Messaging techniques spawn new security policies

As people use a growing variety of messaging programs in the workplace, companies are being forced to create new policies to minimise crossover threats.

As messaging technology overlaps and more employees communicate using a variety of tools, IT shops will have to respond with new user policies to lock down corporate data.

Enterprises increasingly need outbound content monitoring and encryption for compliance and risk management.
Arabella Hallawell, vice president, Gartner Inc.

Gartner analyst Arabella Hallawell delivered that message during a presentation at the Gartner IT Security Summit Tuesday. She noted that messaging technologies are converging, with people using instant messaging (IM), Web mail and blogs to communicate. On the Voice over Internet Protocol (VoIP) side alone, Skype, IM, videoconferencing and chat programs are being used in combination, she said, adding that companies need to make sure proprietary information isn't being sent through these channels.

"Blogs are an example of how proprietary information can be sent out," Hallawell said. "Corporate blog use policies will probably become necessary at some point, and companies need to be thinking about what should be in those policies."

Attackers can also take advantage of the technology convergence, finding holes to gain access to sensitive information.

Don Ulsch, technology risk management director in the Boston office of Jefferson Wells International, delivered a similar warning on blogging threats during a luncheon presentation to a group of IT security professionals last month.

He noted at the time that there are approximately 100 million blogs across cyberspace and some of them are used by organised criminal outfits to push gambling and pornography. When an employee does personal blogging on a company machine and corporate email account, blog databases are able to suck in a wealth of email data. Hackers can use sophisticated data mining software to scan the blogs for proprietary information that may be sitting in some of those stored messages, Ulsch said.

Hallawell said IT shops will also have to consider what kinds of controls they want in place to deal with the convergence.

One of the biggest messaging-related problems is spam, and Hallawell sees no end to it. Image spam in particular is on the rise. That trend is illustrated in a warning the Bethesda, Md.-based SANS Internet Storm Center issued Monday about a new round of malicious spam that has been circulating of late, attempting to trick users with such bogus subject lines as "Re: U.S. violent crime up again, more murders, robberies," and "Man Awakens From 19-Year Coma."

"Enterprises increasingly need outbound content monitoring and encryption for compliance and risk management," Hallawell said. "Most companies don't want to buy new tools to deal with [messaging threats] and they are looking to their email security vendors for help. But many are not up to the challenge."

She offered some figures to illustrate the scope of the problem. Image spam is up 30-40%, she said, and botnets are the main source of 80% of the spam flooding inboxes today.

Meanwhile, there's a flip side to messaging security -- messages from legitimate companies are getting blacklisted. To minimise the problem, Hallawell said companies need to ask their vendors how they decide what to block, what the geographical reach is and how often data is refreshed. It's also important to ask what kind of reporting capabilities exist to see who is being blocked and how much.

To stay off the blacklists, she recommended IT pros get an inventory of sending domains from their marketing departments, including a list of who sends emails on the company's behalf. She also suggested companies be careful not to overuse a single domain.

Companies also have to be careful about the lists they choose to buy.

"Buying a bad list gets you on blacklists," she said.
