Companies take IM threats seriously

Mark Baard, Contributor

Wesabe is a brand new money management community, whose members share tips on everything from saving on organic produce to knocking down credit card debts.

It is also among the companies saying it now takes threats to IM as seriously as those targeting email and web applications.

Small businesses such as Wesabe, which has six workers, as well as those with thousands of workers, such as Richmond, Va.-based Media General Inc., are deploying IM-specific software and appliances designed to keep malware and phishers out, while letting trusted clients and friends in.

With their sales and creative teams reluctant to give up IM for the sake of security, the companies are using IM security tools to implement "no attachment" policies and to block the installation of unauthorized chat clients. Akonix, Facetime and Symantec are among those with the most popular--and, some users said, the most effective--IM security products.

The threats to virtually all IM clients, including AIM, Jabber, and Skype, are mounting, according to the SANS Institute's 2006 Top-20 list of internet security attack targets. The SANS report recommends establishing acceptable use policies for IM and considering the deployment of "products specifically designed for instant messaging security."

Those products can add to a security team's workload, however. The IM security software becomes "yet another silo of security policies to manage and alerts to monitor," said Trent Henry, an analyst at the Burton Group.

That's one reason why many organizations first try to use their web filtering appliances, such as those from WebSense, SurfControl, Secure Computing, or Blue Coat, to handle IM, Henry said.

But the Web filters "don't have an adequate degree of granularity to fully block IM," Henry said.

Wesabe's staff is distributed across Berkeley, San Francisco and Seattle. And because they need to keep in touch as if they were in the same room, the company uses IM for group chats and presence awareness. "It's replaced email for us," said Marc Hedlund, who heads the company's engineering group.

It is also easy, with only six employees, to get everyone using a single IM system, Hedlund said.

Wesabe uses the Web-based business chat tool Campfire, from Chicago, Ill.-based 37signals, for IM. Campfire chats are logged and searchable. Authorized group members can see who's online and available and what conversations are taking place at any time. Wesabe staff can also share files through Campfire.

But Wesabe also chose Campfire for its security features, Hedlund said.

Campfire's paid versions can secure chats via SSL. A Wesabe employee must have SSL enabled on his Web browser to join a Campfire chat, said Hedlund.

Chat participants must also be invited into Campfire discussions, which can be password protected.

At Media General, which has 7,500 employees and owns newspapers and TV stations throughout the Southeast, weaning staff off their favorite IM clients seemed unrealistic to Mike Miller, the company's head of IT security.

The president of Media General's new Interactive division was an IM supporter and he didn't want to be cut off from clients outside the company, Miller said.

By 2003, Media General deployed IM Manager, now owned by Symantec. The software logs conversations and blocks attachments. It also integrates well with other antivirus applications, Miller said.

Miller uses IM Manager to limit access to only 300 people who he says have a business need. Workers in the Interactive division, salespeople, and meteorologists who use Yahoo Messenger and Jabber to receive alerts from the National Weather Service are authorized to use IM through the Symantec software, he said.

Since then, there have been few complaints about not being able to send attachments through IM.

"We tell them to use email for that," Miller said.