More stringent measures are required to combat Instant Messaging security threats.
The main threats stem from the ease and speed with which infections can be passed on over IM. Reuters took its IM system down as soon as the presence of a new variant of the W32/Kelvir worm was identified, causing problems for all of the organization’s IM system users, but hopefully ensuring that only minimal damage will ensue.
The worrying thing from a security management perspective is that this was supposedly a secure enterprise-class financial IM system, providing a mature messaging service (in use since 2002) for the company’s users. Most organizations do not have this level of protection.
However, with the combined volume of IM and P2P traffic flows now exceeding that of e-mail for the first time, firmer action needs to be taken to prevent, or at least contain, the threat of future, cross-industry IM-driven virus and worm epidemics. IM and its derivatives should not be dismissed as just another range of communications channels that need to be regulated, as there is quite a complex set of operational and business issues that need to be addressed.
Organizations need to start understanding what providing appropriate IM services, and protection against IM misuse, really involves. Getting a grip on organizational use would be a good starting point, especially as the whole marketplace appears to be opening up alongside Microsoft and AOL’s latest interoperability initiatives. For Reuters, shutting down direct communications services to around 6,000 users for an unspecified period of time must have been a very difficult decision to make, and serves to highlight the potency of the threat to business services presented by the open nature of IM and P2P.
Regular usage of unauthorized IM services is far more widespread than most organizations believe. The provision of protection facilities lags way behind, and until the problem is properly addressed, organizations will be vulnerable to further security threats.
Source: OpinionWire by Butler Group (www.butlergroup.com)