Tuesday, July 31, 2007

Information Leaking via P2P

There are a couple of blog posts about classified/sensitive information leakage via P2P. The original article is here.

The blogs I read about it on are here: #1 & #2.

Page 3 of the networkworld article is the best part; it describes how some of these leakages occurred. Thankfully it seems to be mostly through family members downloading and installing P2P software on company computers, which is refreshing after the company idiot leaving the laptop in the car waiting for it to be stolen and contribute more to identity theft.

The fix for this, in my opinion, is not some fancy network appliance. Most networks that don't want to allow P2P traffic can block it; it's not that hard. What you can't block is what that "road warrior" employee does when they leave the work network and plug into the hotel wireless or the cable modem at home.

So what's the fix?

1. (Most importantly) User Education: when that person signs for a laptop to use, give them some education (pamphlet, talking-to, tattooed on their head, etc.) and make them sign a user agreement that specifically states what that person can and cannot do on that company laptop (seems like now you have to remind them not to let their spouse/kid play on that laptop too). Yearly education is another good option if the organization supports it, but it's got to be worth the user's time and actually be beneficial, aka not a check-the-block thing and not the same stuff every year.

2. Configuration Management: if you allow that laptop to connect back to your network, it should be scanned, patched and have its AV updated before it gets back on the network. Hopefully at that time you can catch any unauthorized software that was installed.

While it wouldn't help the P2P problem, encrypting data at rest will help with those stolen laptops as well.

The Continuous Compliance mentioned in the ncircle blog (link #2) also seems like a good idea; I haven't looked at any solutions that do that though. Guess you have to balance the risk of a new remote application that you allow access into your network (mmmm yummy) against knowing sooner that someone installed unauthorized software on your company laptop.
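A small pre-admission posture check of the kind item 2 describes, as an added example (not code from the original post or from ncircle): it takes a constructed host inventory and flags stale patches, stale AV signatures, and unauthorized software such as P2P clients before the laptop is let back on. The inventory format, the age thresholds, the approved-software list and the P2P client names are all assumptions.

```python
"""Pre-admission posture check for a returning laptop (added example).

Before a road-warrior laptop rejoins the network: is it patched, are AV
signatures current, and has unauthorized software (P2P clients) appeared?
Inventory format, thresholds and name lists are assumptions, not a real NAC API.
"""
from datetime import date

# Assumed policy: maximum age for patches / AV signatures, known P2P clients,
# and an allowlist of software the organization approves.
MAX_PATCH_AGE_DAYS = 30
MAX_AV_SIG_AGE_DAYS = 7
P2P_CLIENTS = ("limewire", "kazaa", "bearshare", "edonkey", "emule", "bittorrent")
APPROVED_SOFTWARE = {"microsoft office", "corporate vpn", "antivirus"}


def is_p2p(name: str) -> bool:
    """Case-insensitive substring match against the known P2P client list."""
    lowered = name.lower()
    return any(client in lowered for client in P2P_CLIENTS)


def posture_check(inventory: dict, today_iso: str) -> dict:
    """Evaluate one host inventory; return admit decision plus the reasons."""
    today = date.fromisoformat(today_iso)
    findings = []
    patch_age = (today - date.fromisoformat(inventory["last_patched"])).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(f"patches {patch_age} days old (limit {MAX_PATCH_AGE_DAYS})")
    av_age = (today - date.fromisoformat(inventory["av_signatures"])).days
    if av_age > MAX_AV_SIG_AGE_DAYS:
        findings.append(f"AV signatures {av_age} days old (limit {MAX_AV_SIG_AGE_DAYS})")
    for app in inventory["installed"]:
        if is_p2p(app):  # the "daughter installed LimeWire" case
            findings.append(f"P2P client installed: {app}")
        elif app.lower() not in APPROVED_SOFTWARE:
            findings.append(f"unapproved software: {app}")
    # Any finding means quarantine/remediate rather than admit.
    return {"admit": not findings, "findings": findings}


# Constructed sample host: last seen on the network six weeks ago, LimeWire added since.
SAMPLE_HOST = {
    "hostname": "LAPTOP-042",
    "last_patched": "2007-06-15",
    "av_signatures": "2007-07-01",
    "installed": ["Microsoft Office", "Corporate VPN", "Antivirus", "LimeWire 4.12"],
}

if __name__ == "__main__":
    result = posture_check(SAMPLE_HOST, "2007-07-31")
    print("ADMIT" if result["admit"] else "QUARANTINE", result["findings"])
```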

3. Actually Punish Rule Breakers: those people that lost the laptops with the VA data should have been hung out to dry, especially the one that wasn't authorized to take data home to work on. If TJ Maxx can be held liable for millions for using WEP instead of WPA, the jackass that takes a laptop or data home when they aren't supposed to (especially with PII) should be fired if the data loss can be attributed to negligence on their part. The guy whose daughter installed LimeWire... canned; next time pay attention to what your kid/spouse is doing on the company laptop and don't let them do it. If you are too technically inept or just plain don't care about security, then you shouldn't be able to check out laptops with corporate data.

I'm a big believer that if you punish people when they do something wrong, others will be inclined NOT to do what that person did in the interest of self-preservation. It serves two purposes. First, if the punishment is severe enough it should curb repeat offenses, and second, it shows the public (if you answer to them) that you care and you did something to the offender to "right the wrong." I'd be a lot (well, maybe not that much) less pissed if they fired the guy that lost the data with my PII than if he just got a slap on the wrist.
