IT vs. IM
Instant Messaging (IM) makes tactical communication a snap, but too often IM serves as a doorway for hackers. Here's how IT can wrestle with the problem.
In October 2006 Instant Messaging reached an ignominious milestone. Security
vendor Akonix Systems Inc. reported a record-high 88 IM-based attacks, a mark
that still stands almost six months later.
While it hasn't gotten any worse, IM threats have hardly gone away. Most are
in the form of worms usually spread as attachments. They have wacky names such
as Geezo, NotYou and Tellsky. IT staffers have to clean up these messes, and
they're not laughing.
Besides worms and other viruses, IM is also a conduit for phishing, spyware
and social engineering attacks. "I fight daily with pesky spam, malware,
viruses and back-doors. Every computer I clean has some type of IM client or
a residual," complains one IT professional.
While IM is often seen as stripped-down messaging, the viruses it carries are
no lightweights. Take the W32/Sohana-C worm. This nasty little germ first shuts
down your anti-virus protections, then modifies the registry and can install
software from the Internet. It can also change the user's start page and duplicate
itself via IM.
It's no wonder that many in IT aren't fans of IM. "I'm not an IMer and
I don't see the business case for it. Employees can state their cases all day
long but in the end, everyone knows what they use it for most of the time --
[and] it's not work-related," says Dave Zeininger, a network engineer and
administrator for The Computer Merchant Ltd, a computer consultancy.
Just Say No
One solution that may please IT -- but not end users -- is to ban IM completely.
"We just say no [to IM]," explains John Montgomery, MCSE, president
and CEO for IMC Studios Inc.
Blocking can be a fairly simple procedure. "In our enterprise, IM protocols
are blocked by filtering software at the Internet gateway, and all known IM
client software is prevented from running by a combination of group policy --
blocked by path and hash -- and our AV software," explains Marc Cote, a
network manager in Lenexa, Kan. "So far, I have the CIO onboard with these
actions in the name of security," he says.
Others in IT are taking a similar tack. Charlie Jarman, a system administrator
and Microsoft Certified Professional with Loris Healthcare System Inc., says
he simply uninstalls MS Messenger on all Windows XP Pro-based PCs when they
come in the door. He then uses Websense to block all IM clients and all ports,
as well as using Group Policy to disallow running the popular IM clients.
"This strategy works pretty well for our small hospital system with about
1,000 employees," he says.
Blocking isn't always enough, however. The fear of God (or at least HR) can
also help, argues Dwayne Sudduth, network administrator for Bulova Technologies
LLC in Lancaster, Pa. Sudduth says he blocks all the ports for the major IM
clients at the firewall.
"All of about three users would know how to circumvent that anyway, and
we're all in the same department [IT]," Sudduth says. "It's a well-known
policy that the use of IM is forbidden and is a disciplinary offense, [with
penalties] up to and including immediate termination."
If IM is essential to your business, there are two main choices. One is to
install a private IM network based on tools from Microsoft, IBM Corp. or Jabber
Inc., among others. These private networks tie users to a directory, or let
you create a directory that ensures users are who they say they are and have
proper password protection.
These tools can also archive IM messages that fall under compliance regulations,
giving IM the same status as traditional e-mail. These systems also generally
include virus blocking, attachment control, the ability to manage and block
users, and filters to safeguard confidential data.
Another option is to install a gateway that works with existing public IM services
like Yahoo! and AIM. These types of tools filter content, detect and block viruses
and control what users can do with IM. They can also help with compliance by
reporting on IM use and archiving traffic. Gateway tools can also discover just
what kind of IM is installed and where.
Down the IM Hatches
• Understand what you have and do an inventory to see what IM clients are in use and by whom.
• Create an enforceable IM policy. Users should not open attachments or click links. Get legal involved in approving the policy so it's in line with compliance.
• Think about creating a standard IM solution, or blocking IM.
• Patch your IM software, if you have it, regularly.
• Protect your network with a good Intrusion Protection System.
• Users should not use names that appear to be someone else, such as GeorgeBush, and IT should not allow false names on the network.
• Consider encrypting IM messages.
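The checklist's first item (inventory which IM clients are in use and by whom) and the earlier accounts of blocking the major IM ports at the firewall both come down to the same thing: looking at outbound connections on the default ports of the public IM networks. The script below is an added example, not code from the article or from any vendor it names. It parses a constructed firewall log format (the field layout and every address and user name are made up for this example; the addresses are from the documentation range) and reports, per user and host, which IM services were contacted, plus how many attempts were denied once a block is in place. The port assignments are the long-standing default client ports of AIM, MSN Messenger, Yahoo! Messenger and Jabber/XMPP; clients can fall back to other ports, so this is a first pass for an inventory, not proof that a host is clean.

```python
"""Inventory IM usage from a constructed firewall log (added example).

Assumptions: the log format below is invented for this example; the ports
are the default client ports of the public IM networks the article names.
"""
import re
from collections import defaultdict

# Default client ports of the public IM networks (well-known defaults).
IM_PORTS = {
    5190: "AIM",
    1863: "MSN Messenger",
    5050: "Yahoo! Messenger",
    5222: "Jabber/XMPP",
}

# Constructed sample log lines: timestamp, user, source host, destination,
# destination port, firewall action. Addresses are documentation-range values.
SAMPLE_LOG = """\
2007-03-01T09:12:03 user=jdoe src=10.1.4.22 dst=203.0.113.10 dport=5190 action=allow
2007-03-01T09:12:09 user=jdoe src=10.1.4.22 dst=203.0.113.11 dport=1863 action=allow
2007-03-01T09:15:44 user=asmith src=10.1.4.31 dst=203.0.113.12 dport=5050 action=allow
2007-03-01T09:16:02 user=asmith src=10.1.4.31 dst=203.0.113.13 dport=5222 action=deny
2007-03-01T09:20:17 user=bwong src=10.1.4.40 dst=203.0.113.14 dport=443 action=allow
2007-03-01T09:21:55 user=jdoe src=10.1.4.22 dst=203.0.113.10 dport=5190 action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def inventory_im_usage(log_text):
    """Map each (user, source host) to the sorted list of IM services it
    contacted. Denied attempts count too: a blocked connection still shows
    that a client is installed and running on that host."""
    usage = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in IM_PORTS:
            continue
        usage[(rec["user"], rec["src"])].add(IM_PORTS[rec["dport"]])
    return {key: sorted(services) for key, services in usage.items()}


def denied_attempts(log_text):
    """Count denied IM connection attempts per user, which after a port block
    is in place shows who still has a client trying to reach the outside."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dport"] in IM_PORTS and rec["action"] == "deny":
            counts[rec["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for (user, host), services in sorted(inventory_im_usage(SAMPLE_LOG).items()):
        print(f"{user:10} {host:12} {', '.join(services)}")
    print("denied IM attempts:", denied_attempts(SAMPLE_LOG))
```

Run against a real export, the same two functions give the "who and what" list the checklist asks for before a block is chosen, and a view of residual client activity afterwards; hosts that show up in the denied count are the ones worth visiting for the uninstall-and-Group-Policy treatment described earlier.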
The Trillian Advantage
One problem with most IM clients is that they don't know how to talk to other
clients. For Timothy Carroll and many others, Trillian is the answer. "We
use Trillian for all IM: It operates with all the popular networks including
AOL, MSN and Yahoo!," says Carroll, who is a network engineer for XS Inc.,
an IT-based application development shop.
Carroll says he first created a default installation, configured it so it looks
for profiles in "Documents and Settings," and then created his own
MSI installer with Visual Studio, which duplicates the default installation.
The product, however, is not without its shortcomings.
"Sadly, Trillian does not respect Windows' limited-user security out of
the box. By default it stores all profiles under Program Files. Its default
installer is not an MSI and cannot be deployed. To me both reasons are grounds
for immediately uninstalling the product," Carroll says.
But since the company gave him a way around the problem, as well as promising
in the next release to permanently fix it by automatically storing everything
in documents and settings, Carroll has decided to stick with it.
Others are looking to Microsoft for business-oriented solutions. "We're
looking for ways to facilitate the use of IM for business, but in a secure manner.
IM will continue to cause issues unless businesses, decision makers, managers
and users identify the security risks and address them," says Michael Esquia,
an IT pro with the Florida-based law firm Fowler and White.
Esquia says he sees the issue as two-sided. On one side there are the users
and their lack of education. On the other side are the IM software companies
and the lack of manageability they offer in their products. He says it's not
as if he's asking vendors to develop complete management consoles, but simply
to make it easier to manage features using the registry.
"Microsoft is leading the way with Live Communications Server [LCS], but
it's still expensive for something that most people view as free to use. If
we go with LCS, we'll keep other IM software from running on workstations,"
The Microsoft Way
One public radio station, which asked not to be identified, faced an internal
IM battle. The station's former IT director says its news department, radio
shows, Web team and key executives all used IM personally and expected the IT
department to offer it with no regard for security risks, or for how the existing
business logic would support the increased demand.
"After initially demonstrating the dangers of unlimited open IMing involving
AIM and Yahoo! IM, we were able to get the critical users and execs to understand
the problem of security breaches. The AIM virus disaster was the clincher,"
The station's IT department then proposed a secure solution. They were able
to convince the powers that were that IT wasn't refusing to help, but only wanted
to comply with the demand in a secure fashion, according to the source. Once
they proved the risks and dangers to the corporate network and resources, they
made a pitch for the special funding of the project. The CFO then approved the
purchase of a small, dedicated server for internal messaging, he says.
The specific solution came in the form of the Windows Message Server, which
supported all the departments and their users that required the service. According
to the former IT director, the productivity improvements were immediate because
different departments could communicate significantly faster when, for instance,
news was breaking.
Despite the Microsoft solution, other clients are sometimes tolerated. "External
IM was approved for select individuals or departments but was screened against
hitting the main network. This was a very rare permission and had to wait for
us to move to Windows 2000 Server, [which had] tighter and more discrete control
over user account security," says the station's former IT manager.
The DBabble Alternative
Years ago end users at The Computer Merchant Ltd. had free rein and could install
any IM client that came down the pike. That all changed when the company moved
to Windows XP Pro and took away end user admin rights.
"Because of their demand for IM, stating that their clients required it
for quick communication, we deployed DBabble on our network and clients, totaling
about 125 users," The Computer Merchant's Zeininger says.
Because Zeininger's IT manager was a "real nerd," he was able to
download the manual for the product, read the entire manual, deploy the server
and test it out on selected users -- all in one day. This allowed the company
to deploy the product companywide the following week.
The only problem -- and it was no small one -- was network access, according
to Zeininger. He says the major issue for the next couple of years will crop
up when the IM companies block communication with the public jabber servers
his firm would normally connect through. Most of the time, he notes, it takes
several attempts to get connected through a valid jabber server in order to
communicate with the IM Servers.
"It's got to the point where, when we lose the communication for AIM or
Yahoo! due to their blocking the jabber server, we may be a week or more before
we bother to reconfigure another public jabber server for DBabble," he
With such inconsistency, users are starting to give in on IM, and Zeininger
says he couldn't be happier. There are alternatives to DBabble, he says, but
he has yet to see a real business case that justifies the cost associated with
these options -- nor does he have the resources to manage such a system properly.
IM doesn't have to be a minefield. Through blocking or a more secure IM solution,
your network can be protected from the likes of Geezo and Sohana.