As part of our continued effort to provide you with information to help you use technology as a tool to grow your business, we ask experts to contribute to Smallbiztechnology.com. This week Steve Yin, Executive Vice President of Global Sales and Marketing at St. Bernard, helps us understand the dangers of peer-to-peer networks. St. Bernard provides web security solutions.
Since the inception of the Internet, users have sought a convenient and effective way to share data – particularly large files that aren’t easily transmitted via email. FTP (file transfer protocol) technology, which was created in 1971, emerged as the standard in the mid-80s and is still used today, particularly when sharing large files between businesses. It’s safe because the file is uploaded by one user and held on an FTP server before being downloaded by the recipient. Because files are centrally located, it is easier to secure them against viruses, malware and other threats.
With the introduction of Napster in 1999, the transferring of data over the Internet took a dramatic turn. Now, instead of going to a designated FTP site and downloading data from a secure server, users could instantly transfer data peer-to-peer (P2P) – from one computer to another, and ultimately to the world, because anyone who had the service could access all the data. As Napster gained in popularity, other services followed suit and today there are scores of file-sharing protocols such as KaZaA, LimeWire and Morpheus, to name just a few.
More importantly, social-networking sites such as MySpace and Facebook have helped file sharing among their users grow exponentially, while camouflaging the threats that can accompany it. Many users on these sites try to be conscientious, but would not hesitate to download files from a friend, which is where exploits often start. In most cases, users are totally unaware that their actions could be exposing their personal data, not to mention corporate files, to criminal hackers. The consequences of P2P file sharing can be dangerous and costly, as these recent examples illustrate:
It was recently revealed by Tiversa, a US security company, that a security breach last summer exposed military information to an IP address in Tehran, Iran. This information included engineering upgrades, aviation blueprints and financial data for Marine One, the President’s official helicopter. Tiversa traced the security breach to a defense contractor in Maryland and believes the files were exposed via P2P file sharing. In addition to the leaked classified information, the contractor’s internal email communications, calendar and contact data were also exposed.
Over 5,000 Citigroup mortgage customers were exposed via P2P sharing when a Citigroup employee joined a file-sharing P2P network online and exposed corporate files held on her personal computer. The customers who were jeopardized had their social security numbers and other personal information accessed through this unintentional security breach.
Another incident involved current and former Pfizer employees, 17,000 of whom had their social security numbers exposed by the spouse of a Pfizer employee. The incident happened when an employee took home a Pfizer-owned laptop that had the personal data on it. When the spouse downloaded a P2P program, the data became vulnerable.
Unfortunately, these incidents are not uncommon, and each of the cases cited here was likely an accident, not an intentional criminal action. However, they point out how easily an intentional exploit could be launched via P2P. As the economy continues to struggle, we can expect direct malicious attacks to increase.
The opportunity for disgruntled ex-employees to do harm cannot be ignored, and yet, whether deliberate or inadvertent, the risk for companies remains the same. As these illustrations show, the risks aren’t restricted to exposing personal data. Corporations invest heavily in their proprietary technologies and other data, going to great lengths to secure their intellectual property. Yet, as in the case of Marine One, these assets can be easily exposed via negligent or criminal P2P file sharing.
What is the Answer?
Fortunately, there are measures organizations can take to reduce the likelihood of network attacks via P2P activity. Experts seem to agree that a multi-layered approach is critical. It’s not enough to have a firewall, antivirus software and an airtight acceptable use policy. In order to mitigate the myriad P2P threats, existing and emerging, companies must employ concerted defenses, including intrusion prevention, data loss prevention and comprehensive Web security. Protecting sensitive corporate data, including intellectual property, financial information and employee personal data, can only succeed if all portals are secured, particularly Internet P2P protocols.