IT Governance, Risk, and Compliance » Password-Protected Share http://itknowledgeexchange.techtarget.com/it-governance Mon, 20 May 2013 00:56:50 +0000 en-US hourly 1 Peer-to-Peer Networking – Part 2 http://itknowledgeexchange.techtarget.com/it-governance/peer-to-peer-networking-part-2/ http://itknowledgeexchange.techtarget.com/it-governance/peer-to-peer-networking-part-2/#comments Tue, 03 Mar 2009 04:05:51 +0000 Robert Davis http://itknowledgeexchange.techtarget.com/it-governance/?p=84 Maybe, experientially, the small branch office with a P2P network has escaped a security incident since deployment. Even so, a functional P2P network unintentionally presents itself as a potential target waiting for someone capable of pulling the threat trigger to introduce a potent security disaster. For instance, at the infrastructure level, attacks can originate from hackers taking advantage of a P2P enabled application to assist spyware or malware in slipping past perimeter defenses and lodging in the background of user devices. In particular, a P2P-agent utilized in communications software can include or hide spyware that collects information about the target system as well as user, then subsequently send compromised information to unauthorized individuals without the legitimate owner’s knowledge. High-Level Data Link Control, Frame Relay, and X.25 protocols have P2P communication modes that can be spyware enabled. Consequently, a P2P network should not be deployed unless effective compensating and mitigating security controls are implemented.

As operational baseline countermeasures to P2P risks, management should document and monitor P2P file-sharing technology to ensure that this capability is not utilized for unauthorized information distribution, display, processing, or reproduction. Furthermore, management should ensure the appropriate encryption is implemented to sustain an adequate telecommunications defense. Lastly, meticulous proactive security risk assessments of P2P networks can prevent inherent IT vulnerabilities from becoming threats requiring incident response resolution.

]]> http://itknowledgeexchange.techtarget.com/it-governance/peer-to-peer-networking-part-2/feed/ 0 Peer-to-Peer Networking – Part 1 http://itknowledgeexchange.techtarget.com/it-governance/peer-to-peer-networking-part-1/ http://itknowledgeexchange.techtarget.com/it-governance/peer-to-peer-networking-part-1/#comments Thu, 26 Feb 2009 18:49:52 +0000 Robert Davis http://itknowledgeexchange.techtarget.com/it-governance/?p=81 There are a variety of networking architectures available for deployment. Potential candidates include Peer-to-Peer, Client/Server and Master/Slave. However, Peer-to-Peer (P2P) architectures present unique governance issues to the information security manager when comparable network configurations are considered. Flawed implementations, poor legacy security standards, limited user awareness, as well as lax technical security and administrative practices can form especially lethal combinations that may decimate a positive assertion regarding P2P network access protection.

Focusing solely on access vulnerabilities, as most information security professionals are acutely aware, P2P is normally restricted to share-level security (also known as Password-Protected Share). Archetypical share-level assigned password security provisions two mutually exclusive access attributes (read-only and full) to a file, printer or other network object. Share-level security also normally lacks centralized access control capabilities. Specifically, a user ‘access matrix’ is usually absent from P2P architectures for granular authentication or authorization arbitration. Therefore, increased security risks are inherent with P2P deployment compared to other adoptable network configurations.

]]> http://itknowledgeexchange.techtarget.com/it-governance/peer-to-peer-networking-part-1/feed/ 0