Instant Messaging, Spam Issues Linger


Two of the more perplexing security issues that solution providers will increasingly face in the coming months are how to block spam and control instant messaging.

Businesses are looking for ways to eradicate spam messages that clog their e-mail systems, making them vulnerable to viruses, and to manage the often renegade instant-messaging activity cropping up all over corporate America. However, very few security policies have been developed to deal with either issue, said security integrators and VARs at the CRN Security Roundtable.

"I saw something that said one of the largest growing markets is spam. I hadn't really thought about it, and then I did think about it. We're a security company, and I get spam [messages]. I wish I could stop them all," said Gary Fish, president and CEO of FishNet Security.


'We're actually looking at some different standards, such as actually attaching [digital certificate] "postage" to e-mail.' - Michelle Drolet, Conqwest

Michelle Drolet, CEO of Conqwest, said several of her clients in the legal community have hired administrative help just to control the influx of spam. "They have some admins that are sitting there for two to four hours a day just cleaning up [the e-mail garbage]," Drolet said.

Indeed, some companies appear willing to spend dearly for a spam solution, roundtable panelists said. "We had a conversation with a [chief security officer] from a bank who said he would spend at least a million dollars on a spam solution tomorrow if there was one that wouldn't get rid of all the executives' mail that they really wanted to get," said Dan McCall, executive vice president and co-founder of Guardent.

The consensus among roundtable participants was that existing e-mail filtering technology can't completely control the spam problem. Several solution providers said they're studying the possibility of using digital certificates, which could help confirm the identity of the sender.

"We're actually looking at some different standards, such as actually attaching 'postage' to e-mail," Drolet said. "It would have to be almost like a grassroots effort in which you put [digital certificates] on e-mail, and then if I say, 'Yes, you can talk to me,' you create a white list to start out with, put postage on [messages] to people on the list and only communicate with people that have your stamps."

Paralleling the proliferation of spam has been the use of instant messaging, which some businesses are adopting to save the time wasted wading through junk e-mail, roundtable executives said. That's spawning new security concerns. "Check Point just came out with a [firewall patch] that digs into the packet and can tell if it's instant messaging," Fish said. "So it's a big, huge issue for corporations."

Chris Ellerman, vice president of professional services at Meridian IT Solutions, a full-service network integrator, agreed that instant messaging must be brought under control. "There's an absolute business need," Ellerman said.

The biggest problem with instant messaging, aside from potential productivity drains when employees choose to chat with friends or family instead of doing work, is that the technology could make a company's network more vulnerable.

"I think the fact that the stuff is going out of your network and it's coming back in is something that people don't realize intuitively. And that's something where there's a huge information problem," said Chris Wysopal, director of research and development at @Stake.

Companies only now are starting to recognize the security pitfalls of instant messaging, said Guardent's McCall. "I don't know if there have been any huge compromises like the Code Red-type things that have come from [instant messaging] yet, but I think they're certainly worried about that," he said. "And then the other piece of it is the productivity lost when people are chatting with their kids and their friends."

Guardent has been studying several different digital certificate and identity management technologies to help control instant messaging without blocking it entirely, McCall said. FishNet, meanwhile, has deployed technology it refers to as "Sniffer on steroids" that provides instant-messaging traffic reports.

But Kenneth Cavanagh, vice president of professional services at Vigilinx, a security services firm, said solution providers may not be able to convince corporations that instant messaging should get a share of their limited security budgets. "Forget it," Cavanagh said, explaining that from the corporate security officer's point of view, "protecting the application layer of my online reservation, e-commerce system or e-banking system, those are the things I need money for, not to get rid of instant messaging."