27 Oct 2010
Long-established communication applications such as webmail and instant messaging present more of a direct security risk to organisations than Facebook despite all the hype to the contrary, say security experts.
This is because webmail and IM are still being used in a largely unmonitored and uncontrolled manner, according to a report by security firm Palo Alto Networks.
The authors found that applications like webmail and IM flank traditional defences, whereas most Facebook usage was passive.
"These applications are being used in a way that flanks many of the mechanisms (email AV, anti-spam, anti-phishing, etc) that were designed to defend the enterprise from email-borne threats," Chris King, director of product marketing at Palo Alto Networks, told Computing.
"While perhaps not as topical as the social networking risks, they represent a significant risk that is underreported and underestimated by enterprises."
The report, based on real-world traffic analysis from 723 organisations worldwide, found that these applications either hop between comms ports or use fixed ports that are not TCP/80 or TCP/443. This means that they cannot be monitored easily to control the related inbound business and security risks.
Furthermore, 60 per cent of webmail and IM applications discovered in use by the report are capable of transferring files.
"Most of the IM applications can port hop, and many of the webmail applications can use HTTPS and in either case, that traffic isn’t being scanned for threats in most enterprises," said King. "Even basic port 80 HTTP webmail traffic isn’t scanned for threats in many enterprises."
This opens organisations up to outbound risks of data leakage and the delivery of malware via attachments, but just blocking them isn't a viable option.
"These applications represent significant value for many organisations, so blindly blocking doesn’t work, and blindly allowing opens up organisations to significant risks," said King.
Despite the recent furore about Facebook’s security, PAN’s analysis of social networking traffic patterns found that the bulk of traffic (88 per cent) is users viewing pages. Facebook apps (including popular games such as FarmVille) only represent five per cent of the site’s traffic and postings represent just 1.4 per cent.
"The usage patterns suggest that most of the use is passive," said King. "The active aspects (apps, posting, social plugins) represent a small fraction of social networking bandwidth."
Loss of productivity – which has earned browsing social networks the moniker ‘social not-working’ – is an overblown risk to business, says the report, and organisations should focus on other aspects of risk.
"An unproductive employee doesn’t need Facebook to be unproductive," said King.
Users posting confidential data, such as current projects, travel plans and company status, to a social site poses a small risk, but not one that should be ignored, the report says.
PAN’s report is the second recent report to point out that social networking is less of a security threat than was first feared.