February 01, 2007
IM Security - Does Anyone Care?
Over the past 5 years, instant messaging has moved from the home to the enterprise. A number of companies focused on tackling corporate IM security emerged, only to find that the going was much rougher than expected. The market simply isn't materializing as expected. IM security, while attracting attention in the press, didn't really register in the minds of security managers as a threat of highest priority.
Meanwhile, many of the IM security companies have sold out, closed up or limped along. It turns out that security for IM is melding into existing security solutions as a feature rather than a separate product. This doesn't mean there aren't threats associated with IM or that IM security should be ignored.
I've put together the Top 10 IM security best practices for your edification:
#10 - Treat IM Communication as Untrusted. IM is great for informal communication, but when used in a corporate environment it must be viewed as an "untrusted" communication medium. This means no communication of corporate sensitive information.
#9 - Separate passwords for IM. If you're going to take #10 seriously, then ensure that you don't use the same passwords for trusted communication channels as you do for unofficial, untrusted channels like IM.
#8 - Host your own IM server. It's not always feasible for every company, but if IM is to be used extensively as a corporate communication medium, hosting your own IM server and securing it is essential.
#7 - Keep current with patches. Like any software, IM security starts with keeping both client- and server-side software patched and current.
#6 - Define and adopt user policies. Educate users on what's appropriate to communicate on IM and what's not, and on the security policies associated with the use of IM (see #5).
#5 - Reject all attachments from untrusted sources. This is not your father's IM. Today, IM can transmit files, stream video, audio and other content.
#4 - Do not click on links from untrusted sources. We're accustomed to this policy on email but sometimes let our guard down in other mediums.
#3 - Use encrypted IM for sensitive info. If you're using IM for anything sensitive, use an encrypted IM channel.
#2 - Link IM to corporate directory. It's a layer of security and makes it easier to switch IM systems, if you ever want to do so.
#1 - Mitigate risks through security tools. Having a corporate IM system is one thing; securing it is another. Make sure you have tools to filter out SPIM (IM spam), as well as firewalling and intrusion prevention tools with specific IM security packages to protect against IM-specific attacks.
Posted by andreyee in Network Security

Andre Yee's Security Insider
