Posts Tagged ‘Hacking’

28 May 08

IM: An Underestimated Security Threat

Focused on email security, many network managers are overlooking the dangers presented by IM (instant messaging) technology. After all, IMing your sister-in-law an impromptu dinner invitation from your office cubicle seems pretty harmless. But IM in the enterprise is exploding, as 85 percent of organizations in North America report IM use, according to The Radicati Group Inc.

In the past, the security threat from IM was seen mainly as an additional gateway into the enterprise and as a concern for keeping private corporate data inside it. Those concerns have not gone away, but malware delivery has joined them. IM worms and viruses are growing quickly: Akonix Systems Inc. tracked 297 malicious code attacks over IM networks in 2007, a 20 percent increase in IM threats over the previous year. And while 60 percent of organizations monitor and secure email, studies estimate that 90 percent of organizations lack any form of IT sanction or control for IM. That adds up to exposure to a rash of security threats, data leakage and legal liabilities.

James Quin, a senior research analyst with Info-Tech Research Group said, “The vast majority of companies really aren’t even aware that there’s an issue associated with IM malware. … But when you look at the fact that IM is increasingly being used as a distribution platform for malware – viruses, worms, Trojan horses – and is also a very serious threat in terms of data leakage, organizations simply can’t continue to take the track that IM is not something they need to worry about.”

Flying Under the Radar

Quin said one of the greatest dangers posed by IM is data leakage. Unlike email, which is typically logged, tracked and blocked by an organization, IM communications tend to leave an enterprise outside the watchful gaze of an IT manager. “If I’m sending something through IM on a server that’s not maintained by the company and it goes out through a generic traffic port, as far as the firewall is concerned, it’s plain old Web traffic,” he said. “It’s a bit of a sneaky way to get information out of the enterprise.”

Taking Action

There are steps companies can take, however, to wrest control of enterprise IM and to minimize exposure to security and legal threats. Here are just a handful of precautionary measures:

1. Sure, IM lends itself far more easily to informal conversation than email, rendering it a faster and lighter alternative. But is it really necessary? What business value does it deliver? The first step, said Quin, is “determining if IM is something you feel is an appropriate part of your business communication strategy.”

2. By preventing IM from being sent over public networks, companies can better manage security challenges. “Organizations should look at deploying an internal IM capability rather than using one of the freely available ones outside of the enterprise,” said Quin. Microsoft Corp.’s unified-communications suite, for example, delivers messaging capabilities that let companies run IM on internal servers and restrict communications to in-house use.

3. Public IM clients receive patches for newly discovered vulnerabilities just as any other software does. Where public IM is permitted, network administrators need to install and update these client patches regularly rather than leaving each user’s installation to look after itself.

4. Turn to a third-party provider for high-level security protection. Symantec Corp., for example, offers an IM-management tool that secures, logs and archives corporate IM traffic on both public and enterprise IM networks.

5. “No technology should ever be deployed without a policy,” said Quin. IM is certainly no exception. Companies must establish best practices for the uses of IM and any restrictions that apply. In addition, organizations should educate employees on the dangers of IM, such as IM passwords saved on a workstation and conversations with contacts whose identity cannot be verified, and on precautions such as refusing unsolicited file transfers and attachments.
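Two of the points above can be turned into a check against proxy or firewall logs: Quin’s observation (under Flying Under the Radar) that IM leaving over port 80 or 443 looks like ordinary web traffic to a port-based firewall, and the policy of steps 2 and 5, which sanctions an internal IM server while flagging public services and file transfers. The Go program below is an added example written for this page, not code from any product or vendor mentioned here. The public IM domains, the internal server name, the size threshold and the log lines are all constructed for the example, and the five-field log format is an assumption rather than any real proxy’s output.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Event is one outbound connection as a web proxy or firewall would log it.
type Event struct {
	Time     string
	User     string
	DstHost  string
	DstPort  int
	BytesOut int
}

// Finding is an Event the policy check flagged, with the reason.
type Finding struct {
	Event  Event
	Reason string
}

// Hypothetical public IM service domains (assumed for this example).
var publicIMDomains = []string{"public-chat.example", "webchat.example"}
// The internal IM server that policy sanctions (assumed name, per step 2).
var sanctionedIMHosts = map[string]bool{"im.corp.internal": true}

// Uploads of at least this size in one session are reported as possible file transfers.
const transferThreshold = 512 * 1024

// SampleLog is constructed sample data ("time user dst_host dst_port bytes_out"), not real log output.
const SampleLog = `# time user dst_host dst_port bytes_out
2008-05-28T09:14:02Z alice im.corp.internal 5222 2048
2008-05-28T09:15:40Z bob talk.public-chat.example 443 3100
2008-05-28T09:21:07Z carol www.news.example 80 900
2008-05-28T10:02:55Z bob msg.webchat.example 80 2400000
`

// ParseLine turns one log line into an Event, rejecting malformed input.
func ParseLine(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return Event{}, fmt.Errorf("expected 5 fields, got %d in %q", len(f), line)
	}
	port, errPort := strconv.Atoi(f[3])
	bytesOut, errBytes := strconv.Atoi(f[4])
	if errPort != nil || errBytes != nil {
		return Event{}, fmt.Errorf("bad port or byte count in %q", line)
	}
	return Event{Time: f[0], User: f[1], DstHost: strings.ToLower(f[2]), DstPort: port, BytesOut: bytesOut}, nil
}

// isPublicIM matches a host, or any subdomain of it, against the IM domain list.
func isPublicIM(host string) bool {
	for _, d := range publicIMDomains {
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	return false
}

// Analyze applies the policy: the sanctioned internal server passes, public IM
// is flagged whatever port it used, and large uploads are called out as well.
func Analyze(log string) ([]Finding, error) {
	var findings []Finding
	for _, line := range strings.Split(log, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		ev, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		if sanctionedIMHosts[ev.DstHost] || !isPublicIM(ev.DstHost) {
			continue
		}
		// The port alone (80, 443) says "web"; only the destination name says "IM".
		reason := fmt.Sprintf("public IM service %s reached on port %d", ev.DstHost, ev.DstPort)
		if ev.BytesOut >= transferThreshold {
			reason += fmt.Sprintf("; %d bytes uploaded, possible file transfer", ev.BytesOut)
		}
		findings = append(findings, Finding{Event: ev, Reason: reason})
	}
	return findings, nil
}

func main() {
	findings, err := Analyze(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s: %s\n", f.Event.Time, f.Event.User, f.Reason)
	}
}
```

Run with `go run`: it reports bob’s two sessions, the second as a possible file transfer, and ignores alice’s connection to the sanctioned server and carol’s browsing. The caveat is the one Quin makes: the destination name is only available where a proxy, or a firewall that records the TLS server name, logs it. A packet filter that sees only IP addresses and ports cannot tell either of bob’s sessions from web traffic.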

21 Feb 08

Encryption 101

Unfortunately, many businesses fail to take advantage of encryption technology, fearing that it’s too complex and difficult to use on a routine basis. In reality, encrypting vital data isn’t much more difficult than running a virus scanner or a data-backup program. Here’s how to get started.

The Basics

There are two basic ways to encrypt data. One approach is asymmetric, or public-key, cryptography, the technology on which a PKI (public-key infrastructure) is built. It is based on a pair of mathematically related keys: one is private and known only to its owner, while the other is public and can be given to anyone who needs to send the owner an encrypted message or verify the owner’s signature.

Public-key technology, with a PKI to bind keys to identities, provides privacy and confidentiality, authentication and access control, and, through digital signatures, proof that a document came from its sender and has not been altered since, whether it is in transit or sitting in an archive. While most security vendors incorporate some type of PKI technology into their software, differences in design and implementation (certificate formats, key storage, trust roots) can prevent interoperability between products.

The other method of encrypting data is symmetric key protection, also known as “secret-key” encryption, which uses the same key to both encrypt and decrypt messages. It is far faster than public-key encryption and, with a modern cipher such as AES, no less secure; the difficulty is key distribution, because every party that should read the data must hold the same secret, and anyone who obtains it can read everything protected by it. Symmetric encryption therefore works best when the key can be shared with a limited number of trusted individuals or devices. In practice the two methods are combined: bulk data is encrypted with a symmetric key, and that key is in turn protected with each recipient’s public key. This hybrid design is what disk, file and email encryption products use.

Applying Encryption

The easiest way to use encryption is to purchase a business application or a hardware product that incorporates some form of encryption technology. Microsoft’s Outlook Express email client, for example, provides built-in encryption support. Meanwhile, vendors such as Seagate Technology LLC and Hitachi Ltd. have started incorporating encryption technology into their hard drives.

Since most software applications and hardware products don’t include any type of internal encryption technology, business owners and managers need to look for stand-alone encryption products. This can be a confusing process, one that’s best approached by first determining the business’s precise security requirements, then finding an encryption product that fits each need.

Microsoft Vista Enterprise and Ultimate users can take advantage of BitLocker Drive Encryption, a full-disk tool that encrypts the volume with AES using a 128-bit or 256-bit key. Another Windows offering is EFS (Encrypting File System), which encrypts each file with a randomly generated symmetric file encryption key and then wraps that key with the user’s public key, so only the holder of the matching private key, or a designated recovery agent, can open the file.

Beyond Microsoft, leading encryption vendors and products include PGP, open-source TrueCrypt, DESlock+, Namo FileLock and T3 Basic Security.
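The EFS layout described above, a symmetric file encryption key (FEK) that does the bulk work and is then wrapped with a public key, is the standard way the two methods from The Basics are combined, and wrapping the same FEK to a second public key is how a product avoids the lost-key lockout discussed under Encryption’s Limitations below. The Go program here is an added example written for this page; it is not Microsoft’s EFS implementation or the code of any vendor listed, and the key labels, the 2048-bit key size and the sample document are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile follows the EFS layout: content sealed with a random symmetric
// file encryption key (FEK), and the FEK wrapped separately under the public
// key of every party allowed to open the file (owner, recovery agent, ...).
type EncryptedFile struct {
	Nonce      []byte
	Ciphertext []byte            // AES-GCM output, authentication tag included
	WrappedFEK map[string][]byte // recipient label -> RSA-OAEP(FEK)
}

// GenerateKey makes an RSA key pair for one party (key size assumed for the example).
func GenerateKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Encrypt seals plaintext with AES-256-GCM under a fresh FEK and wraps the FEK
// to each recipient; the recipient label is also the OAEP label, so a slot
// cannot be quietly re-used for a different party.
func Encrypt(plaintext []byte, recipients map[string]*rsa.PublicKey) (*EncryptedFile, error) {
	if len(recipients) == 0 {
		return nil, errors.New("no recipients: nobody could ever decrypt this file")
	}
	fek := make([]byte, 32)
	if _, err := rand.Read(fek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh FEK per file, so one random nonce is safe
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ef := &EncryptedFile{
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
		WrappedFEK: make(map[string][]byte, len(recipients)),
	}
	for label, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, []byte(label))
		if err != nil {
			return nil, err
		}
		ef.WrappedFEK[label] = wrapped
	}
	return ef, nil
}

// Decrypt unwraps the FEK from the named slot with priv and opens the content.
// Any change to the ciphertext fails GCM's tag check and is reported as an error.
func Decrypt(ef *EncryptedFile, label string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := ef.WrappedFEK[label]
	if !ok {
		return nil, fmt.Errorf("no FEK wrapped for %q", label)
	}
	fek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, []byte(label))
	if err != nil {
		return nil, fmt.Errorf("unwrap %q: %w", label, err)
	}
	gcm, err := newGCM(fek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	owner, _ := GenerateKey()
	agent, _ := GenerateKey()
	doc := []byte("Q2 payroll export (constructed sample)")
	ef, err := Encrypt(doc, map[string]*rsa.PublicKey{"owner": &owner.PublicKey, "recovery-agent": &agent.PublicKey})
	if err != nil {
		panic(err)
	}
	// The owner lost her private key; the recovery agent's slot still opens the file.
	got, err := Decrypt(ef, "recovery-agent", agent)
	fmt.Printf("recovered %q, err=%v\n", got, err)
}
```

Two design points are worth noting. The expensive public-key operation runs once per recipient on a 32-byte key, never on the document itself, which is why the hybrid form is fast regardless of file size. And the recovery slot is only as good as the protection of the agent’s private key: whoever holds it can open every file wrapped to it, so in a real deployment that key lives offline or in a hardware token, not on a file server.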

What to Encrypt

So how do you know what to encrypt? Here are some places to start:

  • Hard Drives: A business may choose to encrypt entire hard drives so that a stolen, lost or discarded drive yields nothing readable.
  • Individual Files: In cases where full disk encryption is overkill, file-by-file encryption provides added security on an “as-needed” basis. Many leading encryption products offer drag-and-drop encryption capabilities.
  • Laptops: Unlike office systems, laptops are easy to lose and are prone to casual theft. By ensuring that the system’s data content is unreadable, a business can limit its loss to the cost of the laptop. A growing number of government regulators and insurance companies are demanding that businesses encrypt any data that leaves their premises.
  • Removable Media: Memory sticks, thumb drives and similar portable storage technologies provide portability, convenience, and an opportunity for data loss and theft. As with laptops, encryption limits a business’s loss to the cost of the device itself. A growing number of removable-media devices come with built-in encryption support.
  • File Transfers: Sending files over unsecured wired or wireless links can expose sensitive information to data thieves. Encryption provides an additional layer of security, even when a secured network is used.
  • Email: Encrypted email is kept secure during the transmission process and while sitting in its recipient’s mailbox.
  • IM (Instant Messaging): A growing number of businesses are using IM to swap confidential business information. Encryption helps secure these critical transmissions.

Encryption’s Limitations

Like any technology, encryption software isn’t perfect. Even the best products cost processor time and, in some designs, storage space. Users can also lose or forget passwords or keys, and without a recovery mechanism (a recovery key or agent set up in advance) that locks the data away permanently; no vendor can get it back.

Before purchasing any encryption tool, carefully research the product. Make sure that the offering addresses your company’s needs, is compatible with your systems and has a good track record concerning reliability and support. If possible, check with your friends and colleagues for their opinions on various encryption tools.

25 Jan 08

International Hackers Redirect Their Efforts from Government Secrets to Personal Health Information

According to a story by Nancy Ferris of Government Health IT, the Department of Homeland Security believes Russian, Chinese and other off-shore hackers are trying to gain illegal access to health care records of American citizens.

Early last year, a virus made its way to a web site run by the Centers for Disease Control and Prevention in Atlanta. In April, a Military Health System server holding Tricare records was hacked. Mark Walker, of DHS’ Critical Infrastructure Protection Division, revealed the breaches during a recent security workshop at the National Institute of Standards and Technology but added that the department does not know why it is happening.

“The hackers’ primary motive seems to be espionage,” Walker said. “We don’t know why they are attempting to exfiltrate health care data but we want to know why.” He offered a theory that medical information of a nation’s leaders might be of interest to potential enemies. “They have been focused on military data but now are spreading out into the health care private sector.”

Urging the NIST audience to spread the word that healthcare providers should be vigilant and report data breaches to the authorities, Walker said DHS is increasing its analysis staff to monitor such threats and will be issuing more alerts about cyber threats to health care data.

“Today, only the Veterans Affairs Department consistently reports health data breaches,” he added. “As a result, our understanding of the cyber threat to health and human services is vague at this point.” One thing DHS does know, he concluded, is that poor security practices among those who use health information systems and disgruntled employees are as much of a threat as foreign cyber intruders.

Not the first time

There are echoes here of a similar incident that led the government to accuse one of its multi-million dollar contractors of sloppy security practices just last September.

A Congressional probe found that the Department of Homeland Security (DHS) and Transportation Security Administration (TSA) systems run by government contractor Unisys were hit by 844 cyber-security incidents between 2005 and 2006. Lawmakers at that time accused Unisys of incompetence and possible illegal activity related to its handling of Department of Homeland Security network security and hacks originating in China.

Unisys, based in Blue Bell, Pa., won a $1.7 billion contract with the DHS in 2002 to build, manage and protect networks at TSA and DHS headquarters. The 844 incidents in the 2005 to 2006 period are documented in a report by the House Committee on Homeland Security.

“Dozens of DHS computers were compromised by hackers. These incidents were not noticed until months after the initial attacks,” Rep. Bennie Thompson (D-Miss.), chairman of the Committee on Homeland Security, wrote in a Sept. 21 letter to DHS Inspector General Richard L. Skinner. Thompson asked Skinner to initiate an immediate inquiry into the issue and, if necessary, refer the matter for criminal investigation.

Thompson wrote, “Hackers exfiltrated information out of DHS systems to a Web hosting service that connects to Chinese web sites.” Thompson’s committee became involved in the security of government networks after a series of 2006 hacking incidents that targeted the systems of the Departments of State and Commerce. Thompson said the attacks were “most likely” from China.

Thompson said the hackers used a rootkit, a program that hides an intruder’s presence on a system while preserving privileged access to it. “Although IT specialists discovered the incident in October 2006, they could not determine the date of the initial hack or the amount of information that was exfiltrated out of Commerce systems,” he wrote.

“Although DHS contracted for network intrusion detection systems … these systems were not fully deployed at the time of the initial incidents,” Thompson wrote. “If network security engineers were running these systems, the initial intrusions [might] have been detected and prevented.”

Thompson further claims contractors provided “inaccurate and misleading” information to DHS officials about the source of the attacks and “attempted to hide security gaps in their capabilities.” Unisys said in its statement, “We believe that a proper investigation of this matter will conclude that Unisys acted in good faith to meet the customer’s security requirements.”