2. Installing Unauthorized Applications
What do you mean, "no IM?"
If you're like many organizations today, prohibiting instant messaging is out of the question. IM is rapidly becoming a standard corporate communication tool, even as the number of IM exploits rises. Like other peer-to-peer and file-sharing applications, instant messaging comes with serious risks, but once your users are hooked on IM, they are hooked.
"IM is too useful to completely restrict. If you try to lock it down, but don't provide any outlet for employees to stay in touch with the outside world, users will find a way around your security policy," says Thomas Ptacek, a researcher with Matasano Security. "It's 2006. Your users are going to use IM."
IM isn't the only peer-to-peer app your users may be installing on their desktops. There are Kazaa and other free file-sharing utilities that let users share documents, software, and music. But this freedom has its cost. "These applications can increasingly be the source of new viruses," says Rob Enderle, principal analyst with the Enderle Group, an IT consultancy.
And like any other unauthorized or unregulated communication channel, P2P apps create risk in both directions: malicious content coming in, and sensitive corporate or personal data going out.
It's safest to standardize on one of the popular IM platforms, such as AIM or MSN, says Ptacek. "The only question is whether you're going to be able to monitor and control it or not."
The best defense is to ensure users have only user -- not admin -- privileges on their machines, says Daniel Peck, a security researcher with SecureWorks. And have a written corporate policy about what users can and can't do with these apps.
"And never install programs unless you know what they do, whether they are 'comm' programs or otherwise," says Gary McGraw, CTO of Cigital.
Desktop firewalls can block the specific ports these apps use, and a host-based IPS can help you lock down desktops further. "But that's not foolproof," warns Peck. If your organization can't live without instant messaging, you can require IM sessions to be encrypted, he says.
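As an added example (not from the article, and not from any of the researchers quoted in it), here is a PowerShell script that puts two of the controls above into practice on a Windows desktop: it checks whether anyone beyond an approved list holds local administrator rights, and it adds outbound Windows Firewall rules that block the well-known IM ports. The approved-admin list is a placeholder, and the port list (AIM/OSCAR on TCP 5190, MSN Messenger on TCP 1863) is an assumption you should adjust to whatever platform you standardize on; the cmdlets used are the standard LocalAccounts and NetSecurity ones shipped with current Windows.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): audit local admin membership and block
# outbound IM ports with the built-in Windows Firewall.
# Assumptions: the approved-admin list below is a placeholder; the IM ports are
# the historical defaults for AIM/OSCAR (5190) and MSN Messenger (1863).

$ApprovedAdmins = @("$env:COMPUTERNAME\Administrator", "CORP\Desktop-Admins")  # placeholder

# 1. Least privilege: report accounts in the local Administrators group that
#    are not on the approved list.
$members    = Get-LocalGroupMember -Group 'Administrators'
$unexpected = $members | Where-Object { $ApprovedAdmins -notcontains $_.Name }

if ($unexpected) {
    Write-Warning "Unapproved members of local Administrators:"
    $unexpected | Format-Table Name, ObjectClass, PrincipalSource -AutoSize
    # Enforcement step, left commented: removing the wrong account can lock you
    # out of the machine, so review the report before enabling this line.
    # $unexpected | ForEach-Object { Remove-LocalGroupMember -Group 'Administrators' -Member $_.Name }
}
else {
    Write-Output "Local Administrators group contains only approved accounts."
}

# 2. Desktop firewall: one outbound block rule per IM port, created only if missing.
$ImPorts = @{ 'AIM-OSCAR' = 5190; 'MSN-Messenger' = 1863 }   # assumed defaults

foreach ($name in $ImPorts.Keys) {
    $ruleName = "Block outbound IM - $name"
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName `
                            -Direction Outbound `
                            -Protocol TCP `
                            -RemotePort $ImPorts[$name] `
                            -Action Block `
                            -Profile Any | Out-Null
        Write-Output "Created rule: $ruleName (TCP/$($ImPorts[$name]))"
    }
}

# 3. Verify the rules exist and are enabled.
Get-NetFirewallRule -DisplayName 'Block outbound IM*' |
    Select-Object DisplayName, Enabled, Direction, Action |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session. The port rules are the "not foolproof" part Peck refers to: IM clients commonly fall back to TCP 80 or 443 when their native port is blocked, so treat this as one layer alongside standard-user accounts, a host-based IPS, and the written policy, not as a complete control on its own.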