Daily IT Matters, this is the place where I post my daily findings on IT.

Sunday, September 24, 2006

Management and Security Considerations for Instant Messaging in the Workplace


Over the past several years, instant messaging (IM) has
evolved from a tool used almost exclusively by computer experts and systems
administrators into an everyday communication mechanism for business users.
Technology research firm the Radicati Group estimates that in 2004, 13.9 billion
IM messages were sent per day, with an increasing number of these used for
business collaboration.[1]
Clearly, increasing numbers of businesses are realizing that real-time
communications such as IM can help streamline communications and save
consider­able time and money.

As instant messaging technology is embraced by information
workers and their organizations, it is important that system administrators and
information technology (IT) professionals within these organizations recognize
both the value and the potential risks posed by this new technology. Businesses
must ensure that, like every other technology they have in place, IM is included
both in IT plans and in corporate security and usage policies.

In particular, two attributes of instant messaging
technology merit attention from IT professionals:

Because the technology is relatively new but proliferating
quickly, IM has increasingly become the target for attackers to propagate
IM-borne viruses, worms, spam over IM (spim), malware, and phishing attacks.
Because IM clients are widely (and often freely) available, they
can be installed by end users without knowledge or involvement from the IT
organization. This is especially true for organizations with mobile and remote
employees. Thus, while widespread in adoption, IM is often unprotected and
unmonitored in consumer and enterprise environments, leaving it vulnerable to
attacks and exploits.

The following paper discusses the benefits and risk factors
to consider when adopting IM in the workplace, as well as recommendations for
implementing and managing IM to obtain these benefits without compromising the
security of the computing environment.

Business Benefits of
Instant Messaging

IM is a highly effective, expedient means of communication.
Real-time text discussions harness information workers’ ability to multi-task
and break through typical organizational barriers to increase productivity. For
example, a user can be on the phone with a customer while using IM to gather
necessary information from others in the organization to help solve a problem or
close a sale.

Additional benefits include:

Presence Awareness. The ability to initiate real-time
communications with an associate or business partner is first enabled by knowing
whether contacts are online, temporarily away from their desks, or on the road.
Presence awareness allows users to indicate where they are and where/how/when is
the best time to contact them.
Reduced Long Distance Costs. Although IM is most commonly
used for two-way conversations in a business capacity, most programs offer a
conference or chat setting where workgroups can meet and conduct focused
conversations. Using IM to interact with employees and clients across the globe
in real time can reduce an organization’s long-distance phone charges.

Reduced Storage Space and Costs.
When personal messages are sent via e-mail, they are stored in the
groupware solu­tion and subsequently backed up. Storing and backing up these
messages consumes valuable space, with little or no business value. Sending
these messages via IM rather than e-mail frees up storage space for
business-critical information.

For some organizations, the use of public IM clients is an
acceptable, low-cost alternative to traditional forms of communica­tion.
However, reliance on public or consumer-class IM applications creates some
unique obstacles:

The organization has little or no control over how IM applications
are used and implemented. Public IM applications cannot be easily “locked” to
constrain the types of messages sent or with whom they may be exchanged.

The lack of interoperability between major IM applications makes
standardization difficult. Users may have to install multiple IM clients to
communicate with all of their intended parties.
As both legitimate and unapproved use of instant messaging clients
and peer-to-peer networking increases, new worms and viruses are increasingly
using these mechanisms to spread. According to the IMlogic Threat Center,
IM-based threats are increasing at an alarming rate.[2]
Without specific security measures in place to protect against IM-based attacks,
organizations may be exposing corporate networks to unacceptable levels of risk.
IM interactions are not easily captured, logged, or audited. After
the client software is closed, messages are typically de­leted. Hence, these
messages do not become part of any interaction history, and thus the information
cannot be mined or used for customer relationship management (CRM) or compliance

Industry-Specific Challenges

In addition to these common challenges, business may face
additional issues specific to their industry or line of business. Two examples
of these industry-specific considerations are presented below. Ultimately, each
organization must assess its unique needs to ensure that the instant messaging
solution fits well with its unique security, communications, and compliance

Scenario: Customer Service. Customer service organizations
that rely on consumer-class IM for communications with customers may find that
the inability to log or record IM conversations is a liability. While customers
may appreciate the immediacy of the communication, the organization may suffer
from the lack of integration with enterprise CRM or issue-tracking tools.
Likewise, the lack of a permanent record may hamper accountability or efforts to
follow up with customers.

Scenario: Financial Services. Organizations with strict
regulatory compliance burdens should be especially aware of issues relating to
the use of IM clients. For example, financial service providers (FSPs) such as
brokerage firms have a particular difficulty with public IM clients that do not
provide the tools or capabilities required by the U.S. Securities and Exchange
Commission (SEC) for monitor­ing and archiving written communications. Federal
regulations stipulate that FSPs must take measures to document any form of
financial advice or communication. It also requires FSPs to screen
communications for any possible sharing of insider trading information. Because
of these regulations, any FSP that relies on public IM applications must
consider the potential legal implications.

In each of these scenarios, the
risk and exposure posed by the non-secure, unmonitored communica­tion provided
by public IM clients could outweigh the benefits of real-time communication. To
implement instant messaging effectively, and without compromising security,
compliance, or communications policies, these organizations require solutions
that provide centralized management and tracking of IM communications.

Why IM Security is Critical

Organizations invest a great deal of money in security and
considerable time implementing corporate policies to prevent users from becoming
carriers or transmission points for malicious code; inappropriately sharing
confidential company information; or sending or receiving language or materials
that exposes the corporation to legal liabilities. The conversation and file
transfer capabilities of consumer-class or publicly available IM applications
can make it easy for users to bypass traditional security measures and e-mail
policies. This leaves systems susceptible to attacks such as worms and Trojan
horses that export data and create “back doors” into the system. As IM increases
in popularity, its utilization as a vector for potential malicious attacks or as
a means for sending unsolicited information is expected to increase as well. For
this reason, it is essential that enterprises put plans in place for this new
collaboration application, protecting themselves from these threats.


Potentially devastating e-mail worms are a common reality
for any computer security professional. These e-mail threats can be dealt with
effectively by using antivirus products that monitor e-mail traffic. IM-specific
worms are a newer threat, and their numbers are steadily rising.

Backdoor Trojans

Some malicious Trojan horse programs target IM by modifying
configuration settings to enable file sharing for an individual’s entire hard
drive, thus allowing hackers full file access to a machine. Meanwhile, classic
backdoor Trojans utilize IM to send mes­sages to the author of the Trojan horse,
giving the hacker information about the infected computer.

Hijacking and Impersonation

There are several ways that hackers can
impersonate unsuspecting users to access their account information. As noted, a
hacker can obtain the account information of a user, including passwords, via a
Trojan horse. He or she can then impersonate the victim and convince the
victim’s “buddies” to run files on their computers or divulge additional
confidential information. A hacker can also use a simple denial-of-service
exploit or other unrelated exploits to make a client disconnect. Since the
server keeps the connection open and does not know that the client has
disconnected, the hacker can then impersonate the user. Furthermore, since all
data is unencrypted and unauthenticated, a hacker can use classic
man-in-the-middle attacks such as address resolution protocol (ARP) spoofing.


“Phishing” is a form of attack in which an attacker
attempts to fraudulently acquire sensitive information, such as passwords and
credit card details, by sending e-mail or instant messages that appear to
originate with a trusted source. Phishing schemes are becoming increasingly
common and increasingly sophisticated, making it difficult for users to
recognize and ignore or delete fraudulent messages.

Denial-of-Service Attacks

Hackers can cause denial-of-service attacks on IM clients
in various ways. Some attacks cause the IM client to crash. Other types of
attacks make the client “hang,” and in some cases consume a large amount of CPU
power, causing an entire computer to become unstable. One common method of
attack is to flood a particular user with a large number of messages. Although
some IM clients protect against flood attacks by allowing users to ignore other
users, certain tools allow the hacker to use multiple accounts simultane­ously
or automatically create a large number of accounts to accomplish the flood
attack. Furthermore, once a flood attack has started, a computer may become
unresponsive by the time the victim realizes what is happening. This makes it
virtually impos­sible to add the attacking user accounts to the “ignore” list of
the IM client in a timely manner.

Information Disclosure

Tools that attempt to retrieve system information from IM
users, such as IP address retrievers, are frequently used by hackers. For
instance, if an IP address re­triever is used in conjunction with a backdoor
Trojan horse, a hacker could receive a message containing the IP address of an
infected user each time the victim is online. In this manner, a hacker could
know the IP address of the infected user, even if he or she uses dynamic IP

Undesirable Content

Because IM applications can often be used to exchange files
or other sensitive information easily and without trace, organizations must
recognize it as a potential threat to confidentiality and legal liability.
Examples include the ease with which users can pass confidential company
information, use prohibited language (sexual harassment, profanity, etc.) as
well as to share unauthorized file types. The use of corporate networks to share
media files (e.g.,.mp3 and .avi files) has been the subject of recent
litigation, while other file types (e.g., .exe and .vbs) can be used to harbor
malicious code.

Before implementing IM in an enterprise environment,
organizations should carefully consider the issues described below.

Evaluate Usage

Understanding existing deployments and usage patterns is
the first step to gaining control over IM usage in the workplace. Because many
IM client applications are preinstalled or can be downloaded for free, employees
may have started using IM applications on their own, unbe­knownst to
administrators or security officers. Several programs are available that can
audit usage and identify users that have IM clients deployed. These programs are
essential to developing an accurate picture of which applications are in use
(including version), by whom, and what they are being used for.

Assess Potential Risk vs. Value

Determine the value of implementing company-sanctioned IM
usage throughout the organization. How will employees and the organization as a
whole benefit from presence awareness, real-time communication, reduced e-mail
us­age, or reduced telephone costs? Should IM be deployed for internal use only,
or will it be used to communicate with customers and partners, as well?
Organizations must weigh the benefits of instant messaging against potential
risks to security, compliance, and corporate image that might result from use or
misuse of the technology.

Decide Whether to Deploy an Enterprise IM Solution

The decision should be based on the value to the
organization and the ability to manage risk, as well as factors including
network use, availability, and security standards. Enterprise IM solutions such
as Microsoft® Office Live Communications
Server 2005 provide organizations with a powerful internal IM system. Regardless
of whether or not an enterprise IM solution is deployed, companies must decide
whether and under what circumstances to allow the use of consumer IM clients on
the organization’s desktops.

Establish Consistent Corporate Policies

Corporate IT policies should be expanded to address IM
usage. Companies should examine their motives for managing IM at the corporate
level, for example to ensure compliance with legal regulations, management of
security issues such as viruses, communication storage, prevention of sensitive
data theft, or avoidance of the risk of remote hacking. File and
content-filtering policies can be used as the first line of defense against
viruses that propagate via IM clients. Certain filters can be static, such as
those that block scripts or executable files.

Educate Users

Administrators should educate their users on both the
ben­efits and the risks of IM usage, including how to recognize phishing
schemes, and the potential impacts if a client is hijacked. These guidelines
should be communicated to all employees as part of an updated corporate
messaging policy that covers both e-mail and IM usage.

Protect IM and File Sharing from Virus Attacks

Ensure that enterprise IM solutions and consumer managed
solutions are secured from the aforemen­tioned threats. For example, security
experts recognize the limitations of relying on desktop antivirus protection
alone for protecting e-mail servers, messaging gateways, and collaboration
applications. Today, a prudent “defense in-depth” strategy relies on multiple
levels of scanning and the use of multiple antivirus engines. Antivirus
protection should be enabled so that IT administrators can manage and secure
enterprise and public IM communications at the server level.

Even organizations that deploy enterprise IM solutions for
internal use only should implement security measures to prevent the corporate
messaging systems from being used to propagate malicious code or inappropriate
content that is introduced through other sources.

Centralize Control for Regulatory Compliance and Legal Protection

When deploying IM to desktops, organizations should also
deploy tools that enable administrators to log messages, scan for inappropriate
content, and implement corporate messaging policies from a central server
environment. Centralized protection mechanisms enable organizations to manage
and control IM traffic.

Tools for Secure Instant Messaging

Secure, well managed instant messaging requires technology
beyond the desktop messaging client. A central messaging server, such as Live
Communications Server 2005, provides control and management functionality, while
specialized security tools, such as Antigen®
for Instant Messaging, deliver antivirus scanning, content filtering, and
message content scanning. Together, these technologies create a secure,
manageable, collaborative environment. Tight integration between Live
Communications Server and Antigen for Instant Messaging enables organizations to
apply corporate security policies consistently and to deploy IM solutions
without compromising the security of the enterprise environment.

Antigen for Instant Messaging

Antigen for Instant Messaging is a
rver-based antivirus solution that provides comprehensive
protection for Live Communications Server and its Office Communicator and
Windows® Messenger clients. For
organizations that allow use of public IM clients, Antigen for Instant Messaging
also integrates with IMlogic IM Manager on a separate server to provide threat
protection for other public IM clients. By using layered defenses, corporate content policy enforcement, and
optimization of messaging server resources, Antigen for Instant Messaging
provides comprehensive protection to ensure that messages and file transfers are
cure at all times.

Layered Defenses

By managing multiple antivirus scan engines to scan all IM
and file transfers, Antigen for Instant Messaging minimizes the average window
of exposure for emerging threats by providing and managing frequent signature
updates from multiple antivirus labs around the world. Layered defenses also protect against downtime; if one engine
fails or goes offline to update, other engines remain active to provide
protection, ensuring that IM service
is not interrupted and user security and compliance are not compromised.

Content Control

Through administrator-defined content filtering rules,
Antigen for Instant Messaging helps enforce compliance with corporate policy for
language usage and confidentiality within IM conversations and file transfers.
Customizable filters help protect against inadvertent or intentional transmittal
of inappropriate content, such as offensive language, legally or ethically
questionable material, or confidential company information. Antigen for Instant
Messaging includes a set of predefined, customizable keyword dictionaries to
target profanity, discriminating language, and spim. Administrators also have
the ability to configure file filtering rules that block file types that may
contain malicious content (for example, .exe) or expose organizations to legal
liability (for example, .mp3).

Server Optimization

Antigen for Instant Messaging integrates closely with Live
Communications Server, optimizing server
performance and ensuring that protection does not overtax server resources. With features like in-memory
scanning, multi-threaded scanning processes,
and performance bias settings,
businesses can achieve the benefits
of multiple-engine scanning without introducing additional processing time or server performance degradation.
IM is rapidly becoming a staple in corporate
communications, enabling employees to share information and documents in
real-time. However, as IM introduces new collaboration capabilities and
productivity gains, it also has the potential to introduce new threats to
corporate computer security. Be­cause of growing IM use, organizations need to
address the security concerns associated with IM-specific malicious code as well
as undesirable content.

By leveraging best practices and the appropriate technology
solutions, today’s organizations can create an enterprise IM system that adds
significant business value while enabling consistent policies and threat
protection across their networks. Enterprise-class collaboration tools such as
Microsoft Office Live Communications Server and Antigen for Instant Messaging
provide a high degree of management and security, enabling organizations to
adopt these new collaborative technologies with confidence.

See the following resources for further information:

For in-depth information on computer security, including the
latest updates, best practices, and tips for IT professionals and businesses,
visit www.microsoft.com/security
For information on enterprise IM solutions built on Microsoft
Office Live Communications Server, visit

For more information on Antigen for Instant Messaging, visit

No comments: