Kforce Takes Control of Instant Messaging and Gains 360° Security

The use of public-network instant messaging in companies around the world has exploded over the past few years, thanks to free access, easy downloads, and the value of networks reaching tens of millions of people. Just as introduction of personal computers, World Wide Web access, PDA’s, and email was driven by individuals rather than IT departments, use of instant messaging at work has grown almost entirely through the efforts of employees. And, just as adoption of those now-familiar technologies took place without IT oversight, the use of instant messaging at work has proliferated without security, compliance, or management from IT. Research conducted by Akonix Systems, Inc. in 2006 determined that only 11% of large and mid-sized corporations have an IM hygiene system in place, while 48% responded with “An IM hygiene solution never crossed my mind”. Among those same corporations, 73% have email hygiene in place. It is no surprise that the unprotected use of IM has made it a favorite vector for hackers and writers of spyware, viruses, and worms.

The threat to corporations of malware infection through IM is increasing along three separate lines: the number of distinct threats using IM to attack computers, the sophistication of attacks, and the criminality of attacks.

Since the beginning of 2004, the number of attacks using IM and P2P as principal vectors has increased an astonishing 16,633%. These attacks include documents, photos, and other files infected with trojans, worms, and spyware. They also include the “poison URL” approach, where a seemingly innocent message, appearing to be coming from a trusted “buddy” contains a URL which links the recipient to a web page that instantly downloads spyware, worms, or other code. Attacks over IM can be delivered over any of the major public IM networks, and can be launched in all leading operating systems, including Windows, UNIX, Linux, and even MacOS.

Most IM and P2P threats have been rather simple spyware or virus attacks. They may download spyware or adware that slows computers down, and they propagate back out through buddy lists, but for the most part, the threats of 2004 and 2005 have been fairly harmless. However, a disturbing trend has been identified over the past year, as sophisticated multi-stage trojans, worms, and spyware payloads have begun to be spotted on IM networks. For example, a recent IM attack known as “TROJ_BROWSAFE.A” uses multiple steps to infect and propagate, primarily over the Yahoo! network. When a person clicks on the URL contained in an instant message that appears to be from a buddy, a connection is made to a malicious web page, which downloads the Trojan. The Trojan creates subfolders on the hard drive and places a copy of itself and some other files into those subfolders. Most interesting, it also downloads its own browser and changes the start page of Internet Explorer to its own infected website. Finally, the Trojan propagates itself by spamming out through the infected person’s Yahoo Messenger buddy list. Although no harm is done to infected computers, this type of attack heralds a new age of highly sophisticated attacks that use multi-stage download, social engineering, and multi-vector propagation.

In addition to increased volume of attacks and increased sophistication, the threats to computers and companies are also showing the ability to be criminal in nature. For example, a Trojan identified at the end of 2005 called “PWSteal.MSNBancos” (also known as “Infostealer.MSNBancos”) was designed to infect people’s computers, disable security applications, and wait stealthily until the person visited specific banking websites. Upon connection to banking websites, the Trojan monitored and logged usernames and passwords. Similar trojans have targeted other banking websites and are used to harvest usernames and passwords on the computers of unsuspecting people.

Finally, a lesser-recognized but equally dangerous threat is the threat of loss of intellectual property through the public IM networks. Numerous studies over the years have shown that the biggest security risks to corporations are their own employees. Whether it’s a technology company whose engineering plans are being sent out of the company in IM file transfers, an entertainment company whose employees are innocently but illegally sending the latest unreleased song by a recording artist or clips from an upcoming movie, or a hedge fund firm whose analysts are offering insider tips over IM, the legal and financial liabilities represented by these “inside-out” threats are enormous.

Clearly, the risk to companies of having their networks and computers compromised by malicious code coming in to the network via IM is real, growing, and becoming more dangerous. Likewise, the threat of inside-out loss of intellectual property represents a huge liability. Meanwhile, companies face another liability from their employees’ use of IM: Non-compliance for electronic messaging.

Instant Messaging is simply another form of electronic messaging, just like email, fax, and even old-fashioned teletype. As such, the use of corporate assets for communications via instant messaging is governed by laws regarding appropriate use, security of use, message and document retention, message logging and discovery, and privacy laws. Yet, as we have mentioned earlier, only 11% of companies are utilizing IM hygiene products, and are at risk of violating numerous laws regarding their employees’ use of instant messaging, whether sanctioned or not.

The simplest way of addressing IM use in the corporation is to assume that “electronic messaging is electronic messaging”. Email, chat, IM, blogs, and portals running on or over corporate networks are all simply different applications that accomplish the same thing. Most companies have policy governing document retention, message retention, appropriate use, and privacy. Instant messaging is readily integrated into those policies and the technologies used to uphold them.

One company that has taken action to leverage the power of real-time communications while making it safe, secure, and compliant is Kforce Professional Staffing (NASDAQ: KFRC) of Tampa, Florida. Kforce is a professional staffing firm providing flexible and permanent staffing solutions for organizations in the skill areas of technology, finance & accounting, and health and life sciences. Backed by more than 1,600 staffing specialists, Kforce operates with 74 offices in 43 markets in North America.

Kforce had identified that hundreds of employees were using public instant messaging in their day to day work, and took the position that the use of instant messaging was valuable but needed to be brought under control and be managed in conjunction with their human resources policies and regulatory requirements. The Kforce legal department had previously considered instant messaging to be treated like telephone calls, i.e. reviewed but not logged. However, this position was changed as courts began to require the review of IM, and Kforce decided that instant messages must be logged for compliance.

Kforce set an objective of deriving maximum productivity from IM with minimum risk and overhead. The IT organization created an enterprise messaging strategy that included the evaluation of an enterprise IM platform so that the company can offer fully sanctioned use of IM across its entire nationwide employee base. The strategy included the desire to address compliance, security and risk management, and the protection of proprietary information, while giving Kforce the ability to manage and administer appropriate usage. Areas of concern for security included instant messaging and chat, peer-to-peer (P2P), and application sharing.

As the network security organization evolved its approach, they arrived at final criteria for evaluating vendors of IM hygiene and compliance. Attributes of the desired system included:

• Manage all public IM clients
  o MSN, AOL, Yahoo, ICQ, Google Talk
• Log and archive IM
  o Ability to log both public and enterprise IM
  o Integrate with leading email archiving systems
• Review and audit IM
  o SQL database access
  o Granularity on policy, control, reporting
• Privacy Protection and Confidentiality
  o Filter keywords and phrases
  o Encrypt access message logs
  o Control by user, group, and domain
  o Protect internal message content
• Security
  o Real-time protection and updates
  o Ability to block and/or AV-scan file transfers
  o Insulate users from viruses, worms, spam, phishing, other attacks
• Manageability
  o Flexible enough to customize to Kforce environment
  o Robust enough to manage everything Kforce needs
  o Policy based
  o Reporting capabilities
  o Ability to integrate with email archiving solutions
• Deployability
  o Quickly and easily installs
  o Integrates with my existing infrastructure
  o Minimal administration and overhead

After review of available options, Kforce selected an IM security appliance from Akonix, and easily integrated it with their email archiving system. With IM security appliances like the A1000 or A6000 from Akonix, companies like Kforce are able to take control of IM use, leverage it for business benefit, and provide security, compliance, and management for real-time communications. IT organizations choosing Akonix gain the benefit of 360° Security for Real-Time Communications™ with multiple layers of defense against external threats and internal liability.

As Kforce determined in their evaluation criteria, security and compliance must be solid at all levels to provide enterprise-wide defense. Akonix recommends that any firm’s best practices for IT security must encompass three levels: detection, protection, and containment.

At the detection layer, Kforce is protected by a global early warning system made up of security experts in partner companies, and by the IM Security Center (www.imsecuritycenter.com) where engineers identify new malware and push new protective filters out to the Kforce network security group in real time.

In the protection layer, Kforce’s network, computers, and employees are protected from infection by spyware, viruses, and worms by both perimeter and gateway defenses that recognize malicious code in file transfers, malicious web addresses in both incoming and outgoing instant messages, and attempts to use prohibited real-time apps like P2P, music sharing, and file sharing. Kforce is also protected from loss of intellectual property and from inappropriate use by the content filtering feature with Akonix’s L7 Enterprise™ product. The company’s regulatory and compliance needs are also served by logging, archiving, and reporting from L7 Compliance Manager™.

Finally, companies like Kforce are protected from day zero threats – new malicious code released into the IM networks before security firms have created protective filters – by the patent-pending containment layer of 360° Security. In the unlikely event that a new, unrecognized spyware, worm, or Trojan finds its way to an employee’s computer, L7 Enterprise’s containment features will stop it dead. First, any instant message containing any unknown URL within its content will be held until the sender correctly responds to a security challenge question. Answering “no” or any response other than the correct answer to the question will immediately terminate the sending of that message, and will place the offending URL into the system’s “disallow list”, which will immediately protect the entire network from any further propagation. Secondly, a mistaken (or malicious) correct answer by the employee may allow the offending message to be sent, but any attempt to propagate through multiple buddies in a short time will be contained by L7 Enterprise’s message rate throttling capability. Once again, the URL from these messages is immediately placed into the disallow list, protecting the entire network. Thirdly, working as a final defensive measure, the L7 IM Sentry™ sits as a silent spectator on the network until it receives any instant messages containing an unknown URL. The L7 Sentry is a patent-pending virtual buddy that assumes that any received messages with URL’s must be malicious, and immediately terminates the sender’s session and places the URL in the disallow list. With these three layers of interrelated technologies in place, Kforce and other Akonix customers are protected from all threats – known and unknown.

The benefits derived by Kforce have been many. Since deploying their IM hygiene platform, Kforce network security managers have the peace of mind of knowing that they have real-time IM security and visibility into employee IM usage. They’ve been able to provide an enabling opportunity for operational efficiency through the use of the latest real-time communications and collaboration technologies. And they’ve been able to do this while managing the technology in line with corporate guidelines and policies.

There is no doubt that a comprehensive policy and the means of enforcing it can deliver real business benefit to companies who want to improve productivity while reducing risk and liability. As Kforce has demonstrated, the overall approach to electronic messaging must encompass multiple applications (email, IM, chat, online collaboration), creation and enforcement of policy, clear objectives for security, compliance, and management, and a sound investment in purpose-specific, best-of-breed platforms for accomplishing those objectives. With these in place, communications via real-time applications like IM become enabling rather than risky, productive rather than unsafe, compliant rather than rogue.