In Depth

How 2 Luv IM!

Seven steps to keeping your employees' instant messaging secure.

By Todd Datz

Page 4

5. Develop rules.

One best practice to consider is not allowing file transfers. You could do it in the we-trust-our-employees kind of way and create a rule that bans them; or you could use technical means to enforce the ban, which is what Amerex has done. "We shut down the file transfer capability of all instant messengers. We try to block down through file names and file extensions and shut those ports down for file transfer," says Trudeau.

Montgomery says that file transfer is one of two primary methods of IM attacks (the other, he says, is malicious URLs). A user downloads a file that appears to come from a buddy; opening it launches some piece of insidious code, which then propagates.

"From a regulatory standpoint, we had to have that IM archiving software in place or prohibit the use of IM."

Steve Rubinow, CTO, NYSE Group

DeSouza recommends a rule outlawing games: "There's no real business reason for games to be allowed," he says.

CSOs may want to create rules for different levels of users. Montgomery says you could block file transfer capabilities for all except for those in the executive or financial or legal ranks, for example. Or you could say that executives and customer support people can have access to videoconferencing or VoIP, but no one else can, says deSouza.

6. Educate and train users.

When asked what the most common IM vulnerabilities are in companies, John Rittinghouse, senior VP of commercial professional services at SecureInfo and coauthor of a book on IM security, points to lack of user awareness and training. "Most of the damage we see is done on the inside when people do dumb things," he says. He cites clicking on a link from a spam message as an example. "Bam, you get a payload or rootkit put on your box. The next thing you know it's propagating on the network or going through all of your contacts, causing a denial of service," he says.

Rittinghouse says security execs need to educate users to be acutely aware of the risks IM can bring and reinforce that it's part of their job to protect the business. Employees also need to understand that IM communications are archived. "One of the things that killed Enron is employees not understanding that IM was part of the record. Some of the IM communications were very embarrassing, very damaging. Sexually explicit things were in there from employees to other employees. It's just ignorance," he says.
