John Alexander, Lockheed Martin
It doesn't start with headlines, but that's when it suddenly got interesting. One morning I awoke to headline news that plans for a US presidential helicopter had been leaked to an Iranian IP address via peer-to-peer (P2P) software from an unnamed defence contractor's computer. A few minutes of panicked reading and some level-headed critical thinking helped me to conclude that this news concerned neither my company nor one of our contracts. Others, however, were not as quick to reach such a conclusion, and thus started a project to review our policies, processes, and controls around P2P software.
It starts off simply enough: find and kill all instances of X within the company, if any. Well, X and Y. Make that X and Y and Z. Oh, just kill all P2P. Very quickly it expands and becomes a rabbit hole of questions. How do we define peer-to-peer (P2P) software? How do we build programmatic controls around it? How do we educate users about the risks? How do we track our progress? What counts as use? Just as with defence in depth, how can we discover in depth and/or recycle data to find things that we may otherwise have missed? How can we shape our response process to meet human needs? This paper will describe some of the challenges and creative solutions we have found to these questions and more.