IM security best practices for SMBs

More on IM Unified messaging comes of age for SMBs IM and blogs next target for litigation

But that external connectivity, if not configured securely, can come with a heavy price. IM allows viruses, Trojans and other malware to piggyback into your networks far easier than email attachments. IM messages can contain links to malicious Web sites, and confidential data can be compromised. Spam over IM (SPIM) is also a threat.

Thus, security for IM is essential. Here are some suggestions and best practices for securing IM without breaking the bank:

• Designate one IM tool. For internal IM, make sure to use a single enterprise software application. More vendors are offering IM products for SMBs, such as IBM's Lotus Sametime. It installs on its own dedicated server, which is tucked deep inside your company's firewall. Harden that server as you would any other: limit access to authorized users, turn off unnecessary services, install antivirus software and keep patches up to date. Install the client piece of the product only on desktops that have been equally hardened with up-to-date antiviral protection and host-based firewalls.
• Restrict external IM usage. Allow usage only for employees who have to communicate real time. Don't use consumer IM products from America Online, Yahoo Inc. or Microsoft. Use enterprise instant messaging (EIM) software such as Jabber or Akonix.
• Make sure your EIM provider offers some kind of encryption. You can always encrypt with Secure Sockets Layer at no extra cost. Remember, IM messages are conventional HTTP traffic, whether the messages go over port 80 or not.
• Restrict access. Like your internal IM servers, those hosting your EIM should be locked down with restricted access, hardening and updated patches and antiviral protection. They should be hidden behind your company's firewalls, but unlike your internal IM servers, they will need access to the Internet. Make sure to add rules to your firewall allowing access only to your EIM and blocking common ports for consumer IM products.
• Restrict communication. Configure buddy lists on your EIM to restrict communication to only known and trusted parties. This will prevent a malicious user from trying to access your network via IM.
• Log and monitor all IM traffic. This can be used to detect malicious inbound traffic, or inappropriate outbound traffic, like someone trying to send out confidential company data or files.

Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP specializing in Web and application security, and is the author of The Little Black Book of Computer Security, available from Amazon.com. He also runs The IT Security Guy blog at http://www.theitsecurityguy.com.

Rate this Tip To rate tips, you must be a member of SearchCIO-Midmarket.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Information security management for the midmarket Droid does, but will IT support it? Information security program revamp adds outsourcer oversight and more From data breaches to risk management frameworks: Test your knowledge The challenge of managing risk when IT budgets tighten Why cybersecurity awareness is everyone's responsibility Information technology management e-book downloads for midmarket CIOs 10 must-have steps for an effective SMB information security program Your IT security budget: How to get more bang for the buck Using key risk indicators to sell your information security program IT security spending a bright spot in '09, with more growth predicted Risk management for the midmarket Information security program revamp adds outsourcer oversight and more From data breaches to risk management frameworks: Test your knowledge Adopting a beta tool: Risks vs. rewards for a midsized enterprise The challenge of managing risk when IT budgets tighten Why cybersecurity awareness is everyone's responsibility How to decide if changing technology vendors is worth the time, risk A guide to managing the risk assessment process Free risk management tools and resources for the enterprise CIOs taking risk of cutting vendor maintenance contracts to save money 10 must-have steps for an effective SMB information security program Security for the midmarket Information security program revamp adds outsourcer oversight and more Your IT security budget: How to get more bang for the buck Locking down security in the move to electronic medical records A CIO's advice for implementing single sign-on solutions Options for outsourcing security grow, offer IT budget savings Network access control: Pointers for getting the knack of NAC Stopping malware viruses from attacking Web 2.0 technology Virtual servers no escape from IT security management concerns Unified communications: Securing access to OCS Unified communications security: How safe is it? RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.