Organizations are not paying enough attention to securing instant messenger (IM) services, with existing policies centering more on legal protection when information is leaked rather than safeguarding the corporate network against malware delivered via these services.
According to Jonathan Andresen, director of product marketing at Blue Coat Asia-Pacific, not many companies have policies on third-party IMs such as Windows Live Messenger and Google Chat as they usually adopt and deploy their own communication clients.
However, users rarely adopt the corporate-endorsed app, choosing instead their preferred IM clients such as Facebook Chat. As a result, corporate policies cannot control these applications, which negatively affects the overall IT security posture of the organization, Andresen noted.
Another industry watcher, Kapil Raina, director of product management at Zscaler, added that when it comes to social applications such as IMs, many companies have general policies toward liability and legal protection. These policies, however, do not focus enough on safeguarding the tool from malware but more on preventing sensitive information from leaving the organization, he said.
"At the end of the day, the organization needs to protect the user and create appropriate policies--since the user has so many applications and platforms available for use," Raina said.
The lack of corporate security policies for IMs is not the only thing that undermines companies, either. Andresen said corporations tend to underestimate IMs as a conduit for malware, not realizing that cybercriminals adopt the same strategy they use against social networking sites, whereby a hijacked user account is used to build trust with the victim's contacts.
"The trust model is a very powerful tool in cybercrime and garners great success, which makes instant messengers an impactful security threat to enterprises," he stated.
The analysts' comments come after a number of Yahoo Mail accounts, which are linked to its IM tool, were compromised in January this year. Cybercriminals exploited a flaw in the company's YDN blog page to send a malicious URL link to unsuspecting victims' inboxes, as well as DOM-based cross-site scripting (XSS) vulnerabilities exploitable in all major Web browsers, according to The Next Web.
One such company affected by this hack was Telecom New Zealand, which used Yahoo Xtra e-mail services and found 1,500 accounts compromised in February.
To mitigate such threats, organizations should update their corporate policies to include Web security tools such as URL filtering, Andresen noted.
With instant messengers, many attacks are triggered with a URL which starts a "bait" process by bringing users to an infected site, he explained. These Web solutions will not only scan these URLs but also analyze all content and outgoing traffic associated with it, he added.