Preventing and Detecting Sensitive Data on P2P Networks
Recently, we’ve heard a lot of talk about P2P apps and data leakage concerning various members of Congress. It started with this article over at NetworkWorld, followed up by the guys at nCircle, criticism directed towards Congress from Techdirt, comments from LonerVamp, and lately a rambling from Alan Shimel on how NAC will solve the problem.
The problem is not so straightforward. It’s a mix of company policies, perimeter and endpoint protection, data protection, and culture. Alan fails to see the problem all the way through. Sure, your NAC might prevent P2P apps from existing on the network. But what about on employees’ home networks? Many people are being issued laptops so they can work from home, on the go, etc. How is NAC going to stop P2P there? How do you stop people from installing P2P apps on their personal computers? From bringing or sending data home through email, thumb drive, or CD-RW?
Besides Tiversa, has anyone actually tried to automate P2P network scanning looking for [their] sensitive data? One way to attack the problem is to look for the source of the information leaks. Use honeytokens to weed out nosy people, spies, and people who are most likely violating policies. Use an IDS or other network monitoring solution to alert when it sees those honeytokens traveling out of the network.
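As an added illustration of the honeytoken idea (not code from the original post), the script below seeds a couple of constructed honeytoken strings, checks outbound payloads for them in plain, URL-encoded and base64 form (at all three base64 alignments, so a token buried inside a larger encoded upload still fires), and emits a Snort/Suricata rule for the plaintext form. The token values, labels and sample payloads are all made up for the example.

```python
import base64
from urllib.parse import quote

# Constructed honeytokens: fake identifiers seeded into documents that have no
# legitimate reason to leave the network. Label -> token (not real data).
HONEYTOKENS = {
    "finance-share": "ACCT-7731-9904-HT",
    "exec-docs": "Project Bluefin Roadmap",
}

def b64_fragments(data: bytes) -> set[str]:
    """Base64 substrings that appear whenever `data` is embedded, at any of the
    three byte alignments, inside a larger base64 blob. Characters that also
    depend on the unknown neighbouring bytes are trimmed from both ends."""
    frags = set()
    for pad in range(3):
        enc = base64.b64encode(b"\x00" * pad + data).decode().rstrip("=")
        start = (0, 2, 3)[pad]                               # chars tainted by prefix
        end = len(enc) - (1 if (pad + len(data)) % 3 else 0)  # char tainted by suffix
        frags.add(enc[start:end])
    return frags

def find_honeytokens(payload: str, tokens=HONEYTOKENS) -> list[str]:
    """Return labels of every honeytoken found in one outbound payload.
    Plain and URL-encoded forms match case-insensitively; base64 must match exactly."""
    hits = []
    low = payload.lower()
    for label, token in tokens.items():
        plain = {token.lower(), quote(token).lower()}
        if any(v in low for v in plain) or any(f in payload for f in b64_fragments(token.encode())):
            hits.append(label)
    return sorted(hits)

def snort_rule(label: str, token: str, sid: int) -> str:
    """Snort/Suricata rule that alerts on the plaintext token leaving $HOME_NET."""
    return (f'alert tcp $HOME_NET any -> $EXTERNAL_NET any '
            f'(msg:"HONEYTOKEN {label} leaving network"; content:"{token}"; '
            f'nocase; sid:{sid}; rev:1;)')

# Constructed sample of outbound payloads, as reassembled from a capture.
SAMPLES = [
    "GET /search?q=Project%20Bluefin%20Roadmap HTTP/1.1",
    "POST /upload " + base64.b64encode(b"xxACCT-7731-9904-HTyy").decode(),
    "GET /search?q=quarterly+report HTTP/1.1",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(find_honeytokens(s), "<-", s[:60])
    print(snort_rule("finance-share", HONEYTOKENS["finance-share"], 1000001))
```

The base64 handling only covers the standard alphabet; a token that is compressed or encrypted before upload will not match, which is why the honeytoken needs to sit beside host-side monitoring rather than replace it.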
So the issue is one we’ll be seeing a lot from now on as we move towards “protecting data.” Preventing information from leaking onto P2P networks and detecting it is going to be tough. There is no single answer, but many that require a lot of thought and planning. In addition to these latest news articles, check out Inadvertent Disclosure - Information Leaks in the Extended Enterprise. It’s the only paper I’ve come across that tries to analyze the extent of the problem and demonstrates the threat and vulnerability it poses to businesses.

Hi - in regard to the comment, my article said NAC is one way of dealing with this. It is not meant to be comprehensive. You can have IPS block p2p traffic. Also, NAC can test for p2p from home devices if they are getting on the lan. You can have other endpoint security as well. The bottom line is that I think p2p apps are on govt owned devices in the lan and this can be dealt with. Something is better than nothing here.
Hey Alan. It’s true something is better than nothing, but I’ve seen (I was the one who did it) how easy it is to bypass all kinds of network and endpoint security restrictions in place to get p2p apps working on an employee laptop.
The problem is there are sensitive government files on p2p networks. Whether there are p2p apps on the LAN is another issue that NAC and IDS’ do help to resolve.
There are exceptions, but it shouldn’t be too difficult to say no P2P apps are allowed on company laptops. You can get centralized deployment/monitoring solutions (like Altiris) to report on not just every piece of software installed, but even every executable run.
Of course, then you have to have people watching those logs on a regular basis and reviewing them. You can’t have little alerts that miss when I rename a P2P app to something else innocuous like cmd.exe...
I think a lot of people want automation in these things, but there comes a time when you simply cannot replace an analyst.