Most Firms Are Clueless About Instant Messaging Risks
The instant messaging service many of us enjoy via our Internet service providers is a potential security weakness for businesses, but most companies seem blissfully unaware of the danger, experts say.
Instant messaging, which allows two individuals to have a “real-time” conversation by typing messages back and forth over the Internet, presents “hundreds of vulnerabilities,” states Robert Elliott, technical project administrator for eRiskSecurity, based in Burbank, Calif., “and each of them can be devastating.”
These vulnerabilities, says Elliott, may allow an intruder to execute “arbitrary commands, such as formatting your hard drive or controlling your computer [to launch] more insidious denial of service attacks.” Software applications that enable such attacks are freely available on the World Wide Web, he adds.
“A lot of companies have their heads in the sand, thinking that if they can't see a hacker, a hacker can't see them. That's just not true,” asserts Elliott, whose company performs vulnerability analyses on computer networks.
While instant messaging isn't often regarded as a business tool, it is increasingly taking hold in business settings, “usually without management's knowledge,” says Elliott. This may happen when employees use instant messaging for personal communications. In addition, “a lot of IT pros themselves use it,” Elliott points out. In that case, even if proper firewall protection is in place, “IT staff might go around it or put a hole in your firewall” in order to use instant messaging themselves.
“IT's job should not be to allow instant messaging clients, unless it's only internal,” says Elliott. “On a flat network, where every machine can be seen by every other machine, most computers are trusted. If a hacker gets hold of one of them, he has them all.”
According to Elliott, Trojans (a Trojan is a virus that, once it gets into a computer, allows access to that computer from outside sources) and other viruses “are easy to deliver via the instant messaging client.”
Elliott notes that people may tend to trust instant messaging attachments more than they do e-mail, because the instant message is usually from someone they know and trust. Thus a hacker who has gained access to your friend's computer can assume your friend's cyber-identity and send malicious attachments to you at your business address.
Such risks are naturally of concern to those who issue business insurance, notes Philip Pierson, founder and manager of Swett & Crawford's cyber-insurance facility, e-Sher Underwriting Managers, Irvine, Calif., a wholesale brokerage owned by Aon.
“Studies say the prevalence of instant messaging is moving from personal to business usage,” says Pierson. “We're sure it will be utilized [in business settings] and we're sure it will be [a security] issue. Companies must protect themselves, specifically against a new breed of viruses and worms that target instant messaging applications.”
In response to this risk, Pierson says his company will now start asking potential insureds: “Is instant messaging in the game plan for your company? If so, how are you dealing with security?”
He adds that his company “won't isolate instant messaging when we underwrite,” but “we will look at overall plans for protecting their networks.”
Inadequate network protection from instant messaging vulnerability and other threats may also become a legal issue, says Elliott. “Weak security of a company may actually subject that company to a lawsuit where an attack is involved,” he explains. “The courts still have to decide [on such cases].”
Overall, says Pierson, “insurance companies have significant risks in computer security.” Part of the problem is “a lot of old legacy systems that have been built on over the years.” Because insurance regulations vary from state to state, carriers have needed “complex, cumbersome systems to pull data out and compile it,” he notes. “Old legacy systems with patches and add-ons breed serious security concerns.”
The best way for companies to fight such risks, according to Elliott, is to “deny [access to] everything – inbound and outbound – except mail and approved Web access.” Most IT departments, he points out, don't block outbound traffic, but once a machine opens an outbound port, the outside responder – perhaps an instant messaging “friend” – can send in something malicious.
Elliott also recommends active virus scanning on every machine within an organization. “This can stop [malicious] scripts, even if they get through to the machine.” Most companies don't employ 24-hours-a-day, 7-days-a-week virus scanning for cost reasons, he notes, but the prevalence of viruses and hackers “raises the bar” on potential losses from intrusions.
“A lot of hackers just want to use your servers and your bandwidth for their own purposes,” says Elliott. Those purposes may extend to scams and other illegal activities that could be launched from a company's computers without the company ever knowing.
Finding such cyber-criminals, Elliott adds, is difficult, because the link is to the invaded company's computers, not to the hacker's PC. “It's another hurdle for investigators to overcome.”
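As an added example, not from the article or from either of the firms quoted in it: a small Python audit that encodes Elliott's “deny everything except mail and approved Web access” rule as a default-deny egress policy and runs it over connection records of the kind a firewall logs. Run against real logs, it shows which workstations (including those of IT staff who have “gone around” the firewall) are still reaching instant-messaging services or the Web directly. The network layout, the addresses, the log-line format and the port-to-service labels are assumptions made for this example; the sample records are constructed.

```python
"""Audit outbound connection records against a default-deny egress policy.

Added example, not from the article. Everything below the imports is an
assumption for illustration: the network layout, the placeholder addresses
(RFC 5737 documentation ranges), the log format and the sample records.
"""
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional

# Assumed network layout: workstations live in LAN; the only two hosts they may
# reach outside it are the mail relay (SMTP) and the approved Web proxy.
LAN = ip_network("10.0.0.0/8")
MAIL_RELAY = ip_address("192.0.2.25")   # placeholder address of the mail relay
WEB_PROXY = ip_address("192.0.2.8")     # placeholder address of the Web proxy
PROXY_PORT = 3128

# Well-known client ports of the IM services of the period; used only to
# label a denied flow in the report so an operator sees what it probably was.
IM_PORTS = {5190: "AIM/ICQ", 1863: "MSN Messenger", 5050: "Yahoo Messenger"}

# Assumed log-line format, e.g.
# 2002-02-18T09:14:02 src=10.0.1.17 dst=203.0.113.50 proto=tcp dport=5190
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Optional[Flow]:
    """Return a Flow for a well-formed record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], m["src"], m["dst"], m["proto"].lower(), int(m["dport"]))


def is_allowed(flow: Flow) -> bool:
    """Default deny: only mail via the relay and Web via the proxy may leave the LAN."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src not in LAN or dst in LAN:
        return True  # not a LAN-to-outside flow; egress policy does not apply
    if dst == MAIL_RELAY and flow.proto == "tcp" and flow.dport == 25:
        return True
    if dst == WEB_PROXY and flow.proto == "tcp" and flow.dport == PROXY_PORT:
        return True
    return False  # everything else, inbound responders included, is denied


def classify(flow: Flow) -> str:
    """Label a denied flow by the service its destination port suggests."""
    return IM_PORTS.get(flow.dport, "unapproved egress")


def audit(lines: Iterable[str]) -> List[dict]:
    """Return one finding per record that the default-deny policy rejects."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None or is_allowed(flow):
            continue
        findings.append({"ts": flow.ts, "src": flow.src, "dst": flow.dst,
                         "dport": flow.dport, "label": classify(flow)})
    return findings


def hosts_by_violations(findings: List[dict]) -> Counter:
    """Count violations per workstation, the list an IT manager would act on."""
    return Counter(f["src"] for f in findings)


# Constructed sample records: proxy and relay use, two direct IM sessions,
# a direct Web fetch that bypasses the proxy, LAN-internal traffic, and noise.
SAMPLE_LOG = [
    "2002-02-18T09:14:02 src=10.0.1.17 dst=192.0.2.8 proto=tcp dport=3128",
    "2002-02-18T09:14:05 src=10.0.1.17 dst=203.0.113.50 proto=tcp dport=5190",
    "2002-02-18T09:15:11 src=10.0.1.42 dst=192.0.2.25 proto=tcp dport=25",
    "2002-02-18T09:15:40 src=10.0.1.42 dst=198.51.100.7 proto=tcp dport=80",
    "2002-02-18T09:16:03 src=10.0.1.17 dst=203.0.113.61 proto=tcp dport=1863",
    "2002-02-18T09:16:30 src=10.0.2.5 dst=10.0.1.17 proto=tcp dport=445",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']}  {f['label']}")
    print("violations per host:", dict(hosts_by_violations(results)))
```

The policy is deliberately written as an allow-list with `return False` at the end rather than as a block-list of IM ports: a block-list has to be updated for every new client, while the allow-list stays correct whatever an employee installs, which is the point of Elliott's recommendation.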
According to Elliott, “most companies are only paying lip service to security. Security is usually placed under IT, but the problem is that security may not be at the top of their priority list.”
Successfully addressing such risks, says Pierson, involves appointing a person to be completely in charge of information security. Companies must also develop a corporate policy with regard to network security.
With that in place, companies must also provide good physical security for their computing equipment and develop safety policies, such as requiring employees to turn off their computers when leaving the office. Computers that are left on, Pierson points out, represent easy access to the company's critical systems. “All it takes is the cleaning guy to go in there and start dancing in the system.”
Where a company maintains a Web site that is visited by customers and associates, it is also important to establish a strong DMZ (demilitarized zone, a middle ground between an organization’s trusted internal network and the outside world), says Pierson.
He adds that his firm looks at system configuration, as well as the presence of security tools, such as intrusion detection, 24-hour monitoring, and frequent updates on virus protection software. “Based on that,” he concludes, “we determine good risk.”
Reproduced from National Underwriter Life & Health/Financial Services Edition, February 18, 2002. Copyright 2002 by The National Underwriter Company in the serial publication. All rights reserved. Copyright in this article as an independent work may be held by the author.