So many sinister IM buddies and so little time

As IT administrators struggle to control instant-messaging use among employees, new research shows IM-based malcode getting smarter and more pervasive.

As senior network manager of a large Maryland-based DNA-testing company, Adam Plummer has several reasons to worry about the popularity of instant messaging (IM) among employees. People are using a mix of programs that include AOL, MSN and Yahoo. The bigger the mix, the tougher it is to control the programs from within the IT shop. Then there's the prospect of people trading sensitive files with the outside world using a program few consider secure.

The company's main product is a DNA-based test for the human papilloma virus, often the precursor to cervical cancer. The test could eventually replace the Pap smear, and the damage would be incalculable if competitors were ever able to access the product data. The company must also adhere to regulations from the Food and Drug Administration, among others.

While he sees IM as a potential threat to data integrity, Plummer has no plans to ban it. It's too late, anyway.

"It's too integrated into the culture now," he said. "So many people are using it, including our executives. We're not trying to take things away, but we want to be able to control and secure these programs. We're an enterprise now, not a mom-and-pop store. There's data we don't want competitors to get their hands on. We have four patents and that's what floats this company."

While Plummer is at least able to filter traffic to and from the outside, his continued uneasiness is justified, if new research from San Diego-based Akonix Systems is any indication. The security vendor's research lab tracks IM-based threats on a monthly basis and has seen attacks blossom at a breathtaking pace this year. The August numbers actually show a 33% dip in attacks from the previous month. But Akonix CTO Francis Costello said that figure can be deceiving when you look at the big picture.

"In all of 2004 we saw only a handful of unique IM threats," he said. "So far this year we've seen hundreds of them. The Kelvir worm alone has had over 100 mutations since February and Kelvir-HI was able to spread in different languages. In July we saw the Rants worm, which has the ability to attack through both AIM and MSN. And with the increase in numbers, the social engineering is improving."

As IM malcode grows smarter, Costello also sees the potential for attacks designed to shut down IM content filters, just as some worms are able to disable antivirus software.

New and improved malcode

Akonix logged 28 IM network attacks in August, down from the 42 attacks recorded in July. But August also saw the arrival of several new viruses on top of the multiple variants already in the wild. New viruses included Pinch, Aolog, Guap, Rbot-AJS, and Landis. Older worms like Kelvir and Chode continued to reinvent themselves with new messages and malicious URL links, Akonix found. August also marked the first time a virus -- Kelvir-HI -- queried the configuration of the client software to determine the language setting, then sent a message in the language of that client. Languages used by the worm included English, Dutch, French, German, Greek [English alphabet], Italian, Portuguese, Swedish, Spanish and Turkish.

Despite the dip in August, Costello said month-by-month research still points to a significant increase in the number of IM threats over the year before. But for him, the more troubling piece of the picture is the growing cleverness of worms like Kelvir-HI.

"Last month we saw a new phase in the quality of the social engineering," he said. The social engineering that goes into e-mail-based attacks is also easier to recognize, so the damage tends to be more limited, he said. "With e-mail, users are instinctively suspicious of messages asking them to click on links or download files. But IM viruses are sent to that IM user's buddies and as a consequence the IM user believes the message and link is from a trusted source." This type of social engineering, combined with the real-time nature of IM, means a quicker spread across the targeted IM network, Costello said.

More data is available at the Akonix Security Center.

If you can't stop IM, control it

Even with these threats, Plummer thinks it'll be an uphill battle to control IM use in his company. He likens the challenge to when he had to make employees use more complex passwords. "There were lots of groans about having passwords that were more than six characters," he said. "No more using three consecutive letters from your name and you have to change the password every 45 days."

More groans are sure to follow if he gets the green light to only support one IM program. "We'll probably try to mandate that people only use one IM service for business purposes," Plummer said. "I'm pretty much set on MSN Instant Messenger. AOL is impossible to talk to and Yahoo has a lot of garbage bundled with it. MSN is already in the DOS. We wouldn't have to install any extra garbage. And Microsoft is at least making an effort to improve security."

While he knows he can't take away the other programs people are using, he said, "We can refuse to support everything but MSN."

Things that help

For now, Plummer uses Websense to block files coming in via IM and peer-to-peer (P2P) networks. He uses McAfee IntruShield as well.

"Using Websense, we allow internal file transfers through IM but no file transfers to and from the outside," he said. "We're still grappling with if we even want inside file transfers through IM. But for now, the internal part is easier to manage."

The other big piece to consider is how to log IM activity, he said. After all, keeping activity logs is a vital part of regulatory compliance. "IMlogic, Facetime and Akonix are among those who do offer products for this task, but it's a matter of weighing whose devices best suit our needs," Plummer said.
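Two of the points above lend themselves to a concrete check: the propagation pattern Costello describes (one account pushing the same link to many buddies in a short window) and the transfer policy Plummer describes (internal file transfers allowed, anything crossing the company boundary blocked). The script below is an added example, not code from the article, Akonix or Websense; it runs both checks over a constructed IM gateway log. The log format (`time|event|sender|recipient|payload`), the field names and the company domain `example.test` are assumptions.

```python
"""Added example (not from the article or any vendor named in it): two defender-side
checks over constructed IM gateway log lines.

1. A burst detector for one account sending the same URL to many buddies within a
   short window, the spread pattern the article attributes to IM worms.
2. A file-transfer policy: internal-to-internal allowed, any transfer that crosses
   the company boundary blocked.

The log format, field names and the domain 'example.test' are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.test"  # assumed company IM domain

# Constructed sample log: time|event|sender|recipient|payload
SAMPLE_LOG = """\
2005-08-12T09:00:01|msg|alice@example.test|bob@example.test|hi, lunch?
2005-08-12T09:00:05|msg|carol@example.test|bob@example.test|http://bad.invalid/pic.php
2005-08-12T09:00:06|msg|carol@example.test|dave@example.test|http://bad.invalid/pic.php
2005-08-12T09:00:07|msg|carol@example.test|erin@example.test|http://bad.invalid/pic.php
2005-08-12T09:00:08|msg|carol@example.test|frank@example.test|http://bad.invalid/pic.php
2005-08-12T09:00:09|msg|carol@example.test|grace@example.test|http://bad.invalid/pic.php
2005-08-12T09:05:00|msg|alice@example.test|bob@example.test|http://intranet.example.test/wiki
2005-08-12T09:06:00|file|alice@example.test|bob@example.test|report.pdf
2005-08-12T09:07:00|file|alice@example.test|mallory@outside.invalid|patents.zip
2005-08-12T09:08:00|file|mallory@outside.invalid|bob@example.test|funny.scr
"""


def parse_log(text):
    """Parse the assumed pipe-separated format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, sender, recipient, payload = line.split("|", 4)
        events.append({"time": datetime.fromisoformat(ts), "kind": kind,
                       "sender": sender, "recipient": recipient, "payload": payload})
    return events


def extract_url(text):
    """Return the first http(s) token in a message body, or None."""
    for token in text.split():
        if token.startswith(("http://", "https://")):
            return token
    return None


def find_link_bursts(events, window=timedelta(seconds=60), min_recipients=5):
    """Return {(sender, url): recipient_count} for every sender that pushed one URL
    to at least `min_recipients` distinct buddies within `window`."""
    per_key = defaultdict(list)  # (sender, url) -> [(time, recipient), ...]
    for ev in events:
        if ev["kind"] != "msg":
            continue
        url = extract_url(ev["payload"])
        if url is None:
            continue
        per_key[(ev["sender"], url)].append((ev["time"], ev["recipient"]))

    bursts = {}
    for key, hits in per_key.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):  # sliding window over time-sorted hits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {recipient for _, recipient in hits[start:end + 1]}
            if len(distinct) >= min_recipients:
                bursts[key] = max(bursts.get(key, 0), len(distinct))
    return bursts


def is_internal(address):
    """True when the address belongs to the assumed company domain."""
    return address.rsplit("@", 1)[-1].lower() == INTERNAL_DOMAIN


def file_transfer_decision(event):
    """'allow' only when both ends are internal; every other transfer is 'block'."""
    if event["kind"] != "file":
        return "n/a"
    if is_internal(event["sender"]) and is_internal(event["recipient"]):
        return "allow"
    return "block"


def audit(text):
    """Run both checks over a log and return the findings."""
    events = parse_log(text)
    return {
        "bursts": find_link_bursts(events),
        "file_decisions": [(e["sender"], e["recipient"], e["payload"],
                            file_transfer_decision(e))
                           for e in events if e["kind"] == "file"],
    }


if __name__ == "__main__":
    for key, count in audit(SAMPLE_LOG)["bursts"].items():
        print("link burst:", key, "->", count, "buddies")
    for decision in audit(SAMPLE_LOG)["file_decisions"]:
        print("file transfer:", decision)
```

In the constructed log only `carol` trips the burst rule (five distinct buddies in four seconds, the same link each time), while `alice` sending one intranet link to one buddy does not. The policy check allows the internal `report.pdf` transfer and blocks both transfers that involve the outside address, in either direction. Thresholds are assumptions to be tuned against a site's own logs; a gateway log that already records sender, recipient and payload is also what makes the compliance logging mentioned above possible.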

The IT department is already debating these matters, and soon the solution they propose will be considered by a change advisory board. In the end, though, executive support will be vital to any plan they adopt.

"Whenever something changes the company culture, you need executive buy-in," he said.

This article originally appeared on SearchSecurity.com
