The right controls in the right place

The American media has been afire this week about some important data leakage events that appear to have occurred within the Defense Department and its contractors in the February time frame. Blueprints and other secret information on the Joint Strike Fighter and the President’s personal helicopter Marine One were leaked through P2P networks.

Congressman Edolphus Towns sent a letter about the incident (PDF) to the Attorney General expressing his concerns about the use of LimeWire and other P2P applications by government employees and contractors.

Much of the media reaction has been the traditional response to these types of events… “Firewalls need to be reinforced” and “Why do these users have permissions to install such dangerous applications on their desktops?” I prefer to look at the problem a slightly different way.

Firstly, more and more applications in this mobile Internet, highly social age have defined themselves by simply working. To work simply means these applications do not expect home users or office drones to have the ability to adjust firewall rules to make their sharing application or VoIP program work. The designers of these applications – for better or for worse – have found creative, and occasionally subversive, methods to defeat our best defenses. They mimic web browsing, FTP, and a whole host of other applications in their attempts at “getting out.”

Secondly, most of the IT world is unfortunately running a host of legacy applications, often requiring that administrative rights be granted to all users.

Recently Microsoft has begun implementing controls to draw attention to the use of these rights, as well as informing the end user of the potential danger of their actions. Of course, we all become numb to it after a while, and start blindly clicking “Accept” like trained rats.

Even if all this were possible, many applications need not be installed to run. Most users’ favorite dangerous applications are available in a portable flavor. Portable Firefox, Portable Skype, etc. are not difficult to find and are freely available without requiring any administrative rights. Which ultimately brings me to the point…

You can’t trust your users to be your trusted partner in protecting the desktop

Your users aren’t (usually) being malicious; they simply don’t see it the way we do, nor understand the risks involved in ignoring our guidance.

One approach we have taken at Sophos is to introduce the concept of Application Control. This technology allows IT administrators to load virus-like identities from Sophos that define legitimate applications that you do not want to run on your network.

By using the anti-virus product in this manner we can identify versions of Firefox, Skype, LimeWire, Kazaa, etc. before they are ever published. Legitimate applications do not try to obfuscate themselves the same way as actual malware, making them much easier to detect – reactively or proactively. Helping users do the right thing in the simplest way possible should be in all of our best interests.

Because this is a blog, and not a novel, I will stop now. Perhaps next time I will have the opportunity to talk about properly protecting this data in the first place, so it cannot be leaked in its naked glory.