An article published by SC Magazine, entitled “First lady’s safe house location leaked on P2P”, was highlighted in a LinkedIn Group, where it spawned a discussion. The article breaks down the concern that lawmakers and regulators have with P2P networks due to the recent release of sensitive data.
You can find the article here, and the U.S. Committee on Oversight and Reform transcriptions & webcast here. The chairman’s closing remarks (short) are here on “predator-to-prey” networks.
I strongly advise reading through these to understand the current risks and perception of risks that exist.
The article is a good overview of a problem, but I would contend that the attack / threat / vector is not as described by the testimony or highlighted in this article. They state the problem is the P2P technology that led to the disclosure of the sensitive data. That is similar to blaming the highway for causing an accident. Professionals within the business of protecting assets and managing operations must have safeguards for the data that transcend the risks of the technology.
Safeguarding data begins with a few simple efforts (a good initial start…):
- Identify what is worth protecting (this definition allows for PII, PHI, Top Secret, Competitive importance)
- Determine the flows of data (i.e., the rabbit holes… follow the data from origination to retirement)
- Introduce process efficiencies (i.e., reduce the rabbit hole dead ends; add automation where possible; simplify the process to reduce the final assets requiring protection)
- Develop and define the necessary Safeguards to protect these assets
- Compare existing controls (for the remaining rabbit holes or “business processes”) and eliminate duplication
- Finally, define performance metrics of these controls, a timetable, and deploy
It is dangerous to assume and believe that P2P is the simple problem, and unfortunate that the committee seems to be hunting for a culprit that can be regulated, when in fact it is the current state of security within the Nation’s critical infrastructure, and this is as much an internal people problem as an internal technology compliance problem. I do agree with the elimination of software that is known to be at risk to attack, but in the client-browser attack world we live in today that would include things such as Internet Explorer! Removing access to Torrents and other P2P networks only stifles innovation and increases costs. A more risk-aware and intelligent method needs to be devised that allows the government to gain access to valuable resources without placing sensitive information at risk.
I look forward to anyone’s take and experience on solving this challenge,
James DeLuccia IV