Network lockdown checklist
| Control | Status |
|---|---|
| Firewalls in place? | Check |
| IPS functional? | Check |
| Antivirus? | Check |
| AntiSpyware? | Check |
| Everything patched? | Check |
| Centralized log management? | Check |
| ... | |
| Highly sensitive confidential information leaked over P2P? | Check! |
NetworkWorld reports that numerous classified government documents, along with corporate confidential information, are being leaked over peer-to-peer networks. The documents found include "The Pentagon's entire secret backbone network diagram, complete with IP addresses" and "physical terrorism threat assessments for three major U.S. cities". The fright night doesn't end there: many corporate documents were also discovered, including board minutes, launch plans, growth targets and patent information.
Their networks are set up well, but their configuration management is Swiss cheese
Too much energy is being spent on network perimeter defenses. Those who still believe that a good perimeter wall solves the problem need look no further for proof to the contrary.
Eric Johnson, a professor at the Center for Digital Strategies at Dartmouth College, testified before the House Committee on Oversight and Government Reform on this issue of inadvertent information disclosure.
Quoting from the NetworkWorld article:
"I spend a lot of time with CISOs and CIOs who think they have locked down their networks and made it difficult for people to join P2P networks," Johnson said. But those controls fail when employees take work home and then connect their systems to a P2P network. "CISOs can do a great job hardening their own networks but controlling what thousands and thousands of individuals do is impossible," he said.
Mr. Johnson paints the picture perfectly: the problem is not with the networks, but with the overall configuration and compliance strategy. There is a classic use case in managing PCs that proves the difficulty of the situation.
The use case
The IT department configures and deploys systems based on a common operating environment. This includes hardware, an operating system and software, all configured to a known gold standard. Once that device leaves the hands of IT, it instantly changes, and in many unpredictable ways. Even with a good set of centralized administrative controls, such as Group Policy Objects on Windows, extraneous business needs lead to weaker controls. For example, many enterprises grant users local administrator access to the system so they can install patches or run legacy applications. Nor is every organization running Windows Server 2003 with Vista on the endpoints. These reasons and many others open the door for people to install applications, make changes and quickly diverge from the IT gold standard.
Continuous Compliance
Beginning with the gold standard is a must, but more importantly, once the device leaves the nest of IT it must be continuously monitored. This is one job of the vulnerability, configuration and compliance strategy.
According to the story at hand, the information was inadvertently leaked through peer-to-peer file-sharing applications. Had the device been under continuous configuration monitoring, an application such as LimeWire, Kazaa or another P2P client would have been discovered and reported to the security operations team for investigation.
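One way to implement the continuous monitoring check described above, as an added example rather than code from the article or any product it mentions: it compares a hypothetical endpoint's software and local-administrator inventory against a constructed IT gold standard, flags the P2P clients the article names, and produces ticket-ready lines for the security operations team. The baseline, the sample inventory and the host name are all constructed sample data.

```python
from dataclasses import dataclass

# Constructed baseline standing in for the IT gold standard of one device class.
GOLD_STANDARD = {
    "software": {"Microsoft Office": "2007", "Symantec AV": "10.2", "Adobe Reader": "8.1"},
    "local_admins": {"Administrator", "CORP\\Desktop-Support"},
}
P2P_CLIENTS = {"limewire", "kazaa"}  # the clients the article names; extend per policy
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

@dataclass
class Finding:
    severity: str
    kind: str
    detail: str

def check_drift(inventory: dict) -> list:
    """Findings sorted by severity; an empty list means the host matches the baseline."""
    findings, baseline = [], GOLD_STANDARD["software"]
    installed = inventory.get("software", {})
    for name, version in installed.items():
        if name not in baseline:  # user-installed software, the drift the article describes
            if name.lower() in P2P_CLIENTS:
                findings.append(Finding("high", "p2p-client", f"{name} {version}"))
            else:
                findings.append(Finding("medium", "unapproved-software", f"{name} {version}"))
        elif version != baseline[name]:  # patch level has drifted from the standard
            findings.append(Finding("low", "version-drift", f"{name} {version} != {baseline[name]}"))
    for name in baseline:
        if name not in installed:  # a baseline control was removed (e.g. antivirus uninstalled)
            findings.append(Finding("medium", "missing-baseline-software", name))
    # Extra local admins are what makes most of the above possible in the first place.
    for admin in sorted(set(inventory.get("local_admins", ())) - GOLD_STANDARD["local_admins"]):
        findings.append(Finding("medium", "local-admin-drift", admin))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])  # stable: keeps insertion order

def report(host: str, findings: list) -> str:
    """One ticket-ready line per finding for the security operations queue."""
    lines = [f"{host}: {f.severity.upper()} {f.kind}: {f.detail}" for f in findings]
    return "\n".join(lines) if lines else f"{host}: compliant with gold standard"

# Constructed inventory for a hypothetical laptop that went home and came back.
SAMPLE_INVENTORY = {
    "software": {"Microsoft Office": "2007", "Symantec AV": "10.1", "LimeWire": "4.14"},
    "local_admins": {"Administrator", "CORP\\Desktop-Support", "jdoe"},
}

if __name__ == "__main__":
    print(report("LAPTOP-0042", check_drift(SAMPLE_INVENTORY)))
```

In practice the inventory would come from the endpoint agent or management console on a schedule, and the report lines would be fed into the centralized log management the checklist already ticks off.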
This is the latest security challenge, and every organization must address the risk of losing confidential information and intellectual property. Continuous monitoring has to be treated as one component of a layered, proactive strategy.

Comments (1)
Such valid points. Only wish people would listen to what you say here!
Posted by Edwin | August 5, 2007 9:41 PM