Dec 26, 2008

Internal Net Policies. Part 1


I thought a good start to the "re-invigoration" of this blog would be to post a couple articles that have been written for other publication. Enjoy...



Internal Network policies

Part 1: File Sharing

Your company has convenience and accessibility once thought to be science fiction. Files can be transferred to the other side of the planet within seconds. Communication is a snap. Even within the past five to ten years, the Internet speeds available in certain areas have doubled, tripled or more. But with this convenience, as with anything, comes abuse. Could your network, at this moment, be in use for something other than what you intended?

Does your company have an internal network policy?

A recent national survey of U.S. white-collar workers commissioned by ISACA found that more than one-third (35%) of employees have violated their company’s information technology (IT) policies at least once and that nearly one-sixth (15%) of employees have used peer-to-peer file-sharing at least once at their place of business, opening the door to security breaches and placing sensitive business and personal information at risk. Do you have a policy in effect to prevent this?

What exactly is the risk?

Many file-sharing programs do just that: they “share” files. How so? In many popular, easy-to-use file-sharing applications, the initial setup may look for files, primarily media files, to make available to other users of that file-sharing network. With that in mind, consider the following scenario:

Bob wants to install a file-sharing program on his computer at work for something relatively harmless: he just wants some music to listen to at work. The program installs wonderfully, and Bob is ready to get some music and get productive. But there is a problem. During setup, the file-sharing application found a few media files in a directory to share; one is named “widget-demo.avi” and another is “jingle-music.mp3”. The major problem is not that it may have shared your commercial video or jingle music, but that when the program shares those files, it shares the entire contents of that folder. What else could be in that folder? Perhaps “Q4-earnings.xls”, “Board_of_Dirs_minutes.doc” or maybe “CompanyFinancial.qbb”. You get the point: this can be very dangerous.
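To check a workstation or file server for the exposure in Bob's scenario, the following Python audit (an added example, not part of the original article) walks a directory tree and reports every folder that contains media files alongside business documents. The extension lists and the sample folder names other than the five files quoted above are assumptions for illustration.

```python
import os
import tempfile

# Assumed extension lists for illustration; tune them to your environment.
MEDIA_EXT = {".avi", ".mp3", ".wmv", ".mpg", ".wav", ".mov"}
SENSITIVE_EXT = {".xls", ".doc", ".qbb", ".pdf", ".mdb", ".pst"}


def ext(name):
    return os.path.splitext(name)[1].lower()


def audit_share_exposure(root):
    """Return {folder: [sensitive files]} for every folder under root that
    holds at least one media file, i.e. a folder a setup scan could share."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        if not any(ext(f) in MEDIA_EXT for f in files):
            continue  # no media here, so a media scan would not pick it
        exposed = sorted(f for f in files if ext(f) in SENSITIVE_EXT)
        if exposed:
            findings[folder] = exposed
    return findings


def build_sample_tree(base):
    """Constructed sample data mirroring the article's scenario."""
    layout = {
        "Marketing": ["widget-demo.avi", "jingle-music.mp3",
                      "Q4-earnings.xls", "Board_of_Dirs_minutes.doc",
                      "CompanyFinancial.qbb"],
        "Finance": ["budget.xls"],   # no media: not selected by the scan
        "Music": ["song.mp3"],       # media only: nothing sensitive beside it
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(base, sub), exist_ok=True)
        for name in names:
            with open(os.path.join(base, sub, name), "w") as fh:
                fh.write("sample")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = audit_share_exposure(build_sample_tree(tmp))
        for folder, names in report.items():
            print(f"{folder}: {', '.join(names)}")
```

Pointing `audit_share_exposure` at a user profile or departmental share gives a list of folders where media should be separated from business documents before any policy exception for file sharing is considered.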

Conclusion

File sharing is very useful in some aspects of legitimate business. But this is only one of the various security risks in allowing a file-sharing application to be installed on an unattended client machine. The fact is that most file-sharing applications can bypass any firewall security you may have in place, negating any steps or investments you may have made to stop network attacks.

This is one of the many parts of a full network policy that your company should have. In upcoming articles we will discuss other aspects of a network policy and how to enforce them without restricting productivity.

Nick Hitchcock,

OSCP, CEH, CHFI, MCP

NHT Consulting

www.nhtconsulting.com