IM Instant Messaging Security (eBook)

front cover 1
copyright 5
table of contents 6
front matter 14
List of Figures and Tables 14
Acknowledgments 16
Foreword 18
body 24
1 Introduction 24
1.1 Purpose and Audience 24
1.2 What to Expect from This Book 25
1.3 What Is IM? 25
1.3.1 IM and Its History 26
1.3.2 IM as an Integrated Communications Platform 29
1.3.3 Common IM Application Approaches 30
1.3.4 Who Uses IM? 30
1.3.5 What Are the Advantages of Using IM? 34
1.3.6 What Are the Risks of Using IM? 38
1.4 Summary 50
1.5 Endnotes 50
2 How Does IM Work? 54
2.1 High-Level View of IM 54
2.1.1 The Presence Service 55
2.1.2 The Instant Messaging Service 61
2.2 Basic IM Features 63
2.3 Enterprise Instant Messaging Considerations 65
2.3.1 Operating System 65
2.3.2 Database 66
2.3.3 Directory Services 66
2.3.4 Interoperability 66
2.3.5 Schema Change Requirements 66
2.3.6 Standards Based for Third-Party Support 67
2.3.7 Compliance Management 67
2.3.8 Remote Access 67
2.3.9 Cost Considerations 67
2.4 An Enterprise EIM Nightmare Scenario 68
2.5 An Overview of Mobile and Wireless Instant Messaging 69
2.5.1 What Is Mobile Instant Messaging? 69
2.5.2 What Is Wireless Instant Messaging? 70
2.5.3 Short Message Service 70
2.5.4 Wireless Application Protocol 70
2.5.5 General Packet Radio Service 71
2.5.6 The Future of WIM 71
2.5.7 The Future of MIM 72
2.6 Selecting and Securing a WIM Solution 72
2.7 Summary 74
2.8 Endnotes 75
3 IM Standards and Protocols 76
3.1 Extensible Messaging and Presence Protocol - RFC 2778 76
3.1.1 Jabber and the IM Community 80
3.2 Jabber Protocol and XMPP 81
3.2.1 Architectural Design 82
3.3 Instant Messaging/Presence Protocol - RFC 2779 88
3.4 Session Initiation Protocol 89
3.4.1 SIP Security 91
3.4.2 Existing Security Features in the SIP Protocol 92
3.4.3 Signaling Authentication Using HTTP Digest Authentication 92
3.4.4 S/MIME Usage within SIP 92
3.4.5 Confidentiality of Media Data in SIP 93
3.4.6 TLS Usage within SIP 93
3.4.7 IPsec Usage within SIP 94
3.4.8 Security Enhancements for SIP 94
3.4.9 SIP Authenticated Identity Body 94
3.4.10 SIP Authenticated Identity Management 94
3.4.11 SIP Security Agreement 95
3.4.12 SIP End-to-Middle, Middle-to-Middle, Middle-to-End Security 96
3.4.13 SIP Security Issues 96
3.5 SIP for IM and Presence Leveraging Extensions 98
3.6 The Future of IM Standards 99
3.7 Endnotes 101
4 IM Malware 104
4.1 Overview 104
4.1.1 Instant Messaging Opens New Security Holes 106
4.1.2 Legal Risk and Unregulated Instant Messaging 108
4.2 The Use of IM as Malware 109
4.3 What Is Malware? 110
4.3.1 Viruses 111
4.3.2 Worms 111
4.3.3 Wabbits 111
4.3.4 Trojan Horses 112
4.3.5 Spyware 113
4.3.6 Browser Hijackers 113
4.3.7 Blended Threats 114
4.3.8 Backdoors 114
4.3.9 Exploits 116
4.3.10 Rootkits 116
4.4 How Is IM Used as Malware? 118
4.4.1 As a Carrier 119
4.4.2 As a Staging Center 122
4.4.3 As a Vehicle for General Hacking 123
4.4.4 As a Spy 127
4.4.5 As a Zombie Machine 130
4.4.6 As an Anonymizer 132
4.5 Summary 134
4.6 Endnotes 134
5 IM Security for Enterprise and Home 136
5.1 How Can IM Be Used Safely in Corporate Settings? 139
5.1.1 Understanding IM and Corporate Firewalls 139
5.1.2 Understanding IM File Transfers and Corporate Firewalls 142
5.1.3 Blocking and Proxying Instant Messaging 143
5.1.4 IM Detection Tools 145
5.2 Legal Risk and Corporate Governance 145
5.2.1 Legal Issues with Monitoring IM Traffic 147
5.3 Corporate IM Security Best Practices 147
5.3.1 Start from the Firewall 148
5.3.2 Consider the Desktop 148
5.3.3 Install Patches to IM Software ASAP 149
5.3.4 Enforce Client-Side IM Settings 149
5.3.5 IM Proxy Gateways 149
5.3.6 VPNs 150
5.3.7 Antivirus 151
5.3.8 Set up Containment Wards 151
5.3.9 Secure Information with Encryption 152
5.3.10 IM System Rules, Policies, and Procedures 153
5.3.11 Monitor to Ensure IM Client Policy Compliance 154
5.4 Security Risks and Solutions for Specific Public IM Clients 155
5.4.1 MSN Messenger 155
5.4.2 Yahoo! Messenger 160
5.4.3 America Online Instant Messaging 168
5.4.4 ICQ 176
5.4.5 Beware of IM Third-Party Clients and Services 179
5.5 Home IM Security Best Practices 181
5.6 Summary 184
5.7 Endnotes 184
6 IM Security Risk Management 188
6.1 IM Is a Form of E-mail 188
6.2 IM Security and the Law 189
6.3 Cybersecurity and the Law 192
6.3.1 The 1996 National Information Infrastructure Protection Act 193
6.3.2 President's Executive Order on Critical Infrastructure Protection 193
6.3.3 The USA Patriot Act of 2001 194
6.3.4 The Homeland Security Act of 2002 198
6.4 IM Must Be Managed as a Business Record 211
6.5 IM Risk Management 212
6.6 Summary 214
6.7 Endnotes 214
7 The Business Value of IM 218
7.1 Ubiquitous Presence and Workflow 218
7.2 It's All about Culture 223
7.3 Overall ROI for IM 225
7.4 The Choice Is Yours 227
7.5 Endnotes 228
8 The Future of IM 230
8.1 The Pervasive Network 232
8.2 Peer-to-Peer Instant Messaging 234
8.3 Peer-to-Application (the Human-Computer Interface) 234
8.4 Machine-to-Machine (Application-to-Application) 235
8.5 Jabber 237
8.6 Security and Government Compliance 238
8.7 The Business Impact 240
8.8 Endnotes 241
back matter 242
A General Network Security 242
A.1 Threats to Personal Privacy 243
A.2 Fraud and Theft 244
A.3 Internet Fraud 245
A.4 Employee Sabotage 247
A.5 Infrastructure Attacks 248
A.6 Malicious Hackers 248
A.7 Malicious Coders 249
A.8 Industrial Espionage 250
A.9 Social Engineering 253
A.9.1 Educate Staff and Security Personnel 254
A.9.2 Crafting Corporate Social Engineering Policy 256
A.9.3 Prevention 257
A.9.4 Audits 257
A.9.5 Privacy Standards and Regulations 257
A.9.6 NAIC Model Act 258
A.9.7 Gramm-Leach-Bliley Act 260
A.9.8 HIPAA 261
A.10 Summary 263
A.11 Endnotes 264
B Managing Access 266
B.1 Access Control 266
B.1.1 Purpose of Access Control 266
B.1.2 Access Control Entities 267
B.1.3 Fundamental Concepts of Access Control 268
B.1.4 Access Control Criteria 269
B.1.5 Access Control Models 269
B.1.6 Uses of Access Control 275
B.1.7 Access Control Administration Models 275
B.1.8 Access Control Mechanisms 277
B.1.9 Internal Access Controls 278
B.1.10 Techniques Used to Bypass Access Controls 283
B.2 Password Management 284
B.2.1 SmartCards 284
B.2.2 Biometric Systems 285
B.2.3 Characteristics of Good Passwords 285
B.2.4 Password Cracking 286
B.2.5 Windows NT L0phtCrack (LC4) 287
B.2.6 Password Cracking for Self-Defense 287
B.2.7 UNIX Crack 289
B.2.8 John the Ripper 289
B.2.9 Password Attack Countermeasures 290
B.3 Physical Access 290
B.4 Summary 291
B.5 Endnotes 292
C Security Management Issues 294
C.1 Organizational Security Management 295
C.1.1 Perceptions of Security 295
C.1.2 Placement of a Security Group in the Organization 296
C.1.3 Security Organizational Structure 296
C.1.4 Convincing Management of the Need 297
C.1.5 Legal Responsibilities for Data Protection 297
C.1.6 DHS Office of Private Sector Liaison 298
C.2 Security Management Areas of Responsibility 300
C.2.1 Awareness Programs 300
C.2.2 Risk Analysis 301
C.2.3 Incident Handling 303
C.2.4 Alerts and Advisories 304
C.2.5 Warning Banners 305
C.2.6 Employee Termination Procedures 305
C.2.7 Training 306
C.2.8 Personnel Security 306
C.2.9 Internet Use 307
C.2.10 E-mail 307
C.2.11 Sensitive Information 308
C.2.12 System Security 308
C.2.13 Physical Security 309
C.3 Security Policies 310
C.4 Basic Approach to Policy Development 310
C.4.1 Identify What Needs Protection and Why 311
C.4.2 Determine Likelihood of Threats 311
C.4.3 Implement Protective Measures 312
C.4.4 What Makes a Good Security Policy? 313
C.4.5 Review and Assess Regularly 315
C.5 Security Personnel 316
C.5.1 Coping with Insider Threats 316
C.5.2 How to Identify Competent Security Professionals 317
C.5.3 How to Train and Certify Security Professionals 319
C.5.4 Security-Related Job Descriptions 322
C.6 Management of Security Professionals 328
C.6.1 Organizational Infrastructure 329
C.6.2 Reporting Relationships 330
C.6.3 Working Relationships 330
C.6.4 Accountability 331
C.7 Summary 332
C.8 Endnotes 333
D IM Policy Essentials 334
D.1 ABC Inc. Information Security Acceptable Use Policy 335
D.2 ABC Inc. E-mail/IM Use Policy 341
D.3 ABC Inc. E-mail/IM Retention Policy 344
E Glossary, References, and Policy Issues 348
E.1 IM Specific Glossary 348
E.2 General Security Glossary 354
E.3 References 383
E.4 Wireless LANs and WLAN Security Policy 389
E.4.1 Purpose and Goals of WLAN IM Security Policies 390
E.4.2 Basic Approach to WLAN IM Security Policy Development 390
E.4.3 Identify What Needs Protection and Why 391
E.4.4 Determine Likelihood of Threats 391
E.4.5 Implement Protective Measures 392
E.4.6 Definition of a Security Policy 393
E.4.7 Purposes of a Security Policy 393
E.4.8 WLAN Risk Management 395
E.4.9 Risks to Wired Networks from Wireless Networks 400
E.4.10 Security Issues for Wireless Public-access Network Use 401
E.4.11 Sample WLAN IM Security Checklist 402
E.4.12 Creating WLANs in Public Space 406
E.4.13 Virtual Local Area Networks (VLANs) 407
E.4.14 Designs for Scalable and Secure WLAN Solutions 408
E.4.15 VLANs and Wireless DMZ Configuration 408
E.5 Endnotes 410
index 412