The Coming IM Threat

By Jesse Freund

"The more things change, the more they remain the same" goes the old French saying. Today, the ongoing battle between enterprises and viruses offers a vivid example. Last year, Reuters reported that virus outbreaks cost businesses $55 billion in damages annually. While staggering, the truth is, if not for diligent work and careful planning by IT departments, the number could have been a lot higher. By and large, enterprises have done a commendable job of implementing new technologies to thwart these email-based attacks and educating the workforce to guard against malware. Yet, just as organizations have begun to turn the corner on email-based viruses, a new threat has emerged: Instant Messaging (IM) attacks.

To get a sense of the threat presented by IM attacks, consider a few numbers. According to IDC analysts, the number of people using Instant Messaging is expected to grow to 450 million by the end of 2007. According to market research firm The Radicati Group, while 85 percent of companies have public IM in use, only 12 percent support the use with enterprise security technologies and IM-specific policies. Finally, during the first quarter of last year, security vendor IMlogic reported a 250 percent annual increase in the number of threats targeting IM and peer-to-peer networks. Simply put, IM attacks are on the rise.

Know the enemy

In form and function, IM threats are similar to email-based attacks. The goal of each is to get malicious code onto as many computers as possible. Also like email attacks, the most common method of infecting computers involves sending a message from a trusted party with a viral attachment or a link to a Web site that is able to install malicious code. Once a user opens the link or attachment, the virus is launched and the infected message is forwarded to everyone on the user's buddy list.

Other threats common to email are likewise becoming more popular in the IM realm. Chief among them: phishing. In a case last year, phishers posing as Yahoo! employees sent messages over the Yahoo! IM network asking users to log in via a fake Web page -- thereby allowing the phishers to capture usernames and passwords. What's more, common email schemes like buffer overflow attacks and denial-of-service attacks are beginning to surface, according to Nate Root at Forrester Research. And, not surprisingly, IM has caught the attention of spammers, who now regularly send out unsolicited instant messages - or spim.
 
IM's unique impact

With corporations becoming ever more adept at finding solutions for email-based attacks, it might seem tempting to dismiss IM attacks as no worse than earlier attacks. However, there are a host of factors that belie this assumption. The unique nature of IM makes attacks particularly debilitating for a number of reasons, including:

• IM is always on Since most IM applications automatically launch at startup and remain on throughout the day, a virus sent by IM can appear instantly on a desktop and be clicked on before a user has time to question its legitimacy.
• IM takes place on public networks Forrester claims that fewer than 25 percent of corporations use locked-down (or proprietary) IM software, meaning that 75 percent of corporate IM users are transmitting sensitive corporate data over insecure public networks.
• Buddy lists tend to be trusted Employees are much more likely to click on an IM from a trusted source that says "Check out this link" than a Visual Basic email attachment bearing the name Hot Steamy Sex.
• IM viruses propagate quickly Because IM is always on and buddy lists tend to be trusted, an IM virus can quickly infect an entire enterprise.

"Instant Messaging is going to be a much bigger security problem than e-mail ever was," says Forrester's Root. "So far, hackers have been focusing on email, but once they start to shift to IM, they will find new ways to propagate their viruses faster and more effectively. In the near future, someone's network is going to get taken down due to an IM virus."

An ounce of prevention

As with other threats, good security starts long before technology purchases. The biggest challenge with IM attacks involves social engineering -- getting employees to understand and respond to the threat regardless of the technologies in place. As such, experts recommend the following course of action for companies trying to stay one step ahead of IM risks:

• Understand current IM usage Learn how employees are using IM and whether that usage circumvents firewalls and other security products and policies already in place.
• Use the data to determine appropriate business use IM has a legitimate and valuable place in today's enterprise. Once the usage patterns become clear, businesses can begin to figure out how to support IM usage that adds business value.
• Develop policies that specifically address IM Review existing email and Internet use policies and determine the best way to extend the policies to cover IM usage.
• Consider archiving and compliance If IM is used to support business functions, businesses might be required to archive messages for compliance purposes.
• Implement appropriate technologies IM messages should be scanned for viruses at the gateway, just like email messages. Current technologies can also offer additional protection by including pop-up windows that remind employees of IM use policies, as well as providing a unified command and control center for responding to IM attacks.

Adopting a combination of appropriate policy and new technology can go a long way to ensuring that IM becomes a case study for vigilance instead of a massive case of business disruption.

Jesse Freund is a freelance writer in Oakland, California.