This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
IM applications have rapidly become accepted by businesses as viable employee communications tools. IM is more instant than email, obviously easy-to-use, and provides the real-time collaboration organizations need to ensure quick judgments and decisions.
Using Instant Messaging (IM), organizations and their business partners can make a conference and share files and information easily over the Internet. Furthermore, within the organization, IM conversations among project team members can resolve issues and questions in an instant—something that might have taken a series of emails, telephone calls, or face-to-face meetings to carry out. IM can be used to provide immediate replies to requests. It can also help promote personal relationships with customers and remote employees, and assist customers in completing transactions with Web-based businesses.
Nowadays, Instant messaging (IM) is used in the corporate environment which is rising rapidly, as organizations welcome to accept IM as a business communications tool. IM promotes cooperation and real-time communication among employees, business partners, and customers. It also brings new threats to local area network security and makes organizations to have a potential risks when employees share illegal or inappropriate content over the internet.
Organizations are also faced with reduced employee productivity when IM is used arbitrarily and for personal communications. When use of IM is unmonitored and uncontrolled, it can lead to a significant drain on IT resources, as the IT staff attempt to identify which IM applications are being used and by whom. Moreover, when instant messaging is used to send and receive files, not only can the resulting drain on bandwidth negatively impact network performance, but the files themselves can pose a serious security threat. This report is shown the concern of security of IM and gives some countermeasure to deal with these threats.
This report provides information to better understand threats of IM and mitigate its impact to business. The threats of IM are investigated. The trend in growing targets and number of cases are related to IM threats are analyzed. The impacts to business are assessed to identify areas of security management require great concern. Finally, measures are introduced to improve security management such that IM threats become manageable and their impact is reduced.
2. Findings and Analysis
2.1 What threats are related to Instant Messaging?
A worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes and it may do without any user participation. In case of instant messaging, antivirus software does not currently monitor traffic at OSI Model-network layer. If a worm starts to spread via instant messaging, it cannot be stopped before it reached the remote's computer. Dissimilar a virus, it does not need to attach itself to an existing application or program. Worm almost always causes damage to the network when it drains the network bandwidth, on the contrary, almost always corrupt or modify files on a targeted computer.
The number of instant messaging worms is rising steadily. This is made clear when one considers the list of recent IM worms:
- dubbed Pykse.A (16 April 2007)
- W32/Rbot-GRS (26 June 2007)
However, a few antivirus applications can plug in to instant messaging clients for scanning files when they are received. The lack of applications scanning instant messaging network traffic is partly due to the difficulty in monitoring instant messaging traffic so that the antivirus product running at the desktop level can catch the worms on the OSI Model-application layer.
- Backdoor Trojan Horses
Instant messaging clients allow peer-to-peer file sharing, the instant messaging client to share all files on the system with full access to everyone can be configured by a Trojan Horse and in this way gain backdoor access to the computer. Moreover, the victim computer is on-line; a notification will be send to hacker automatically. So hacker can keeps track and accesses the infected computer easily. Besides, the hacker does not need to open new suspicious ports for communication in that hacker can instead use already open instant messaging ports.
Classic backdoor trojans open an outgoing listening port on the computer, forming a connection with a remote machine. If the trojan operates via the instant messaging client, it does not open a new port. as the user has usually already created an allow rule for instant messaging traffic to be outbound from their machine, therefore, allowing the backdoor trojan horse using the same channel to go unblocked.
- Hijacking and Impersonation
Users can be impersonated in many different ways by hacker. The most frequently used attack is solely stealing the account information of an unsuspecting user using the instant messaging or IRC application.
Hacker can execute a password-stealing trojan horse to obtain the account information of a user. If the password for the instant messaging client is saved on the computer, the hacker could send a trojan to an unsuspecting user. When trojan executed, it would find the password for the instant messaging account used by the victim and send it back to the hacker.
- Denial of Service
Instant messaging may make a user's computer vulnerable to denial of service (DoS) attacks. These attacks may have different outcomes: some DoS attacks make the instant messaging client crash; others will make the client hang, and in some cases consume a large amount of CPU power, causing the entire computer to become unstable.
There are many ways in which a hacker can cause a denial of service on an instant messenger client. They can be used in combination with other attacks, such as the hijacking of a connection and form a Bot network to attack other systems or servers.
- Unauthorized Disclosure of Information
Information disclosure could occur without the use of a trojan horse. Once the data that is being transmitted via the instant messaging network is not encrypted, a network sniffer can sniff data on most types of networks and can be used to capture the instant messaging traffic. Also, a hacker could sniff the packets from an entire instant messaging session. It can be very dangerous as hacker may gain access to privileged information. It is especially dangerous in the corporate environment in that confidential information may be transmitted along the instant messaging network.
2.2 Recent Incidents
Case 1: New IM worm targets Skype users
Affected: The IM worm affects Skype users running Windows.
Threat Type: Worm
Description: ‘A new instant-messaging pest that spreads using the chat feature in Skype has surfaced, security firm F-Secure warned. The worm, dubbed Pykse.A, is similar to threats that affect instant-messaging applications. A targeted Skype user will receive a chat message with text and a Web link that looks like it goes to a JPEG file on a Web site, F-Secure said on its Web site. Clicking the link will redirect the user to a malicious file. The file, after executing, will send a malicious link to all online contacts in a Skype user's list and will show a picture of a scantily clad woman, F-Secure said. In addition, it sets the user's Skype status message to "Do Not Disturb," the security firm said. Pykse also visits a number of Web sites that don't host any malicious code and a site that appears to count infected machines, F-Secure said. The Finnish security company doesn't list any particular malicious payload for Pykse other than it spreading and visiting Web sites.'
Status: Skype also recommends using antivirus software to check the files received from other people.
Case 2: Next-generation Skype Trojan hits web
Affected: Warezov Trojan horse to target Skype users
Threat Type: Trohan Horse
Description: ‘Miscreants have again adapted the Warezov Trojan horse to target Skype users . The attack is similar to threats that target instant-messaging applications. A targeted Skype user will receive a chat message with the text "Check up this" and a link to a malicious executable called file_01.exe on a website. Once infected, a computer will be at the beck and call of the attacker and the Trojan horse will start sending messages to the victim's Skype contacts to propagate.'
Status: Skype warned users against opening the malicious file, take caution in general when opening attachments, and also recommends using antivirus software to check incoming files.
Case 3: AIM bot creates "fight combos" to spread
Affected: Online attackers have created an instant-messaging bot program for AOL instant messaging that chains together a number of executable files, similar to the combination moves in fight games.
Threat type: Worm and Bot
Description: ‘The software, dubbed the AIM Pipeline worm, uses modular executable files to infect machines with different functionality but also to make the bot network's growth more robust: if a Web site hosting one of the components gets shutdown, the other pieces of the worm can still spread.'
Status: America Online has blocked the URLs used in the messages sent by the AIM Pipeline worm
- Increase in IM threats
There are two reports shown the trend of instant messaging threats are as below:
- ‘Research also indicates that there are more targets affected by IM threats' (SANS Institute 2006)
- ‘IM Security Center researchers tracked 33 malicious code attacks over IM networks during the month of September, bringing the 2007 total to 297. This is a 20% increase in IM threats compared with the same time period last year.' (SAN DIEGO -- Akonix Systems, Inc)
- New type of IM virus
‘New IM worms identified include Agent-GCG, Ataxbot, Exploit-VcardGadget, Focelto, MSNFunny, IMBot, MsnSend, MSN-WhoBlocked, Neeris, Pykse, Skipi, STRATION and Yalove. IRCBot was the most common with four variants, followed by Imaut and Neeris with two, respectively. Akonix tracked 16 attacks on P2P networks, such as Kazaa and eDonkey' (SAN DIEGO -- Akonix Systems, Inc)
- Evolution of IM threats
According to Microsoft report, ‘Microsoft labeled bot nets and backdoor Trojan horses as the most serious threat its users face. They can through the vulnerabilities of IM - file sharing for spread of virus to other computers. Bots generally are programmed to allow for easily adding new ways of compromising machines, such as the recent flaw in the Windows Server service. Recognizing the threat, law enforcement officials have increasingly focused on tracking down the people who create and spread bot software, such as the writer of the Zotob worm and a man whose bot software caused malfunctions at a Seattle-area hospital.'
2.4 Factors for growth of IM threats
The growth of Instant messaging usage within the organization, vulnerabilities in public IM networks occur during the process of transferring files. When a user transfers files or uses other IM features like file sharing or voice chat, user's IP address is revealed. Using this IP address, hackers can have ability to attack the system. Some organizations configure their firewalls to block ports used by IM applications or block the external addresses of IM network servers. But IM applications can be configured to change ports automatically and are capable of penetrating firewalls through ports used by other applications. (For example: port 80). So policy control management is required.
3. Impact to Business
Once the IM threats occur in the organizations, Organizations face a significant security risk from disclosure of intellectual property or business-critical information using IM's file attachment capability. As IM is a highly informal means of communication, employees can unintentionally send critical company-confidential information, such as product specifications, code, and blueprints, or private customer data, to friends, colleagues, and competitors.
There are four main concerns of using the IM which are identified as below:
- Legal Liability concerns
The danger of allowing employees to use IM at work under the lack of security management, it is very easy to exposure to viruses and worms. On the other hand, organizations face legal and compliance risks when employees share copyrighted, illegal, or inappropriate content via instant messaging. Unmonitored IM applications allow employees to openly transfer files and information that could lead to significant corporate liability. For example, transferring copyrighted MP3 files, movies, and software using IM is common among friends and bypasses the file size restrictions of email.
- Employee productivity loss
Many employees have adopted IM as their preferred means of personal communications with friends and family, because it is not as obvious as using the telephone and conversations cannot be overheard. Employees can appear to be working, typing away at their keyboards, all the while exchanging personal communications with friends and family.
- IT resource abuse
Most organizations have no idea which IM clients are installed on desktops, which employees are using IM, or how often. Nor do they know how employees are using IM—to communicate for business, to communicate for personal use, or to send or receive files, applications, videos, etc. Unsanctioned IM applications can increase the support costs of employee desktops since they are not centrally managed. In addition, it is not uncommon for intensive file sharing via IM applications to negatively impact network performance, resulting in poor performance of business applications.
4. Dealing with IM threats
The security management can be improved in area of prevention, detection, incident response and controls to deal with IM threats.
- Ensure that vendor patches are promptly applied to instant messaging software, interrelated applications, and the underlying operating system.
- Create secure communications paths when using instant messaging with trusted business partners
- Do not rely on external IM servers for internal use of instant messaging;Provide a commercial grade IM proxy or internal IM server.
- Monitor using an Intrusion Detection/Prevention system for users creating tunnels for IM or bypassing proxies. Live Communications Server
- Employ antivirus and antispyware products.
- Filter all http traffic through an authenticating proxy server to provide additional capabilities of filtering/monitoring instant messaging traffic.
- Appropriately configure intrusion detection/prevention systems. Understand that many instant messaging applications are capable of enabling associated communications to masquerade as otherwise legitimate traffic (e.g. http).
- Some product like as Trend Micro IM Security for Microsoft Office and Symantec IM Manager 2007 seamlessly manages can be used for mitigation of the potential risks associated in that they acts a filter and detector between internal and external.
4.3 Incident Response
- Block popular instant messaging ports.
- Block access to known public instant messaging servers that have not been explicitly authorized. (Note: Offers only partial protection due to the number of potential external servers.)
- Consider deploying products specifically designed for instant messaging security.
4.4 Management & Policy Controls
- Establish policies for acceptable use of instant messaging and ensure that all users are aware of those policies and clearly understand the potential risks.
- Standard users should not be permitted to install software. Restrict Administrative and Power User level privileges to support personnel acting in their support capacity. If a user must have Administrative or Power User privileges, create a separate account to be used for his/her daily office functions, internet surfing and on-line communication.
Instant messaging has clearly taken off as a means of communication. The ability to communicate in real-time makes it an ideal medium for both business and personal communication. Unfortunately, threats that affect instant messaging already exist today, including worms and vulnerabilities that can give hackers remote access to vulnerable computers and can replicate in seconds can affect more than just instant messaging.
Therefore, end users and corporations should employ basic security countermeasure.
However, update the patch of product can mitigate the occurrence of threats, but these measures are not enough to prevent the network security. Corporations should have other measures for security such as prevention, detection and incident response. Furthermore, management controls are available to less the impact of IM threats. Once these measures get implement, IM threats must become management as a result of reducing the damage of business.
- Michael E. Whitman and Herbert J. Mattord (2004), Management of Information Security, Boston, Mass.; London: Thomson/Course Technology
- Joris Evers (2007) New IM worm targets Skype users on CNET, [Online], Available: http://www.zdnet.com.au/news/security/soa/New-IM-worm-targets-Skype-users/0,130061744,339274904,00.htm (17 Apr 2007)
- Joris Evers (2007) Next-generation Skype Trojan hits web on Silicon, [Online], Available: http://software.silicon.com/malware/0,3800003100,39166534,00.htm (26 Mar 2007)
- (2006) AIM bot creates "fight combos" to spread, [Online], Available: http://www.securityfocus.com/brief/305 (18 Sep 2006)
- San Diego (2007) Akonix Intros IM Security Appliance on Dark Reading, [Online], Available: http://www.darkreading.com/document.asp?doc_id=125041&WT.svl=wire_2
(29 MAY, 2007)
- San Diego (2007) Akonix's Threat Center tracks 33 IM attacks , [Online], Available: http://www.darkreading.com/document.asp?doc_id=135045
(28 Sep 2007)
- SANS Institute (2006) SANS Top-20 Internet Security Attack Targets [Online], Available: http://www.sans.org/top20/ (15 Nov 2006)
- Symantec (2006) Protect Your Business from Instant Messaging Threats [Online], Available: http://www.symantec.com/business/library/article.jsp?aid=instant_messaging_threats (11 Jul 2006)
- Symantec (2007) Internet Security Threat Report 2007 [Online],
Avalable: http://tc.imlogic.com/threatcenterportal/pubIframe.aspx (13 Jun 2007)