Strong Security from the Enterprise to the Edge

Security Now Blog: Addressing Today's Information Security Issues

Do NOT be in the next P2P Data Loss Horror Story

by Eirik Iverson, Product Management

Peer-to-peer (P2P) software causes super-sensitive documents to accidentally and unknowingly be leaked into the Internet. Few organizations have legitimate reasons for P2P software running on their endpoints. How does P2P software get there and what can an organization do to keep from being reported as yet another data leak horror story?

Recent hearings by the House Government Oversight & Government Reform Committee on the problem of inadvertent sharing of files via P2P software revealed some new horror stories that ought to scare the hell out of decision-makers running any enterprise with information worth stealing. As fantastic as a few are, ultimately, they’re the same story with different characters.

Problem solvers ought to worry less about the latest stories and more about prevention. However, when it comes to justifying the tools and policies that will be necessary, by all means, highlight some juicy ones. I often find examples at Privacy Rights Clearinghouse.

Quick tangent: a lot of the files traversing P2P networks are infested with malware.

How Does P2P Software get onto Enterprise Computers?

Some P2P software installations on enterprise computers may be installed by malware. P2P software has evolved to operate more discreetly within enterprise walls, and it removes a single point of failure by providing a decentralized file transfer capability.

Even so, I believe that most P2P installations are due to an end-user voluntarily installing the software. Whether these end-users have or do not have local admin rights is important. Yes, users without local admin rights can install P2P software (btw, this article on installing software without admin rights was one of the most Googled posts of 2008 for this blog). In short, they can install software in user-space (My Documents, Desktop, extra hard drives, etc.).

How Does P2P Software Stay on Enterprise Computers?

P2P software features have been added to make it harder for network administrators to detect P2P software use. As for desktop administrators, how often do they audit what software runs on their computers? And do the tools they have and KNOW HOW to use operate off-enterprise? I’ll wager that an awful lot of P2P traffic from enterprise computers originates from off-enterprise. Yet the sensitive documents on these computers remain when they are off-enterprise. And btw, any malware they pick up off-enterprise remains with them when they are on-enterprise. Continuous policy compliance monitoring and enforcement is essential to preventing most enterprise information security risks.

EdgeGuard Protects, Controls, and Audits Computers On and Off the Enterprise Continuously

EdgeGuard can prevent enterprise computers run by end-users without local admin rights from running P2P software in a fire-and-forget manner. EdgeGuard will suppress all executable launches from user-space. It can be set to allow only software that it “guards” to launch from user-space. And since IT administrators determine what applications EdgeGuard places under guard, end-users cannot launch unauthorized software from user-space. Compare this with the effort required to employ a white list security software system. I recommend using a logarithmic scale for those that wish to quantify the difference. BTW, examples of legitimate software that IT administrators might choose to allow and thus “guard” may include Google Chrome and GotoMeeting.

For end-users with local admin rights, EdgeGuard policies supersede an end-user's local admin rights. However, as EdgeGuard is not a white list system, one must populate a “Red List” that tells EdgeGuard what applications it is to snuff out. This is where the regular audit comes into play: identifying forbidden software not already on the “Red List”. Should end-users rename forbidden software, EdgeGuard continues to snuff it out because of its deep header inspection technique.
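As an added illustration of the “inspect the header, not the file name” idea (example code written for this post, not EdgeGuard's own implementation), the following Python audit walks a user-writable directory, identifies Windows executables by their MZ/PE header regardless of extension, and matches their SHA-256 against a red list. The directory contents, the sample binaries and the red list are all constructed for the demo.

```python
import hashlib
import os
import struct
import tempfile
from pathlib import Path

def is_pe_file(path):
    """True if the file has an MZ stub whose e_lfanew offset points at the PE signature."""
    try:
        with open(path, "rb") as f:
            dos_header = f.read(64)
            if len(dos_header) < 64 or dos_header[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", dos_header, 0x3C)[0]  # offset of "PE\0\0"
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def audit_user_space(root, red_list):
    """Walk a user-writable tree and report every PE file, whatever its name or extension."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if is_pe_file(path):  # a renamed .exe is still caught here
                digest = sha256_of(path)
                findings.append({"path": path, "sha256": digest, "red_listed": digest in red_list})
    return findings

def build_fake_pe(body):
    """Constructed stand-in: bytes with a valid MZ/PE header layout, not a real program."""
    dos = bytearray(b"MZ" + b"\0" * 126)          # 128-byte DOS stub
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew -> where "PE\0\0" follows
    return bytes(dos) + b"PE\0\0" + body

def demo():
    """Constructed user-space tree: the forbidden binary under its own name and renamed as a .txt."""
    tmp = tempfile.mkdtemp()
    forbidden = build_fake_pe(b"constructed-p2p-client")
    Path(tmp, "p2pclient.exe").write_bytes(forbidden)
    Path(tmp, "Documents").mkdir()
    Path(tmp, "Documents", "notes.txt").write_bytes(forbidden)  # renamed copy
    Path(tmp, "Documents", "memo.docx").write_bytes(b"PK\x03\x04 not executable")
    Path(tmp, "allowed.exe").write_bytes(build_fake_pe(b"guarded-app"))
    red_list = {hashlib.sha256(forbidden).hexdigest()}  # constructed red list of one hash
    return audit_user_space(tmp, red_list)
```

Running demo() reports three executables and flags both copies of the forbidden binary, including the one renamed to notes.txt, while skipping the document that merely lives next to them.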

For those organizations that must attest to having implemented countermeasures to reasonably foreseeable threats, the EdgeGuard agent on each computer uniquely digitally signs its outbound audit logs, ensuring that all reported observations are irrefutable.
