TOOLS & TECHNIQUES

Using Kazaa to Test Your Security Posture

Ben Rothke, CISSP

An effective corporate information security policy will completely ban the use of peer-to-peer (P2P) file sharing software, such as Morpheus and Kazaa. Rightly so, as such software poses numerous security and privacy risks. The fact that P2P software is among the most downloaded files on the Internet should give information security managers pause. As of October 15, 2003, Download.com reported that the Kazaa Media Desktop has been downloaded over 285 million times.

Since P2P networks open the shared computer to millions of computers worldwide, even an inadvertent mistake can have huge repercussions.

Just some of the risks associated with P2P software include:

❏ Spread of worms and viruses. There are scores of reported cases of downloaded files being trojaned or virus-infected.
❏ Hogging of bandwidth. P2P networks are notorious for bringing networks to their knees.
❏ Legal issues/copyright infringement. Copyright laws are often violated on P2P networks.
❏ Bypasses internal controls. Sharing files over P2P eliminates the file-size restrictions of many email systems.
❏ Spyware/Adware. P2P software is replete with spyware and adware, which is software that reports a user’s usage habits and patterns back to a vendor site. Usually this information is used in an advertising context.
❏ Misconfigured file sharing. Users very often misconfigure their P2P software and end up sharing their entire hard drive.
❏ Launching pads for social engineering attacks. Once an attacker has internal information, he or she can use that to their advantage in a social engineering attack, since internal information provides access to authentic-sounding corporate vernacular and nomenclature.

Most users in your organization know that P2P is great for getting music, but are often completely unaware of the security risks of the software. The risks are huge, and all users need to be made aware of them.

From an information security perspective, it can be quite valuable to use P2P software yourself to see just how much of your proprietary and confidential data is available on P2P networks. The reason for this is that while the P2P software is meant to share music files, users often configure their software incorrectly and, rather than sharing their My Music folder, end up sharing their entire hard drive (for examples, see “Identity Theft Made Easy,” Alert, September 2003). This is a serious problem when the computer being used contains confidential and proprietary corporate data.

Port and vulnerability scanning is a required part of a security assessment. Now, with the ubiquitous use of P2P file sharing, checking to see whether your corporate files are being shared should also be part of that assessment.

Using Kazaa as an example, do a search on your company name. Make sure to highlight the Auto Search More button. This gives Kazaa the ability to search continuously for the file from more and more places, rather than running a single search and stopping.

Besides searching on your company name, the following keywords should be searched:

❏ Specialized project names
❏ Project codes
❏ Product names
❏ Manufacturing sites
❏ Employee ID numbers
❏ Financial forms
❏ Backups of entire email boxes

What can you expect to find? Anything that an employee can store on their hard drive can be uploaded via P2P. Companies that have done such P2P searches have often found treasure troves of information.

The danger is that information on P2P networks quickly multiplies. If a file is loaded and its sharing commences, it can easily be on a thousand hard drives within a few hours.

Countermeasures

If you don’t like what you find (or fear what you may find in the future), you’re not without options. Some countermeasures include:

Port blocking. For Kazaa, block TCP sessions on ports 1214, 1285, 1299, 1331, 1337, 3135, 3136 and 3137. This is not an infallible method, but it is a start.

Policies and procedures. Let users know that they should not have P2P software on corporate computers. If they have corporate data on their home computers and are running P2P software, additional controls must be put in place.

Software monitoring. Software from Vericept and SilentRunner can be used to see exactly what users are doing on the network.

In short, P2P programs are hugely popular and can’t be stopped. But by being aware of the real security and privacy issues, users can be more vigilant in their use of such systems. Companies that are not proactive with regard to P2P file sharing will find that much of their supposed competitive advantage is quickly shared with the masses and thereby lost.

Ben Rothke, CISSP is a New York-based security consultant with ThruPoint, Inc. McGraw-Hill has just published his Computer Security: 20 Things Every Employee Should Know. He can be reached at email@example.com
ATTENTION: COPYRIGHTED MATERIAL. It is unlawful to photocopy this page without express written permission of Computer Security ALERT.