INSTANT MESSAGING POSES NEW RISKS

America Online’s Instant Messenger isn’t just a teenage pastime. It has become enough a part of today’s office culture that the FDIC has issued warnings about its use. This article covers how instant messaging (IM) applications work, the FDIC’s recent recommendations, and methods for protecting your institution.

Instant messenger applications closely mirror conversation with near instant feedback, enabling employees to maintain contact with multiple co-workers while performing other tasks.

Behind the scenes, each IM application connects the user to a separate instant messaging network on the Internet. There the user’s IM interactions are unbounded and unprotected, regardless of your institution’s restrictions on Internet usage.

What Can Happen

Features of IM applications work against financial institutions in many ways. Here are the major audit concerns:

  • Limited authentication. IM users can’t be sure who is responding to their messages.

  • No centralized ‘buddy list’ to control members and message transmissions. This places financial institutions, which must prevent sensitive information from falling into unauthorized hands, at risk.

  • Marginal message encryption. IM messages can be read by anyone “listening.” Current secure messaging features on major IM networks are neither required nor automatic, and few users bother.

  • Insecure file transfer. File transfers are almost never encrypted, once again opening confidential information to any competent hacker. IM file transfers bypass all firewall or web filtering restrictions on content, opening an unmonitored ‘back door’ for viruses to infect your network.

  • Insecure IM applications. Recent vulnerabilities allow remote attackers to take over a PC running AOL’s Instant Messenger, even if it’s behind a firewall!

Because IM networks are owned by third parties, your institution has no control over their structure or use. Their design emphasizes ease-of-use over security, leaving IM applications open to security issues, just like web browsers.

In fairness, alternatives to the popular IM networks do exist. Unfortunately, the alternatives can cost more than $10,000 and may require expert implementation. The popular IM applications are free.

FDIC Recommendations

The FDIC recently took the unusual step of recommending specific technical measures to block IM traffic. The following describes how your institution can implement the FDIC’s seven recommended practices:

Require employees to acknowledge receipt of a policy restricting public IM usage. 

Clearly stated policies effectively deter most employees who contemplate IM usage. Of course, bureaucratic solutions don’t deter everyone. Reliable technical measures further limit your institution’s exposure should employees ignore your policies. These measures are discussed below.

Consider implementing an intrusion detection system to identify IM traffic. Assess the need for other IM security products.

Managed network security providers such as COCC have implemented comprehensive intrusion detection systems (IDS) on their Internet networks. The IDS watches all traffic crossing the network and sends real-time alerts to network and security staff, who can immediately notify the institution of policy violations.

Create rules to block IM delivery.

Your firewall administrator or service provider should implement firewall rules to block access to known IM applications. Web filtering techniques should also be used to block access to common IM websites, preventing users from downloading banned applications.

Blocking known firewall “ports” isn’t enough. For example, if AOL’s IM detects that its standard communications port has been blocked, it will automatically seek alternate ports until it finds one that works. Here’s how this ‘tunneling’ behavior can be stopped:

  1. Configure your firewall to block all Internet access other than known services.

  2. Block access to Internet servers associated with IM traffic.

  3. Use a web filtering server to create a ‘tunneling’ block list. While this is not a perfect solution, it reduces the chance of connection to the outside.
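The IDS recommendation above and the port-hopping behaviour described in these steps both come down to the same point: IM traffic has to be recognized by its content, not by the port it uses. The following Python detector, an added example that is not from the article or from COCC, checks TCP payloads for the FLAP framing used by AOL’s OSCAR protocol (a 0x2A marker byte, a channel, a sequence number and a length), so a login frame is flagged whether it arrives on the standard port 5190 or on an alternate one; the hosts, addresses and payloads are constructed sample data, not a real capture.

```python
import struct

FLAP_MARKER = 0x2A          # every OSCAR FLAP frame starts with this byte
FLAP_HEADER_LEN = 6         # marker(1) + channel(1) + sequence(2) + length(2)
FLAP_CHANNELS = {1: "new connection", 2: "SNAC data", 3: "error",
                 4: "close connection", 5: "keep-alive"}


def parse_flap_frames(payload: bytes) -> list:
    """Split a TCP payload into (channel, seq, data) FLAP frames.
    Returns [] as soon as the bytes stop looking like a FLAP stream
    (bad marker, unknown channel, or truncated frame)."""
    frames, offset = [], 0
    while offset + FLAP_HEADER_LEN <= len(payload):
        marker, channel, seq, length = struct.unpack(
            "!BBHH", payload[offset:offset + FLAP_HEADER_LEN])
        if marker != FLAP_MARKER or channel not in FLAP_CHANNELS:
            return []
        data = payload[offset + FLAP_HEADER_LEN:offset + FLAP_HEADER_LEN + length]
        if len(data) != length:       # truncated frame: not a clean FLAP stream
            return []
        frames.append((channel, seq, data))
        offset += FLAP_HEADER_LEN + length
    return frames if offset == len(payload) else []


def looks_like_oscar(payload: bytes) -> bool:
    """A genuine OSCAR session opens with a channel-1 frame whose data
    begins with the 4-byte protocol version 0x00000001."""
    frames = parse_flap_frames(payload)
    return bool(frames) and frames[0][0] == 1 and frames[0][2][:4] == b"\x00\x00\x00\x01"


def flag_im_sessions(sessions) -> list:
    """sessions: iterable of (src, dst, dst_port, first_payload).
    Alerts on OSCAR traffic regardless of destination port."""
    return [f"OSCAR/AIM session {src} -> {dst}:{port}"
            for src, dst, port, payload in sessions if looks_like_oscar(payload)]


# Constructed sample traffic: the same login frame on the standard port 5190 and
# again after the client hops to port 443, plus an HTTP request that must not alert.
LOGIN_FRAME = b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01"
SAMPLE_SESSIONS = [
    ("10.0.0.5", "login.oscar.example", 5190, LOGIN_FRAME),
    ("10.0.0.5", "login.oscar.example", 443, LOGIN_FRAME),
    ("10.0.0.6", "www.example.com", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in flag_im_sessions(SAMPLE_SESSIONS):
        print(alert)
```

Running the block reports both OSCAR sessions, including the one on port 443, while the web request stays silent; this is the kind of content signature an IDS applies where a port-based firewall rule alone would miss the alternate port.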

Consider blocking specific IM vendors.

As described above, firewall policies and web filtering are highly successful in blocking access to IM applications.

Ensure a strong virus protection program.

Install a full virus scanning solution for all incoming and outgoing emails on your network. Your institution should also run virus protection software on every desktop and update it daily.

Ensure a strong patch (software update) management program.

A patch management program helps you respond quickly to critical security updates, and is recommended by the FDIC. Automated patching services such as Microsoft SUS can help you manage the patch levels on all of your workstations and servers.

Include the vulnerabilities of public IM in information security awareness training.

For more information on these topics please see the following links:

http://www.fdic.gov/news/news/financial/2004/fil8404a.html

http://securityresponse.symantec.com/avcenter/reference/malicious.threats.instant.messaging.pdf

When used in combination, these options will provide a thorough defense against the threats posed by Instant Messenger applications.
