AuditNet® Information Security 

Protect Yourself: Instant Messaging (IM) Risks

by Rey LeClerc, PhD, CISSP, CISM
Chief Information Security Officer
Case Western Reserve Company


According to research from anti-virus company F-Secure, instant messaging (IM) security threats are growing by 50% per month and could potentially spread across the globe in seconds. F-Secure says virus writers are targeting IM due to its capacity to spread malicious code more quickly than e-mail. Experts say instant messaging worms could potentially infect all vulnerable IM computers in a little over ten seconds, and F-Secure says it has detected 200 IM worms and more than 700 trojans, backdoors, and keyloggers.

Use care when using IM. It is inherently insecure. Once a message is sent, you no longer have control of its distribution, and there is no assurance of a message’s authenticity. You can do some simple things to lessen these risks:

  • Be cautious about what you send. You should assume that someone other than the intended recipient can read your message. Although IM messages appear to be person-to-person, they in fact all go through central servers outside the company, even when you are communicating with someone within the company. By default, IM communication is not encrypted, so don't give out information about yourself, the company or other employees.
  • Don't discuss company confidential information through instant messaging, including computer hardware, software or environment. IM is better suited to quick information about project status, meeting times, or a person's whereabouts. Whenever possible, try to avoid using the company name, our trademark names and the names of our executives over IM. It's like overhearing a juicy conversation on an airplane: if there are no reference points (you don't know what company and you don't know the people), it is hard to do anything with the information.
  • Don't share personal information through IM. Even if you have the utmost trust in the person or people you are messaging, including personal information such as a password or credit card number, or even a phone number you'd rather keep confidential, is not a good idea. That's because the text of your chat is relayed to a Web server en route to your contact. If anyone, such as an IM provider employee or even a hacker, is on the connection and can see that traffic, they can see the personal information.
  • Be wary about the actual source of received messages. They can be forged, so you should consider this fact at all times and treat each one cautiously.
  • Be aware that instant messages can be saved. You may think IM is great because you can let your guard down, make bold statements, chastise a boss, employee or co-worker, and have it all wiped away from the record when you are done. What you may not realize is that one of the parties to your conversation can copy and paste the entire chat into a notepad or Word document. Some IM services allow you to archive entire messages. Bottom line: Be careful what you say, just like you would in an e-mail.
  • Don't compromise the company's liability, or your own reputation. The courts are still figuring out where instant messages stand in terms of libel, defamation and other legal considerations. Statements you make about other people, the company or other companies probably aren't going to land you in court, but they could damage your reputation or credibility, or the company's. Again, be careful what you say.
  • Be aware of virus infections and related security risks. Most IM services allow you to transfer files with your messages. IM file attachments carrying viruses penetrate firewalls more easily than e-mail attachments.

    Disclaimer: The views expressed in the above article do not purport to represent the views of AuditNet, any professional association or the views of any employer.


Revised: January 14, 2008