Coping with the unseen greynet threat
(06/04/2008)

Instant messaging (IM) applications have been around since the early 70s, but it was the introduction of programs such as ICQ and AOL Instant Messenger in the late 90s that brought IM into the mainstream. Since then, real-time communications has grown considerably, from a handful of companies offering IM networks to over six hundred real-time communication applications. However, despite research showing that IM is the vector for five new security incidents every day, many organisations fail to see the threat.



Research shows that eight in ten employees are using some type of greynet application at their workplace, and four in ten are using unauthorised applications. One of the reasons companies do not see real-time communications as a threat is just that – they don’t see it. These types of applications, also referred to as ‘greynets’ because of the highly evasive techniques they use to traverse the network, can easily circumvent the traditional security methods used to control the network. Real-time communications is big business, and companies such as Yahoo!, AOL and Skype develop their applications to get as many users signed up to their network as possible, rigorously testing client applications against standard enterprise security infrastructures to ensure their application can tunnel through.

Many applications use encrypted protocols, making it impossible for an Intrusion Protection System to detect or control them. In addition, they use peer-to-peer connections. Skype, for instance, uses a peer-to-peer connection and is encrypted end to end, often even tunnelling through HTTP if that is the only port it finds open on the firewall, negating the use of a URL filtering solution to control it. Consequently, many organisations don’t even realise that their users have installed them.

However, even those companies that have implemented real-time communications in the workplace frequently fail to see the threat and implement technology to mitigate the risk. While an enterprise-grade IM system, such as Microsoft OCS or IBM Lotus Sametime, will provide a robust platform, such systems do not natively provide the tools to meet security, compliance and legislative requirements. Aside from the obvious hazard of malware subversively entering the network – research shows that 80% of enterprises have experienced a greynet-related attack within the last six months – there is also the danger that organisations are not monitoring what is being sent out.

Despite the associated risks, greynets do have their place in today’s business world. Financial services have been using IM successfully for a while now, to help speed up transactions and close deals. Probably because the industry is so highly regulated, most organisations have recognised that they need to be able to monitor and archive real-time communications that have been installed by the company, as well as the unauthorised ones installed by the users themselves.

An example of this is the recent case of Société Générale. Press reports show that the review of thousands of pages of instant message conversations revealed that the rogue trader may not have acted alone, alleviating concerns that bank managers had knowledge of the trader’s activities. The reports note that much of the trading scheme was discussed over IM, as opposed to more traditional e-mail channels. Société Générale’s ability to retrieve these messages provided a clear trail for investigators.

In order to mitigate the risks associated with instant messaging in the workplace, organisations should consider three vital areas – security, management and compliance. But since many real-time applications go to extraordinary lengths to circumvent traditional methods of security, the first step must be for the organisation to recognise the likelihood that they are already on the network and to establish visibility.

FaceTime Communications is exhibiting at Infosecurity Europe 2008, on the 22nd – 24th April 2008 in the Grand Hall, Olympia, www.infosec.co.uk
