Rothke Using Kazaa To Test Your Security Posture


Published on

An effective corporate information security policy will completely ban the use of peer-to-peer (P2P) file sharing software,
such as Morpheus and Kazaa.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Rothke Using Kazaa To Test Your Security Posture

  1. 1. 4 September 2003). This is a serious problem when the computer being used contains confidential and proprietary corporate data. Port and vulnerability scanning is a required part of a security TOOLS & TECHNIQUES assessment. Now with the ubiquitous use of P2P file sharing, checking to see if your corporate files are being shared should now be part of that assessment. Using Kazaa to Test Using Kazaa as an example, do a search on your company name. Make sure to highlight the Auto Search More button. Your Security Posture This gives Kazaa the ability continuously search for the file from more and more places, rather than a single search and stopping. Besides searching on your company name, the following key- words should be searched: Ben Rothke, CISSP ❏ Specialized project names An effective corporate information security policy will com- ❏ Project codes pletely ban the use of peer-to-peer (P2P) file sharing software, ❏ Product names such as Morpheus and Kazaa. Rightly so, as such software poses ❏ Manufacturing sites numerous security and privacy risks. The fact that P2P software ❏ Employee ID numbers are some of the most downloaded files on the Internet should ❏ Financial forms give information security managers pause. As of October 15, ❏ Backups of entire email boxes 2003, reported that the Kazaa Media Desktop has been downloaded over 285 million times. What can you expect to find? Anything that an employee can Since P2P networks open the shared computer to millions of store on their hard drive can be uploaded via P2P. Companies computers worldwide, even an inadvertent mistake can have that have done such P2P searches have often found treasure huge repercussions. troves of information. Just some of the risks associate with P2P software include: The danger is that information on P2P networks quickly mul- tiplies. If a file is loaded and its sharing commences, it can easily ❏ Spread of worms and viruses. There are scores of reported be on a thousand hard drives within a few hours. cases of files downloaded being trojaned or virus-infected. ❏ Hogging of bandwidth. P2P networks are notorious for Countermeasures bringing networks to their knees. If you don’t like what you find (or fear what you may find in ❏ Legal issues/copyright infringement. Copyright laws are of- the future), you’re not without options. Some countermeasures ten violated on P2P networks. include: ❏ Bypasses internal controls. Sharing files over P2P eliminates the file-size restrictions of many email systems Port blocking. For Kazaa, block TCP sessions on ports 1214, ❏ Spyware/Adware. P2P software is replete with Spyware and 1285, 1299, 1331, 1337, 3135, 3136 and 3137. This is not a in- Adware, which is software that reports back to a vendor site a fallible method, but a start. user’s usage habits and patterns. Usually this information is used in an advertising context. Policies and procedures. Let users know that they should not ❏ Misconfigured File Sharing. Users very often misconfigure have P2P software on corporate computers. If they have corpo- their P2P software and end up sharing their entire hard drive. rate data on their home computers, and are running P2P soft- ❏ Launching pads for social engineering attacks. Once an at- ware, additional controls must be put in place. tacker has internal information, he or she can use that to their advantage in a social engineering attack, since internal infor- Software monitoring. Software from Vericept and SilentRunner mation provides access to authentic-sounding corporate ver- can be used to see exactly what users are doing on the network. nacular and nomenclature. In short, P2P programs are hugely popular and can’t be stopped. Most users in your organizations know that P2P is great for get- But by being aware of the real security and privacy issues, users ting music, but are often completely unaware of the security risks can be more vigilant in their use of such systems. Companies with the software. The risks are huge, and all users need to be that are not proactive with regard to P2P file sharing will find made aware of them. that much of their supposed competitive advantage is quickly From an information security perspective, it can be quite valu- shared with the masses and thereby lost. able to use it yourself to see just how much of your proprietary and confidential data is available on P2P networks. The reason for this is that while the P2P software is meant to share music Ben Rothke, CISSP is a New-York based security consultant files, users often incorrectly configure their software and rather with ThruPoint, Inc. McGraw-Hill has just published his than sharing their My Music folder, they often share their entire Computer Security: 20 Things Every Employee Should Know. hard drive (for examples, see “Identity Theft Made Easy,” Alert He can be reached at ATTENTION: COPYRIGHTED MATERIAL. It is unlawful to photocopy this page without express written permission of Computer Security ALERT.