Getting a Handle on Peer-to-Peer Applications
Watch out for security pitfalls, such as increasingly popular instant messaging apps.
- By Ari Tammam
- August 01, 2007

The business of securing clients' networks is always changing, with new types of threats constantly emerging while few old dangers ever fade away. One threat that's growing in importance for clients is peer-to-peer (P2P) applications, and it's important for security-focused solution providers to be able to help mitigate that problem.
There are definite benefits to some P2P applications that account for their popularity among business users and IT teams' willingness to tolerate them on company networks. Probably the most popular, and most useful, P2P application is instant messaging (IM). IM's communication advantages over e-mail, most obviously letting users see whether a colleague is present and get an immediate response, drive its widespread adoption in organizations. Some other P2P applications, such as file-sharing applications designed to let users share movies, pictures and music files, have found legitimate business uses as well.
Aside from raising obvious questions about lost productivity, P2P applications pose security threats. Less-secure IM systems can be vectors for malware (and it's difficult to know which IM systems a client's users have actually installed). With file sharing, the malware threat exists, but there's another, potentially more serious problem. If the application opens a shared folder, any information in that folder can be accessed by any user subscribed to that file-sharing application. Such a file-sharing vulnerability caused a problem in 2006 for the Japanese Maritime Self Defense Force, when secret military documents on one officer's computer wound up being uploaded onto another person's computer through a file-sharing application that is popular in Japan.
Promisec Ltd. recently completed an audit to determine the extent of unauthorized P2P applications on corporate networks in the United States. We audited 32 organizations with 193,000 corporate endpoints in a search for unauthorized P2P applications and other security threats. About 4 percent of the corporate PCs, or 7,720, had unauthorized P2P applications such as Kazaa installed. Some 1,579 (0.82 percent) carried unauthorized remote-control software, such as GoToMyPC. (The audit also found more than 25,000 unauthorized USB devices attached to the endpoints, another area of security concern.)
It used to be enough to check the firewall log and have a bandwidth-control device in place, but P2P applications are becoming smarter, and most of them now run over common protocols, so their traffic no longer stands out from legitimate use.
Following are some proven methods for helping your clients get control over any P2P applications on their networks:
- Ensure that your client's users only have the permissions they need for their desktops and laptops. If a user's productivity doesn't improve with the use of a P2P application, blocking installation of that application reduces the likelihood of a problem.
- Work with your client's key decision-makers to develop a comprehensive endpoint security document that clearly spells out policies governing such issues as access to files, anti-virus updating and the use of unauthorized applications or attachable devices.
- Help your client communicate those policies and train its employees about the potential risks these applications pose to the company's network security. Proper education is necessary before companies can hold users accountable for their actions. One best practice: Provide users with copies of the company's policies and require them to sign a document confirming that they have read and understood the rules.
- Assist your client in implementing a strong endpoint security solution to enforce policy and monitor installed applications. Remediate by removing unwanted applications; implement measures to prevent them from being re-installed. Ultimately, companies must have an enforceable follow-up mechanism that can accurately identify misuse and single out rogue users without creating too much additional work for the IT department.
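The last two steps above amount to comparing what is actually installed on each endpoint against the written policy and reporting the gap. The following is an added illustration of that audit logic, not Promisec's product or the article's own method: it parses a constructed software inventory export (the `host|application|publisher` line format, the application names in the deny lists and the exception entry are all assumptions for the example), flags P2P file-sharing and remote-control software that has no approved exception, and summarizes how many endpoints are affected per category, in the same style as the percentages quoted from the audit above.

```python
"""Audit a constructed endpoint software inventory for unauthorized P2P and
remote-control applications and summarize the results per category.

Added example; not Promisec's product or the article's method. The inventory
format (host|application|publisher), the application names in DENYLIST and the
EXCEPTIONS entry are assumptions made for this illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed inventory export: one line per installed application per endpoint.
INVENTORY = """\
ws-001|Microsoft Office 2003|Microsoft Corporation
ws-001|Kazaa Media Desktop|Sharman Networks
ws-002|Microsoft Office 2003|Microsoft Corporation
ws-003|GoToMyPC|Citrix Online
ws-003|Symantec AntiVirus|Symantec Corporation
ws-004|Microsoft Office 2003|Microsoft Corporation
ws-005|LimeWire 4.12|Lime Wire LLC
ws-005|Kazaa Media Desktop|Sharman Networks
"""

# Policy: application-name prefixes (matched case-insensitively) that are not
# permitted unless the endpoint has an approved exception. Names are assumptions.
DENYLIST = {
    "p2p_filesharing": ("kazaa", "limewire", "edonkey", "bittorrent"),
    "remote_control": ("gotomypc", "logmein", "vnc"),
}

# (host, category) pairs with a documented business exception (constructed).
EXCEPTIONS = {("ws-003", "remote_control")}


@dataclass(frozen=True)
class Finding:
    host: str
    application: str
    category: str


def parse_inventory(text):
    """Parse 'host|application|publisher' lines; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 3 or not parts[0]:
            continue
        records.append(tuple(p.strip() for p in parts))
    return records


def classify(app_name):
    """Return the policy category an application name falls into, or None."""
    name = app_name.lower()
    for category, prefixes in DENYLIST.items():
        if any(name.startswith(p) for p in prefixes):
            return category
    return None


def audit(records, exceptions=EXCEPTIONS):
    """Return a Finding for every denied application without an exception."""
    findings = []
    for host, app, _publisher in records:
        category = classify(app)
        if category and (host, category) not in exceptions:
            findings.append(Finding(host, app, category))
    return findings


def summarize(records, findings):
    """Per category: distinct affected endpoints and their share of all endpoints."""
    total_hosts = len({r[0] for r in records})
    hosts_by_cat = defaultdict(set)
    for f in findings:
        hosts_by_cat[f.category].add(f.host)
    return {
        cat: (len(hosts), round(100.0 * len(hosts) / total_hosts, 2))
        for cat, hosts in hosts_by_cat.items()
    }


if __name__ == "__main__":
    recs = parse_inventory(INVENTORY)
    found = audit(recs)
    for f in found:
        print(f"{f.host}: {f.application} [{f.category}]")
    print(summarize(recs, found))
```

Keeping the exception list separate from the deny list is the point worth copying: the policy document names what is forbidden, the exception list records who was granted a deviation and why, and the audit output shows only what still needs remediation. Feeding the script a real inventory is a matter of replacing the constructed `INVENTORY` string with the export from whatever endpoint management tool the client uses.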
Ari Tammam (firstname.lastname@example.org) is vice president for channels at Promisec Ltd., a provider of agentless endpoint security management software. Promisec, a Microsoft Certified Partner, is based in Israel with U.S. headquarters in New York.