of the risks and business requirements, it is likely that more secure, integrated solutions will begin to be incorporated into them.

Carlos Valiente, Jr. is a Regional Chief Information Security Officer for the IT Security Group Americas territories at PricewaterhouseCoopers (www.pwc.com).


