It’s no surprise that instant messaging (IM) is gaining in popularity. The often-free communication feature lets people interact instantly, make decisions on the fly, and provide immediate contact, as opposed to the delays that can occur when using e-mail.

But what may be surprising, especially to today’s IT leaders, are the serious security issues posed by IM usage. Add that to the fact that most IM applications are used without corporate IT’s knowledge or approval, and it’s not a pretty picture for network security.

Popularity soaring
According to Jupiter Media Metrix, a New York City-based research firm, IM use has doubled in just two years. In September 1999, IM gobbled up 2.3 billion user minutes for the month. In September 2001, IM grabbed 4.9 billion user minutes.

“We’ve seen a rise in instant messaging use by individual departments where employees have taken matters into their own hands and set up informal IM groups to supplement our corporate e-mail system,” said William McGee, vice president of operations at a plastics manufacturing company in New Jersey. “All of this is being done without the IT department’s approval or oversight.”

McGee and his company are not alone. Gartner, Inc., a consulting and research firm based in Stamford, CT, predicts that 70 percent of enterprises will be using IM by 2003.

Such explosive growth, coupled with today’s ad hoc adoption approach, should have CIOs trembling in fear according to security experts, as IM opens up a company to many potential security and legal problems.

Potential for disaster is multipronged
Most commercial IM services use port 80, the port that carries most HTTP traffic. But, because port 80 is used for HTTP traffic, there is no good way to keep an eye on IM traffic alone. IM traffic can open up port 80 thousands to tens of thousands of times a day, which can significantly increase a company’s exposure to security breaches.

Messages exchanged using Yahoo, MSN, or AOL IM services are not usually scanned by enterprises for viruses or malicious programs. This means hackers can exploit this security lapse by sending attachments holding viruses, worms, and other malicious software. Any of these could then enter a corporate network undetected.

Identity theft is another security issue associated with IM. Anyone can set up an account at Yahoo, AOL, or MSN using any name. An unscrupulous person could, for example, set up an account taking the name of the head of a major company. No one would be able to know for sure if that person is who he or she claims to be.

While there have not been any major outbreaks due to IM hacking or infected files sent via IM (the main source continues to be e-mail), the potential threat of malicious activity still exists.

“The widespread adoption of instant messaging has made it a new conduit for the spread of malicious code,” said Pete Cafarchio, vice president of marketing at security software vendor PestPatrol, Inc., based in Carlisle, PA.

Cafarchio recommends that users only share files with trusted and known sources and that they scan all files for pests and viruses.

Help on the way
To help reduce an enterprise’s exposure to security and legal risks, messaging outsourcing provider United Messaging, Inc., based in Malvern, PA, will launch Enterprise Instant Messaging (EIM) this January. EIM is a new managed service aimed at securing IM within the corporate enterprise.

Because EIM uses specific ports for its service, and not port 80, it is easier to monitor IM traffic in and out of a corporation. The service lets network admins save all IM “conversations” as a text file. This feature could come in handy if the corporation is working under specific industry regulations.

For instance, the National Association of Securities Dealers, Inc., and the Securities and Exchange Commission mandate that e-mail and IM traffic must be monitored and archived by companies. If employees use IM on their own, without company approval, the IM communications could be considered a securities violation.

The EIM service avoids possible identity theft by linking IM accounts to existing e-mail accounts. Specifically, EIM uses Lightweight Directory Access Protocol (LDAP) to tie into a corporate directory for authentication purposes.

Additionally, the service encrypts communications between the corporate site and United Messaging’s hosting centers. And although this may not seem like a big deal, this encryption is quite critical, as many companies fail to realize the vast exposure inherent in electronic eavesdropping.

In standard internal corporate e-mail systems, the traffic carrying messages between employees is housed on a corporate network and afforded some privacy because the network is protected by a firewall. But this scenario does not apply to IM communications.

Even if two people are working in adjacent offices, IM traffic between the two first traverses the firewall, then travels over the Internet to the IM provider’s server. At that point, the IM provider’s server then forwards the message back over the Internet to the recipient. All of this communication is done in clear text (meaning it is not encrypted). So a hacker listening in on traffic to and from a corporation can potentially read everything messaged between employees. The EIM encryption feature ensures that IM traffic has a higher level of confidentiality.

Interested in EIM?
EIM is currently being offered in limited trials and will be widely available in January 2002. Pricing is $30 per user per year.

How prevalent is IM in your enterprise?

What, if any, guidelines or rules have you established to make IM as secure as possible for your network? Share your experience and insight with fellow TechRepublic members by starting a discussion below.