Employees continue to get around corporate controls by installing Internet-facing applications that go unchecked, uncontrolled and unmanaged by the company's IT staff. Among the most popular apps: instant messaging, Web-based e-mail, Web logs, video logs, MP3 files, P2P, VoIP and remote access programs like PCAnywhere.
Though these applications can provide some benefit to a business, they all also pose technical and business risks. For instance, their chatty nature could lead to data leakages. And, as Bank of America's Todd Inskeep notes, "Any of these applications also become an alternative method for distributing malicious software."
- Are P2P applications worth the risk?
- IM and file-sharing top the SANS Top 20.
- Disconnecting desktops is one alternative for dealing with unauthorized applications.
Almost all these apps support Port 80 and Port 443 connections, but instant messaging in particular is "port agile," and many proprietary programs such as AOL Instant Messenger work aggressively to send and receive messages between networks, said Inskeep, the financial giant's VP and senior information security architect.
Inskeep recommends first teaching employees what is acceptable to download, then installing any number of software management tools to detect and remove unwanted apps from desktops. To gauge these apps' pervasiveness and determine how best to block them, consider setting up Internet connections within a DMZ to analyze the protocol- and port-changing nature of vendors' software, often done to avoid antivirus or antispyware detection. In addition, consider expanding the DMZ to leverage both an internal and external firewall: one to lock down ports; the other to analyze packets.
"What choices you make depends on your business requirements," Inskeep noted. Bank of America, which has 175,000 employees worldwide, has developed its own corporate IM system, partly to allow such communications while also meeting regulatory mandates. To improve productivity and help prevent the accidental leak of proprietary information, BoA employees are discouraged, but not prohibited from messaging friends and family.
Want a real eye-opener? Inskeep suggested installing Skype, a free encrypted Internet telephony system known to aggressively scan for open connections on an internal, isolated machine. "Skype will go through it like holes in Swiss cheese," he said.
Other options include:
- Locking down desktops so users don't have admin access to download Web applications.
- Using URL filtering to block specific sites used to access messaging or file-sharing programs.
- Analyzing protocols used by Web apps to determine which ports need to be closed to Web traffic.
- Inspecting traffic using conventional and/or application-level firewalls.
- Adopting stronger policies that outline clear use or abuse of instant messaging, blogs, etc.
- Enforcing use of remote access controls, such as VPNs, for devices outside the corporate network.
- Enhancing employee awareness training so users understand which apps are allowed and under what circumstances.
Each application needs its own risk analysis. "The cost of implementation in most cases is pretty low. Your employees are downloading it for free," Inskeep said. But adding security will add to the bottom line. Failing to secure these applications could cost a company as well.