Published in the September 2008 edition of Greater Owensboro Business Magazine
Controlling an uncontrollable security risk
By Eric Dever
Peer-to-peer networks are compromising company data at epidemic levels
Think your company data is secure? Think again. The problem of business data being shared on peer-to-peer (P2P) networks by unsuspecting users isn't new, but the stakes are getting a lot higher. More companies have employees working from home or on the road, and corporate data is being accessed and stored on computers outside company network boundaries more than ever. Employees are installing applications on their company computers at home and storing videos and music that are shared and downloaded through popular P2P file-sharing applications. The problem is that not everyone is using P2P file-sharing just for music and videos. Shady characters are searching for financial records, Social Security numbers, personal data or worse. P2P file-sharing programs have been around for a while and by nature aren’t very difficult to use. The easiest to use, such as Kazaa or LimeWire, generally appeal to those who are looking to grab a quick song or two and might not have the most advanced computer skills. These users often misconfigure the settings on such applications, resulting in the entire contents of their computers, including the “My Documents” folder, e-mails, naughty pictures and the family pet, being shared over the P2P network.
If you go onto any of these P2P networks and conduct a search for a personally oriented file such as “resume,” there are bound to be hundreds – if not thousands – of results. Try searching for more corporate-oriented data such as “W2,” “minutes,” “audit,” “password list,” “report” or “proposal” and you will turn up similar results. Most P2P applications allow you to browse the host computer if you do find a particularly interesting file.
Although many enterprise-level organizations have policies forbidding P2P applications, most admittedly do not monitor P2P network traffic, and understanding the risks of P2P is so far down the scale of concern for executives that the issue is largely ignored. This problem was underscored recently by several massive, high-profile security breaches.
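The monitoring gap described above is one an IT department can close with data it already has. The following script is an added example, not part of the original article, that runs two simple checks over constructed firewall or NetFlow export lines: connections from internal hosts to ports historically used by the clients the article names (the port list is assumed from public protocol documentation, and modern clients often randomize ports), and high peer fan-out, where one internal machine talks to many distinct external addresses, which is typical of swarm-style file sharing and rare for ordinary office traffic. The log format, the 10.0.0.0/8 internal range and the threshold are assumptions for the example.

```python
"""Flag internal hosts whose outbound traffic looks like P2P file-sharing.

Two signals, both available from ordinary firewall or NetFlow exports:
  1. connections to well-known default P2P ports;
  2. high peer fan-out: one internal host talking to many distinct
     external addresses within the export window.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Default ports historically used by Kazaa/FastTrack (1214), eDonkey (4662),
# Gnutella/LimeWire (6346-6347) and BitTorrent (6881-6889). Assumed here from
# public protocol documentation; clients often randomize, so fan-out matters more.
P2P_PORTS = {1214, 4662, 6346, 6347, *range(6881, 6890)}
INTERNAL = ip_network("10.0.0.0/8")   # assumed corporate address range
FANOUT_THRESHOLD = 5                  # distinct external peers before alerting (tunable)

# Constructed sample export: "timestamp src_ip src_port dst_ip dst_port proto bytes".
SAMPLE_FLOWS = """\
2008-09-02T09:01:10 10.0.5.21 50123 203.0.113.7 443 tcp 5120
2008-09-02T09:01:12 10.0.5.21 50124 198.51.100.9 443 tcp 2048
2008-09-02T09:02:03 10.0.5.44 41000 198.51.100.20 6346 tcp 900
2008-09-02T09:02:05 10.0.5.44 41001 198.51.100.21 6346 tcp 900
2008-09-02T09:02:07 10.0.5.44 41002 203.0.113.30 52001 udp 640
2008-09-02T09:02:08 10.0.5.44 41003 203.0.113.31 52770 udp 640
2008-09-02T09:02:09 10.0.5.44 41004 203.0.113.32 31555 tcp 15000
2008-09-02T09:02:11 10.0.5.44 41005 203.0.113.33 6881 tcp 15000
2008-09-02T09:03:00 10.0.5.60 41100 203.0.113.40 6881 tcp 700
2008-09-02T09:03:30 10.0.5.21 50125 203.0.113.7 80 tcp 300
"""


def parse_flows(text):
    """Yield one dict per well-formed flow line; blank or malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts, src, sport, dst, dport, proto, nbytes = parts
        try:
            yield {"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
                   "sport": int(sport), "dport": int(dport),
                   "proto": proto, "bytes": int(nbytes)}
        except ValueError:
            continue   # unparsable address or number: ignore the line


def find_p2p_suspects(text, fanout_threshold=FANOUT_THRESHOLD):
    """Return {internal_host: {"ports": [...], "peers": n, "reasons": [...]}}
    for every internal host that trips at least one of the two checks."""
    peers = defaultdict(set)       # internal host -> distinct external peers
    port_hits = defaultdict(set)   # internal host -> P2P ports contacted
    for f in parse_flows(text):
        if f["src"] not in INTERNAL or f["dst"] in INTERNAL:
            continue   # only outbound internal -> external traffic is scored
        peers[f["src"]].add(f["dst"])
        if f["dport"] in P2P_PORTS:
            port_hits[f["src"]].add(f["dport"])

    report = {}
    for host in peers:
        reasons = []
        if port_hits[host]:
            reasons.append("known P2P port")
        if len(peers[host]) >= fanout_threshold:
            reasons.append("high peer fan-out")
        if reasons:
            report[str(host)] = {"ports": sorted(port_hits[host]),
                                 "peers": len(peers[host]),
                                 "reasons": reasons}
    return report


if __name__ == "__main__":
    for host, info in find_p2p_suspects(SAMPLE_FLOWS).items():
        print(host, info)
```

On the constructed sample, 10.0.5.44 is flagged on both signals (six distinct peers, two known ports) and 10.0.5.60 on the port signal alone, while the ordinary web browsing from 10.0.5.21 is left alone. A port hit on its own is weak evidence; in practice the fan-out count is the signal worth tuning against a baseline of normal traffic for the site.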
An employee of the pharmaceutical manufacturer Pfizer had a file-sharing application on her company laptop, which she brought home regularly, that allowed outsiders to access the personal data of over 17,000 past and current Pfizer employees. The employee’s spouse had installed the P2P software to swap music and inadvertently shared over 2,300 sensitive company documents. Pfizer isn’t alone. An employee of Citibank’s ABN Amro Mortgage inadvertently shared the personal information, including name, address, birth date and Social Security number, of more than 5,000 customers through a file-sharing application on a company laptop. A terrorist threat assessment of Chicago's transit system, completed by the consulting firm Booz Allen Hamilton under contract to the Federal Transit Administration, was recently widely available on a P2P network.
Companies that do recognize the scope of this vulnerability and take security measures to prevent such breaches within their own corporate network are still at risk from outside sources, no matter how strict the policy or aggressive the controls. Studies have found that 60% of disclosed files originate from outside the corporate network perimeter, from suppliers, contractors, attorneys, partners, and employees working from home or on the road.
This is one issue that IT departments can’t remedy simply by purchasing a product or changing settings. It will require a change in company culture, starting with educating users on the dangers of P2P sharing and creating home-use policies to lower the risk of leaks from home-office PCs.
Clearly it is time to add P2P file-sharing to your list of security threats.