Guidance on Instant Messaging
This guidance identifies risks associated with public Internet instant messaging (IM) [1] and how they can be mitigated through an effective management program. Public IM may be used by employees both officially and unofficially in work environments. The use of public IM may expose financial institutions to security, privacy and legal liability risks, the legal liability arising from the ability to download copyrighted files. Technology vendors have released IM products for corporate use that authenticate, encrypt, audit, log and monitor IM communication. These new corporate enterprise products help financial institutions use IM technology in a more secure environment and assist in compliance with applicable laws and regulations.
Background
IM originated as a free software download for consumers in 1996. The technology provides the ability to chat on-line, as well as to share files. Public IM was not originally developed for commercial use and lacks standard security features. IM has become a popular communication channel because this software is free, easy to install and easy to use. If software is not permitted to be downloaded in a work environment, IM can still be accessed by sending messages directly from a Web browser, such as Microsoft’s Internet Explorer. Employees restricted by slow home dial-up connections may take advantage of faster networks at work to access public IM and share and download files. (See Technical Note 1: IM Types.)
Risk-Management Considerations
Viruses
The lack of built-in security, the ability to download files and the built-in “buddy list” of recipients create an environment in which viruses and worms can spread quickly. This threat poses additional risks to the workplace network because public IM traffic does not pass through a central server where traditional corporate anti-virus software is located. Instant messaging virus protection should include network, desktop and laptop solutions to handle both IM methods of delivery (Server Broker and Server Proxy). Since effective virus protection specifically for IM is still being developed, senior management will need a comprehensive anti-virus program to detect the many blended threats that currently exist with the technology.
Privacy
Public IM transmits unencrypted information, so it should never be used for sensitive or confidential information. The information is on the Internet and may be accessed by anyone. In addition, file-sharing exposes the user’s Internet protocol (IP) address and increases the risk that unauthorized parties could gain access to the computer.
Hijacking
Information received by IM is not authenticated. There is no way to verify that a message really originated from the sender with whom the recipient believes he or she is communicating during the session. Chat sessions can be hijacked and users can be impersonated.
Firewalls
Firewalls should be configured to block incoming and outgoing public IM traffic. Senior management should also consider blocking known Web sites that broadcast nuisance material. This can be difficult to manage because Internet names and addresses may change, and senior management may have legitimate business reasons for allowing some of this activity. (See Technical Note 2: Firewalls and Router Considerations.)
Intrusion Detection Systems (IDS)
An institution’s information security program should address preventing, detecting and responding to threats. Institutions should consider the use of IDS to detect the unauthorized use of IM. [2] Intrusion detection software installed on primary computer systems actively searches for and monitors Internet traffic.
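The firewall and IDS controls described above both come down to recognizing public IM traffic in network logs. The following is an added example, not part of the FDIC guidance, of the detection logic an institution could run over firewall or proxy logs. It assumes a constructed, simplified log line format and uses an illustrative (not authoritative) table of IM client ports and hostnames; the hostnames and destination addresses are constructed. The point it makes beyond the text is that port-based rules catch native IM clients, while browser-based IM (described in the Background section) arrives on ordinary Web ports and can only be spotted by the destination hostname a proxy records.

```python
"""Flag public IM traffic in firewall/proxy logs (added example, not FDIC code).

Assumed log line format (constructed for this example):
    <timestamp> <src-ip> -> <dst-ip>:<port> <proto> [host=<hostname>]
The host= field is present only when a Web proxy recorded the destination name.
"""
import re
from collections import Counter

# Client ports historically used by the major public IM networks.
# Illustrative only; an institution should maintain this table from vendor documentation.
IM_PORTS = {
    5190: "AOL Instant Messenger (OSCAR)",
    1863: "MSN Messenger",
    5050: "Yahoo Messenger",
    5222: "Jabber/XMPP",
}

# Hostname suffixes for browser-based IM, which uses ports 80/443 and so escapes
# port-based blocking. These names are constructed placeholders, not real services.
IM_HOST_SUFFIXES = [
    ("webmessenger.example-im.test", "browser-based IM (constructed host)"),
    ("chat.example-portal.test", "browser-based IM (constructed host)"),
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+"
    r"(?P<proto>tcp|udp)(?:\s+host=(?P<host>\S+))?\s*$"
)


def parse(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["port"] = int(event["port"])
    event["host"] = (event["host"] or "").lower()
    return event


def classify(event):
    """Return (reason, service) when the event looks like IM traffic, else None.

    'port' hits come from native IM clients; 'host' hits come from browser-based
    IM that a proxy logged by destination name on a normal Web port.
    """
    if event is None:
        return None
    if event["port"] in IM_PORTS:
        return ("port", IM_PORTS[event["port"]])
    for suffix, service in IM_HOST_SUFFIXES:
        if event["host"] == suffix or event["host"].endswith("." + suffix):
            return ("host", service)
    return None


def scan(lines):
    """Group flagged events by internal source address.

    An analyst gets, per workstation, when it reached an IM service and by which
    path, which is what a firewall block list or an IDS alert rule would act on.
    """
    hits = {}
    for line in lines:
        event = parse(line)
        result = classify(event)
        if result is None:
            continue
        hits.setdefault(event["src"], []).append((event["ts"], result[0], result[1]))
    return hits


def summarize(hits):
    """Count flagged events per IM service across all sources."""
    return Counter(service for events in hits.values() for _, _, service in events)


# Constructed sample log; destination addresses are from documentation ranges.
SAMPLE_LOG = """\
2004-07-12T09:15:02 10.1.4.22 -> 192.0.2.10:5190 tcp
2004-07-12T09:15:09 10.1.4.22 -> 192.0.2.20:443 tcp host=www.example-bank.test
2004-07-12T09:16:30 10.1.4.35 -> 198.51.100.5:1863 tcp
2004-07-12T09:17:11 10.1.4.35 -> 198.51.100.7:80 tcp host=webmessenger.example-im.test
2004-07-12T09:18:00 10.1.4.40 -> 203.0.113.9:80 tcp host=news.example.test
2004-07-12T09:19:45 10.1.4.22 -> 203.0.113.1:5050 tcp
this line is malformed and is skipped
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for src, events in sorted(found.items()):
        for ts, reason, service in events:
            print(f"{src}  {ts}  via {reason:<4}  {service}")
    print(summarize(found))
```

Two things follow from the design. First, the hostname match only works where a proxy records the destination name (for HTTPS, the CONNECT target); a plain packet filter sees only port 443 and cannot distinguish browser-based IM from banking traffic, which is why the guidance pairs firewall rules with IDS. Second, because the address and hostname tables go stale as IM services change, the lists should be reviewed as part of the same change process as the firewall rules themselves.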
Mitigating Risks Associated with IM
The numerous vulnerabilities inherent in IM dictate that senior management perform a risk assessment on the business benefit of allowing the use of public IM on financial institution networks. Financial institutions should consider the following practices regarding IM as part of an effective information security program:
Conclusion
The risks associated with the use of IM include revealing confidential information over an unsecured delivery channel, spreading viruses and worms, and exposing the network to backdoor Trojans, which are hidden programs that perform a specific function once users are tricked into running them. IM is also vulnerable to denial-of-service attacks and session hijacking, and it creates legal liability when copyrighted files are downloaded.
Financial institutions are required to design and implement a comprehensive written information security program. [5] The security program should include appropriate controls and training to address the risks posed by the use of public IM.
Technical Notes:
[1] Enterprise IM products are beyond the scope of this guidance.
[2] Financial Institution Letter, “Risk Assessment Tools and Practices for Information Systems Security,” FIL 68-99, dated July 7, 1999.
[3] Financial Institution Letter, “Guidance on Developing an Effective Virus Protection Program,” FIL 64-04, dated June 7, 2004.
[4] Financial Institution Letter, “Computer Software Patch Management,” FIL 43-03, dated May 29, 2003.
[5] Financial Institution Letter, “Security Standards for Customer Information,” FIL 22-01, dated March 14, 2001.
[6] Symantec Security Response, “Malicious Threats and Vulnerabilities in Instant Messaging,” dated September 2003.