Instant messaging (IM) platforms, such as AIM, Yahoo! Messenger and Google Talk, have moved beyond the world of high school chatter and into the world of corporate communications. Yet, in many cases, security policies and processes haven't caught up to this technology. It's now time to consider how instant messaging is, and should be, used in your organization, and how to protect against IM threats.
Instant messaging policies
The first step is to clearly state your organization's policy on instant messaging. Can users install and use IM software on systems owned by the organization? If you have a strict "no outside software" policy, you may think you're covered, but keep in mind that Windows XP SP2 ships with Windows Messenger installed, creating a policy loophole.
Here's a set of questions you should consider when defining your organization's IM policy:
- Is IM use permissible on your network?
- May users run IM software on systems owned by your organization?
- Does the organization endorse/require a specific IM platform?
- Is encryption mandatory?
- Is IM acceptable for corporate use or for personal communications only?
- Are there restrictions on the sensitivity of data that may be communicated via IM?
- Is there a requirement to retain records of IM communication for any period of time?
Once you have a clear policy on IM use, educate your users on policy requirements and their responsibilities.
Instant messaging security measures
If you decide to allow instant messaging, blanket it with layers of protection to ensure you're organization is protected against the viruses, worms and other malicious code that's become prevalent on IM networks. Run a modern antivirus program that includes IM scanning on all workstations, and consider a using network-based content filter that scans IM traffic for malware.
You also want to prevent the threat of eavesdropping on your traffic as it traverses public networks. Out of the box, IM software uses public servers hosted by the IM provider, which means all messaging must traverse the public Internet on its way to and from the server. If you think your users might send sensitive messages through IM (accidentally or intentionally), you should strongly consider encrypting that traffic. Unfortunately, encrypted IM is a relatively immature technology that typically requires a specialized client. One standout in this field is the free Trillian client by Cerulean Studios, which supports multiple IM networks and allows encrypted communications with other Trillian users.
The ultimate option in secure instant messaging is to run your own managed IM server or gateway. This eliminates the threat of outsiders intercepting internal messages as they cross the Internet by keeping the traffic on the local network, and it's actually easier than you might think. Many of these products allow you fine-grained control over the types and destinations of IM traffic on your network. In addition to the commercial products available, you may wish to consider the open-source Jabber IM server project.
Instant messaging is here for the foreseeable future and poses a significant challenge to information security professionals. If you're not able to block IM completely due to business requirements, you should certainly consider implementing strong controls to limit the risk this technology poses to your organization.
About the author
Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.
This was first published in January 2008