Sunday, March 30, 2008

Is Someone in Your Company Publishing All Your Confidential Files? How Do You Know?

I've written about IT security, in one form or another, for almost a decade now, so I've seen more than my fair share of stories about virus and worm attacks, employees stealing confidential information, malware being used to extort money from large companies, and other nefarious acts of theft and sabotage. But I have to say that a pair of articles—one by John Foley and another by Avi Baumstein—in a recent issue of InformationWeek managed to rattle even me.

The topic is data leakage caused by peer-to-peer (P2P) file-sharing applications. P2P applications enable users to share and transmit files over a vast network of computers all running the same P2P software. In some P2P networks, a node simply makes files available for other nodes to discover and download. For example, I might put a bunch of documents in a sharing folder. You might use the P2P application to search for these documents, discover them, and copy them from my system to yours.

Another model of P2P network is specially designed for handling large media files, such as software distribution packages and movies. These networks use a "swarming" protocol such as BitTorrent to disassemble very large files, transmit them as hordes of little files, and then reassemble them into a copy of the original on the other end. Because there are hundreds, thousands, or even millions of computers functioning as nodes in the network, this type of P2P network offers a convenient solution for efficiently distributing large files, such as 150 MB software packages, without putting excessive load on any one CPU or segment in the network.

Sounds clever and convenient, right? But P2P file-sharing applications can also be dangerous, because many of them allow anonymous remote users to browse and transfer a lot more content than the computer owner may realize. Here's a typical example: Joe comes home from a long day's work at a large accounting firm. He wants to download a song he heard on the radio. He uses a P2P network to find a bootleg copy of the song. He downloads the song. What he doesn't realize is that when he's installing the P2P application and clicking Next, Next, Next to get through the installation, he's making the entire contents of his laptop accessible to the P2P network. Other users of the network can now browse his laptop and download whatever they find.

His company's firewall? Bypassed. His company's security policies? Moot. Joe is not intending to do harm (well, other than perhaps grabbing a pirated version of a song), but by using P2P software, he's effectively negating the millions of dollars of security controls his IT department has developed and implemented to keep their business data confidential and in compliance with regulations such as SOX and Gramm-Leach-Bliley. He's publishing all the confidential materials he has on his laptop. Chances are, he's got quite a few.

When InformationWeek reporters investigated P2P networks to find out just how much confidential data was being accidentally leaked by P2P networks, they were shocked at what they found. Users were inadvertently publishing "spreadsheets, billing data, health records, RFPs, internal audits, product specs, and meeting notes . . . files with the home and cell phone numbers of senators, confidential meeting notes, and fund-raising plans [for a state political party] . . . spreadsheets listing patients' names along with their HIV and hepatitis status . . . [and] a slew of court documents regarding a sticky divorce."

Limewire, the most popular client for the Gnutella P2P network, is supposedly installed on over 18% of all computers.

Three suggestions, then:

  1. Read the full InformationWeek articles (here and here) and encourage your managers and employees to do the same.
  2. Forbid or tightly control the use of P2P programs such as Limewire on your business computers.
  3. Have an IT engineer use one of these programs immediately to discover if your business is already exposed.
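
As an added illustration (not code from the article or from any P2P client), here is a Python check an IT engineer could run on a workstation before trusting a file-sharing client's configuration: given the folder the client shares, it reports whether that folder swallows the user's whole profile (the "Next, Next, Next" failure mode above) and lists the document types the InformationWeek reporters found leaking. It assumes the share root is already known from the client's settings, which this example does not parse, and it builds a constructed sample profile in a temporary directory.

```python
import re
import tempfile
from pathlib import Path

# Document types of the kind the reporters found on P2P networks:
# spreadsheets, billing data, health records, audits, RFPs.
SENSITIVE_SUFFIXES = {".xls", ".xlsx", ".csv", ".doc", ".docx", ".pdf", ".pst", ".mdb"}
SENSITIVE_NAME_PATTERNS = re.compile(r"(patient|hiv|billing|audit|rfp|payroll|ssn|confidential)", re.I)


def audit_share_root(share_root: Path, home: Path) -> dict:
    """Report whether share_root exposes the whole profile and which files look sensitive."""
    share_root = share_root.resolve()
    home = home.resolve()
    # Sharing the home directory (or any ancestor of it) publishes everything the user owns.
    whole_profile_shared = home == share_root or share_root in home.parents
    flagged = []
    for path in share_root.rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        if path.suffix.lower() in SENSITIVE_SUFFIXES:
            reasons.append("document type")
        if SENSITIVE_NAME_PATTERNS.search(path.name):
            reasons.append("sensitive name")
        if reasons:
            flagged.append((path.relative_to(share_root).as_posix(), reasons))
    return {"whole_profile_shared": whole_profile_shared, "flagged": sorted(flagged)}


def build_constructed_profile(base: Path) -> Path:
    """Constructed sample: a home directory with a music share folder and some work documents."""
    home = base / "home" / "joe"
    (home / "Shared Music").mkdir(parents=True)
    (home / "Shared Music" / "song.mp3").write_bytes(b"\x00")
    (home / "Documents").mkdir()
    (home / "Documents" / "Q1_billing.xlsx").write_bytes(b"\x00")
    (home / "Documents" / "patient_list.csv").write_text("name,status\n")
    (home / "Documents" / "notes.txt").write_text("meeting\n")
    return home


def demo():
    """Compare a share root limited to the music folder with one set to the whole profile."""
    with tempfile.TemporaryDirectory() as tmp:
        home = build_constructed_profile(Path(tmp))
        narrow = audit_share_root(home / "Shared Music", home)
        whole = audit_share_root(home, home)
        return narrow, whole
```

The same walk can be pointed at the real share folder recorded in a client's settings; a non-empty flagged list or a true whole_profile_shared is the signal that the machine is already exposed.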
