FIL-84-2004 Attachment

Guidance on Instant Messaging

This guidance identifies risks associated with public Internet instant messaging (IM)1 and how they can be mitigated through an effective management program. Employees may use public IM both officially and unofficially in work environments. Its use may expose financial institutions to security and privacy risks, and to legal liability because of the ability to download copyrighted files. Technology vendors have released IM products for corporate use that authenticate, encrypt, audit, log and monitor IM communication. These enterprise products help financial institutions use IM technology in a more secure environment and assist in compliance with applicable laws and regulations.

Background

IM originated as a free software download for consumers in 1996. The technology provides the ability to chat on-line, as well as to share files. Public IM was not originally developed for commercial use and lacks standard security features. IM has become a popular communication channel because the software is free, easy to install and easy to use. Even where installing software is not permitted in a work environment, IM can still be accessed by sending messages directly from a Web browser, such as Microsoft’s Internet Explorer. Employees restricted by slow home dial-up connections may take advantage of faster networks at work to access public IM and to share and download files. (See Technical Note 1: IM Types.)

Risk-Management Considerations

Viruses

The lack of built-in security, the ability to transfer files and the built-in “buddy list” of recipients create an environment in which viruses and worms can spread quickly. The threat to the workplace network is greater because public IM traffic does not pass through a central corporate server where traditional corporate anti-virus software is located. IM virus protection should therefore include network, desktop and laptop solutions that cover both IM delivery methods (server broker and server proxy). Since effective virus protection specifically for IM is still being developed, senior management will need a comprehensive anti-virus program to detect the many blended threats that currently exist with the technology.

Privacy

Public IM transmits information unencrypted, so it should never be used for sensitive or confidential information. Messages travel across the public Internet and may be read by anyone in the path. In addition, file sharing exposes the user’s Internet protocol (IP) address and increases the risk that unauthorized parties could gain access to the computer.

Hijacking

Information received by IM is not authenticated: there is no way to verify that a message really originated from the sender with whom the recipient believes he or she is communicating during the session. Chat sessions can be hijacked and users can be impersonated.

Firewalls

Firewalls should be configured to block incoming and outgoing public IM traffic. Senior management should also consider blocking known Web sites that distribute nuisance material. This can be difficult to manage because Internet names and addresses change, and senior management may have legitimate business reasons for allowing some of this activity. (See Technical Note 2: Firewalls and Router Considerations.)

Intrusion Detection Systems (IDS)

An institution’s information security program should address preventing, detecting and responding to threats. Institutions should consider the use of IDS to detect the unauthorized use of IM.2 Intrusion detection software may be installed on primary computer systems to actively search for and monitor Internet traffic.
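The two preceding sections describe complementary controls: a firewall rule that blocks the well-known ports of the public IM services, and an IDS that recognises IM traffic by inspecting it. The following Python script, an added example that is not part of the FDIC letter, contrasts the two over a handful of constructed connection records. It assumes the native ports of the public services of the period (5190 for AIM/ICQ, 1863 for MSN Messenger, 5050 for Yahoo Messenger) and matches the opening bytes of their protocols (the OSCAR FLAP marker 0x2A, the MSNP "VER ... MSNP" greeting, the "YMSG" packet prefix). The sample flows use TEST-NET addresses and are made up for the illustration; one of them is an MSNP client that has fallen back to port 80, which a port-only rule lets through but a payload signature still catches.

```python
"""Port-based IM blocking versus payload-signature IM detection (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Firewall view: native ports of the public IM services (assumed for the example).
IM_PORTS = {
    5190: "AIM/ICQ (OSCAR)",
    1863: "MSN Messenger (MSNP)",
    5050: "Yahoo Messenger (YMSG)",
}

# IDS view: what the first bytes a client sends look like.
# OSCAR frames start with the FLAP marker 0x2A followed by a channel id 1..5;
# MSNP clients open with "VER <trid> MSNP<n> ..."; YMSG packets begin with "YMSG".
_MSNP_HELLO = re.compile(rb"^VER \d+ MSNP\d+")


def payload_protocol(payload: bytes) -> Optional[str]:
    """Return the IM protocol matched by the leading payload bytes, or None."""
    if len(payload) >= 6 and payload[0] == 0x2A and 1 <= payload[1] <= 5:
        return "AIM/ICQ (OSCAR)"
    if _MSNP_HELLO.match(payload):
        return "MSN Messenger (MSNP)"
    if payload.startswith(b"YMSG"):
        return "Yahoo Messenger (YMSG)"
    return None


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    payload: bytes  # first bytes sent by the internal host


@dataclass(frozen=True)
class Finding:
    flow: Flow
    blocked_by_port_rule: bool  # would the firewall's port rule drop it?
    protocol: Optional[str]     # what the IDS signature says it is

    @property
    def evaded_port_rule(self) -> bool:
        """IM traffic that reached the Internet because it avoided the IM ports."""
        return self.protocol is not None and not self.blocked_by_port_rule


def inspect(flow: Flow) -> Finding:
    return Finding(flow, flow.dst_port in IM_PORTS, payload_protocol(flow.payload))


def inspect_all(flows: List[Flow]) -> List[Finding]:
    return [inspect(f) for f in flows]


def evasions(flows: List[Flow]) -> List[Finding]:
    """IM flows that a port-only firewall rule would let through."""
    return [f for f in inspect_all(flows) if f.evaded_port_rule]


# Constructed sample flows (TEST-NET addresses; not captured traffic).
SAMPLE_FLOWS = [
    # OSCAR login on its native port: FLAP 0x2A, channel 1, seq 1, len 4, version 1
    Flow("10.0.0.5", "192.0.2.10", 5190, b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01"),
    # MSNP client that has fallen back to port 80 to get past a port rule
    Flow("10.0.0.6", "192.0.2.20", 80, b"VER 1 MSNP8 CVR0\r\n"),
    # ordinary web request: neither a blocked port nor an IM signature
    Flow("10.0.0.7", "192.0.2.30", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"),
    # Yahoo Messenger packet on its native port
    Flow("10.0.0.8", "192.0.2.40", 5050, b"YMSG\x00\x0b\x00\x00\x00\x1a\x00\x4c"),
    # TLS client hello: opaque to the signature check, not on an IM port
    Flow("10.0.0.9", "192.0.2.50", 443, b"\x16\x03\x01\x00\x2f\x01"),
]

if __name__ == "__main__":
    for f in inspect_all(SAMPLE_FLOWS):
        print(f"{f.flow.src} -> {f.flow.dst}:{f.flow.dst_port:<5} "
              f"port-rule={'block' if f.blocked_by_port_rule else 'allow':5} "
              f"ids={f.protocol or '-'} "
              f"{'<- missed by port rule' if f.evaded_port_rule else ''}")
```

The port rule alone drops the two flows on 5190 and 5050, while the signature check additionally flags the MSNP greeting on port 80. The TLS flow shows the limit of the signature approach: encrypted traffic yields no protocol match, so an IDS signature cannot by itself establish that no IM is taking place.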

Mitigating Risks Associated with IM

The numerous vulnerabilities inherent in IM dictate that senior management perform a risk assessment on the business benefit of allowing the use of public IM on financial institution networks. Financial institutions should consider the following practices regarding IM as part of an effective information security program:

Conclusion

The risks associated with the use of IM include revealing confidential information over an unsecured delivery channel, spreading viruses and worms, and exposing the network to backdoor Trojans, hidden programs that perform a specific function once users are tricked into running them. IM is also vulnerable to denial-of-service attacks and session hijacking, and downloading copyrighted files creates legal liability.

Financial institutions are required to design and implement a comprehensive written information security program.5 The security program should include appropriate controls and training to address the risks posed by the use of public IM.

Technical Notes:

1 Enterprise IM products are beyond the scope of this guidance.

2 Financial Institution Letter, “Risk Assessment Tools and Practices for Information Systems Security,” FIL 68-99, dated July 7, 1999.

3 Financial Institution Letter, “Guidance on Developing an Effective Virus Protection Program,” FIL 64-04, dated June 7, 2004.

4 Financial Institution Letter, “Computer Software Patch Management,” FIL 43-03, dated May 29, 2003.

5 Financial Institution Letter, “Security Standards for Customer Information,” FIL 22-01, dated March 14, 2001.

6 Symantec Security Response, “Malicious Threats and Vulnerabilities in Instant Messaging,” dated September 2003.