Thursday, July 3, 2008

Security: Instant Messaging and Enabling Business

I recently had a colleague ask me about the inherent risks in using Instant Messaging (IM) for business. Certainly, IM is an extremely effective way to communicate with team members and customers who may not be in close physical proximity. However, if used incorrectly, negative impact to the business can be massive.

There's consumer grade and business grade IM solutions. Services such as Yahoo IM are considered consumer grade. All text based IMs can either be routed through a core set of central servers and then on to the recipient, or through peer-to-peer connections. When you combine consumer grade IM services with traffic flowing in the clear (i.e., unencrypted) through central servers outside of the organization's control, you end up with a significantly elevated set of risks. Are these risks worth accepting?

Here are some of the more obvious risks that I see with using consumer grade IM for business:

  • Vulnerable Clients -- advisories for vulnerabilities in chat clients are announced fairly often. Many of these vulnerabilities allow for the remote execution of code on the vulnerable client system
  • Traffic can be viewed ("sniffed") -- by default, consumer grade IM clients send all of their traffic in the clear. There are plugins to provide encryption for some clients, however, all parties involved in the chat will need the crypto plugin enabled and configured correctly
  • Data theft -- a nefarious employee could potentially move critical/restricted data to a location offsite
  • Identity Theft -- The mechanism for consumer grade IM user authentication is weak. Grab the weak authentication traffic and an attacker now has valid login credentials. The stolen credentials can then be used to impersonate the victim and be used as a launch pad to further identify theft
  • Provides IP info to attackers -- if an employee decides to go to an external chatroom with their IM client, their IP is now known to anyone else in the chatroom who may be interested...including a potential attacker. With the IP the attacker can focus their attack to a specific system
  • Privacy...or lack thereof -- see all points above
  • Social Engineering -- more likely to happen if an employee engages in conversations in non-business specific chatrooms
Another risk is in employees using IM for business on their home computers. Imagine, for just a moment, that an employee commits a crime against the business from their home and used IM to enable them to commit the crime. Your business won't have the authority or right to confiscate their home computer for investigation - your hands are tied behind your back. I'm sure you can start seeing where the dangers and risks start to go up.

Additionally, many chat clients will log all conversations to disk. What if confidential or restricted data is logged and stored on an individuals home computer? Other family members, or friends, may have access to that system, or perhaps the home computer is already compromised and under someone else's control (think botnet). Now the attacker can pull the chat logs and have unauthorized access to confidential or restricted data. The impact could be titanic to the business! Of course, confidential or restricted data should never be sent over IM in the first place.

In addition to having policies, procedures, and perhaps even guidelines on the proper use of IM for business, I believe the return on investment by providing an internal and redundant IM service to enable business is compelling and certainly worth considering strategically.

Steve Zenone

No comments: