P2P as a corporate persona non grata

John Alexander (Lockheed Martin)


It doesn't start with headlines, but that's when it suddenly got interesting. One morning I awoke to headline news that plans for a US presidential helicopter had been leaked to an Iranian IP address via peer-to-peer (P2P) software from an unnamed defence contractor's computer. A few minutes of panicked reading and some level-headed critical thinking helped me to conclude that this news was not about my company nor one of our contracts. Others, however, were not as quick to reach such a conclusion; and thus started a project to review our policies, processes, and controls around P2P software.

It starts off simply enough: find and kill all instances of X within the company, if any. Well, X and Y. Make that X, Y and Z. Oh, just kill all P2P. Very quickly it expands and becomes a rabbit hole of questions. How do we define peer-to-peer (P2P) software? How do we build programmatic controls around it? How do we educate users about the risks? How do we track our progress? What counts as use? By analogy with defence in depth, how can we discover in depth, and/or recycle data already collected for other purposes, to find things that we would otherwise have missed? How can we shape our response process to meet human needs? This paper will describe some of the challenges and creative solutions we have found to these questions and more.
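One way to make "discovery in depth" concrete: correlate two independent views of the estate so that a P2P installation missed by one source is still caught by the other. The script below is an added illustration and is not code from the paper or from Lockheed Martin; the CSV exports, the product and port indicators, and the peer-count threshold are all constructed assumptions, and a real programme would maintain and review its own indicator list because "what counts as P2P" is a policy decision rather than a constant.

```python
"""Added illustration of 'discovery in depth' for P2P software.

Two constructed, independent data sources are correlated: an endpoint
software inventory and a firewall/netflow export.  A host whose P2P client
has been renamed (and so is missed by inventory) is still caught by its
network behaviour, and vice versa.  Indicators are assumptions, not a
recommended list.
"""
import csv
import io
from collections import defaultdict

# Constructed endpoint software inventory export (hypothetical format).
# WS-1003 runs a renamed P2P client that the inventory does not recognise.
INVENTORY_CSV = """host,product,path
WS-1001,BitTorrent,C:\\Users\\alice\\AppData\\Roaming\\BitTorrent\\bittorrent.exe
WS-1002,Microsoft Office,C:\\Program Files\\Microsoft Office\\Office16\\winword.exe
WS-1003,Acme Deployment Agent,C:\\Program Files\\Acme\\agent.exe
"""

# Constructed firewall/netflow export (hypothetical format): one row per
# (host, destination port), with the count of distinct remote peers seen.
FLOW_CSV = """host,dst_port,proto,distinct_peers
WS-1001,6881,tcp,40
WS-1002,443,tcp,3
WS-1003,6969,udp,55
WS-1004,445,tcp,2
"""

# Assumed indicators.  Product names and listener ports historically
# associated with P2P file sharing; a production list would be curated.
P2P_PRODUCTS = {"bittorrent", "utorrent", "limewire", "frostwire", "emule"}
P2P_PORTS = {6881, 6882, 6883, 6969, 4662, 4672}
PEER_THRESHOLD = 20  # many distinct peers on one port looks like a swarm


def inventory_hits(csv_text):
    """Hosts whose installed-software inventory names a known P2P product."""
    hits = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["product"].strip().lower() in P2P_PRODUCTS:
            hits[row["host"]] = f"inventory:{row['product']}"
    return hits


def flow_hits(csv_text):
    """Hosts whose flows look like P2P: a known port AND many distinct peers.

    Requiring both conditions keeps a single stray connection to a P2P port
    from being reported on its own.
    """
    hits = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        port = int(row["dst_port"])
        peers = int(row["distinct_peers"])
        if port in P2P_PORTS and peers >= PEER_THRESHOLD:
            hits[row["host"]] = f"flow:{row['proto']}/{port} peers={peers}"
    return hits


def correlate(inventory_csv, flow_csv):
    """Union of both views, keyed by host, recording which source(s) fired.

    Hosts seen by both sources are the strongest cases; hosts seen by only
    one are exactly what a single-source sweep would have missed.
    """
    evidence = defaultdict(list)
    for host, why in inventory_hits(inventory_csv).items():
        evidence[host].append(why)
    for host, why in flow_hits(flow_csv).items():
        evidence[host].append(why)
    return dict(evidence)


if __name__ == "__main__":
    for host, reasons in sorted(correlate(INVENTORY_CSV, FLOW_CSV).items()):
        print(host, "; ".join(reasons))
```

On the constructed data, WS-1001 is reported by both sources, WS-1003 only by its network behaviour (the inventory saw a renamed binary), and WS-1002 and WS-1004 by neither. The same flow export is "recycled" data: it was collected for the firewall's own purposes and costs nothing extra to mine for P2P signals.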

