Corporate data protection and peer-to-peer threats
Date: 13 May 2008
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=9267

Recently I came across an interesting headline - "Classified Hong-Kong watch-list leaked on the Internet". This caught my attention, so I decided to have a quick review of the article. The summary: a staff member took home classified material to read, and this was picked up by the peer-to-peer program on the staff member's home computer and distributed across the Internet.

My question to you is, could this happen to your organisation? Before you quickly answer 'No!', think a little deeper. Most organisations have sensitive data that they would not want disclosed publicly, for legal or competitive reasons. Many employees in today's merit-based workplace are driven to take work home in order to 'perform'. Coupled with their own (or their child's) use of peer-to-peer file sharing, this could be the scenario facing your organisation sometime soon.

So, what can be done about this? Well, policy to prevent or restrict what is allowed to be taken off site is a start. Of course, banning (and blocking) the use of p2p from within the corporate network is an even better start. Given, however, that there are likely to be breaches in policy compliance, what else can be done? Providing education to staff on the threats posed in their home environment is probably a good start; staff may be more willing to listen to computer security information if it is about their home PC rather than about good practice at work.

Perhaps another thing to consider is a corporate-level Digital Rights Management (DRM) approach. (Wait - don't get all up in arms yet!) Well-managed DRM within the corporation could reduce the effectiveness (availability) of corporate information outside of the corporate environment. This isn't about protecting against music piracy and making life difficult for legitimate use; it is about protecting corporate data and reducing risk.
The question is: is there currently a product available, suitable for medium-to-large organisations, that provides this type of protection? (If you know of something, please let me know!)

The other, side point in the article mentioned recent data loss due to lost USB sticks and theft of servers. The USB stick issue is well understood but not as widely considered as it should be. Do you have a solution to either restrict USB use or encrypt data on them? If not, you really should consider this ASAP!

With regard to protecting data at rest, this is often overlooked in organisational risk management. I am sure that most of those who recently had servers stolen from their data centres would, only the day before, have told you it could never happen in their data centre because of ..... a long list of reasons, all proved false.

Food for thought...

Karl Hanmore
Operations Manager
AusCERT