Your Data And The P2P Peril

What might have been a minor breach of IT policy at Pfizer last year cascaded into a serious security incident when the personal data of 17,000 employees and former employees leaked onto a peer-to-peer network. Connecticut's state attorney general, concerned that state residents were at risk, launched an investigation. At least one former employee filed a lawsuit against the company.

It all started when the spouse of a Pfizer employee used file-sharing software on a company laptop, presumably to swap music or other content with other P2P users. Unknowingly, the laptop user also exposed 2,300 work files, including those containing sensitive Pfizer employee data--names, Social Security numbers, addresses, and bonus information resident on the laptop.

Pfizer isn't the only company to have its sensitive data exposed in this way. A former employee of ABN Amro Mortgage Group last year exposed spreadsheets with personal data on 5,000 customers from a home computer loaded with the BearShare file-sharing program. And last fall, a terrorist threat assessment of Chicago's transit system, completed by Booz Allen Hamilton under contact to the Federal Transit Administration, surfaced on a P2P network.

DIG DEEPER

An End To Data Leaks

Find out about extrusion-prevention systems that can drop attackers in their tracks.

Download this
InformationWeek Report

>> See all our Reports <<

The problem of business data being leaked onto P2P networks by unsuspecting users isn't new, but it's getting worse. Researchers with the Center for Digital Strategies at Dartmouth College's Tuck School of Business, pointing to a rise in P2P usage and the decentralized nature of P2P networks, have concluded that file sharing is a growing security threat to business. File-sharing programs account for three of the top 10 apps on CNET's Download.com. And it's not just an internal issue; customers and business partners are frequently the sources of P2P data exposure.To gauge the seriousness of the situation, we launched an investigation to see what kind of corporate data could be found on the popular Gnutella network. We discovered spreadsheets, billing data, health records, and more. (See our full report, "Our P2P Investigation Turns Up Business Data Galore".)

Used as intended, file-sharing programs and P2P networks can be a cheap, easy way for people to share content, and they're a popular channel for distributing open source software. Despite their association with illegal music sharing, not all P2P networks are equally dangerous when it comes to business data. The BitTorrent client and protocol, which employ centralized servers, are less prone to inadvertent file sharing than decentralized networks like Gnutella.

It's the improper or careless use of P2P that should worry IT departments. What can go wrong? Users sometimes mistakenly file a spreadsheet in the same folder they store music files or check the wrong box when configuring the P2P client and, voilà!, their corporate documents are out there for everyone to see.

(click image for larger view)HOW TO FIGHT BACKThe first line of defense for IT departments is to set parameters for the use of file-sharing apps on company PCs--some ban them entirely--and use tools to monitor and manage those policies. Effectiveness, however, is only as good as IT enforcement and employee compliance. Look no further than Pfizer to see what happens when someone breaks the rules. Harder still: getting customers and business partners to exercise the same degree of caution that you mandate internally.

"You know not everyone is going to do the right thing. It's the law of averages," says Craig Shumard, chief information security officer with Cigna. After discovering six months ago that a few user IDs and passwords to one of its portals had been inadvertently leaked onto a P2P network by a partner, the health care insurer scrambled to reset them.The potential for abuse has risen as so-called information concentrators employ file-sharing clients to scour P2P networks for data that can be used for ID theft, fraud, and other illicit activities. Last September, authorities in Seattle arrested 35-year-old Gregory Kopiloff on charges that he used LimeWire to amass federal tax returns, student financial aid applications, and credit reports, then used them to open accounts in other people's names. Kopiloff pleaded guilty and is due for sentencing March 17.

IT departments must be proactive because once business data pops up on a P2P network, there's no pulling it back. By the time you learn of the breach, your spreadsheets and documents may have spread to dozens of computers, including ones outside U.S. legal jurisdiction.

Step 1 is to ensure that IT policies address P2P usage and that management tools are in place to enforce them. Products from Audible Magic, Cisco, Cymphonix, FaceTime, and St. Bernard Software let IT administrators restrict, monitor, and otherwise manage P2P network access. Jump on any users caught breaking the rules.

It's not unusual for IT administrators to think there are no P2P clients on a corporate network when in fact there are, says FaceTime VP Frank Cabri. That's because P2P apps can make themselves look like browser traffic. "They're very evasive. They find a way to connect," says Cabri. FaceTime's Unified Security Gateway gives admins fine-grained control over 130 P2P applications.

Step 2 is to watch P2P nets for data leaks. IT departments can periodically monitor major networks using the search function in a file-sharing application, but it's laborious, hit-or-miss work. P2P clients let you search only one network at a time and, even then, they show files from only some nodes. Security service companies such as Cyveillance will do the grunt work for you, but face the same challenge: limited visibility.If you do find business data on a P2P network, identify the source of the leak to shut it off and to gauge how and why the P2P application was being used.

Test Your P2P ExposureA step-by-step approach to using LimeWire to search for your company's data in the wild

1

Build a list of keywords from the names of important files. Be specific; unique industry or company jargon makes for ideal searches.

2

Keep search phrases short -- LimeWire has a limit of 30 characters -- and search only for documents so you won't get inundated with media files.

3

Go to Tools > Options > Sharing to be sure you're not sharing confidential materials. Safer yet, run LimeWire in a VM with no data on it.

4

Once you find a file that looks like it belongs to your company, select it and choose Browse Host to examine other files that user is sharing. Note its IP address, so you can track down the user later.

5

After a search, select all listings under the Servers tab and click the Remove button. This will drop those connections and add different servers. Then right click on your search tab and choose Select More > Get More Results to extend your search. Repeat this many times, to search as broadly as possible.

What more can be done? Tiversa, a 5-year-old company in the Pittsburgh area, has developed proprietary algorithms that monitor P2P networks in real time. The company establishes its own nodes on popular P2P networks, including Gnutella, eDonkey, FastTrack, and WinMX, giving it visibility into the files being shared across them. The vendor uses that information to provide P2P monitoring and risk assessment to business customers, including investment banks, credit card issuers, banks, and insurers.

Government agencies were early adopters of Tiversa's services. CEO Robert Boback says the feds took notice when, in the spring of 2004, the company demonstrated that people outside the United States were searching P2P networks for information on explosives, detonators, ricin, anthrax, and more. By the end of that year, Tiversa was working with the CIA, FBI, Homeland Security, and the U.S. Secret Service. During the '04 presidential campaign, the company detected searches related to Jenna Bush, Air Force One, and White House security and was able to determine that the same user also had files on sniper tactics. Within days, the Secret Service was knocking on that person's door; he lived within an hour's drive of President Bush's Crawford, Texas, ranch.

Tiversa's advantage is its ability to trace keyword searches across entire P2P networks, giving it a more comprehensive view of file-sharing activity than IT departments can get on their own. The company puts the number of file-sharing searches at 1.5 billion per day--several times the number of keyword searches handled by Google. It maps probe terms, which describe the types of files people are looking for, and search-match terms, which are the ones they find.

A sampling of the corporate data Tiversa has come across includes salary histories, termination records, nondisclosure agreements, board meeting minutes, and merger and acquisition plans. There are gobs of IT-related documentation available, too: encryption keys, network diagrams, user IDs and passwords, and disaster recovery plans.Tiversa conducts searches for customers to see if it can find their data on P2P networks, then shares what it turns up so they can take corrective action. In fact, one way it gets the attention of potential customers is to conduct a search for information related to those companies, then request an appointment with the chief security officer or CIO to present its findings.

Tiversa has about 20 business customers. That's not a lot, but they're blue chip accounts, some paying upward of $1 million annually for its services, which include conducting searches in a variety of languages, doing forensic analysis of its findings, and assigning risk levels to content. It has begun aiming at a wider range of industries and at midsize companies. Tiversa even offers a consumer version of its P2P-monitoring service for an annual fee of $24.95 to protect against identity theft.DANGER EVERYWHERECigna has been using Tiversa's services since last year. Cigna prohibits use of file-sharing software on company PCs, but CISO Shumard knows that's not enough to stop the problem. With 10 million health plan members and 550,000 partners, Cigna has to worry about file sharing outside its firewall as well.

Cigna used to do its own P2P monitoring, and Shumard's done a bit of the investigative work himself. "I was shocked by some of the information I've seen out there," he says. But Tiversa casts a wider net, and its search-term data can be revealing. Shumard was surprised to learn that an anonymous P2P user was searching for information on an obscure Cigna business interest. "Why would someone be searching for one of those names?" he says. "Somebody's obviously fishing for something." He suspects a competitor was trying to dredge up information on the company.

To better understand the movement of private data over P2P networks, Tiversa has conducted a series of "honey pot" experiments in which it exposed files, then waited to see what would happen. One test involved a $50 cash card with the file name creditcardnumbers.doc. Within a day, the file was grabbed 28 times and the funds depleted. Other honey pots were set up with executive documents, HR files, IT-related material, and consumer data. The end result was always the same--wide and rapid file distribution on P2P networks around the world.

Researchers at Dartmouth's Center for Digital Strategies last year published the results of their investigation into inadvertent data disclosures on P2P networks, which involved a seven-week study of P2P search terms related to 30 major banks. The study was done with funding from the Department of Homeland Security and assistance from Tiversa. Factors influencing a bank's vulnerability included global brand recognition and number of employees and customers.The researchers collected 114,000 bank-related files. Their biggest catch was a spreadsheet with 23,000 business accounts, including names, addresses, account numbers, and titles.

They also assessed each bank's "digital footprint," a measure of the words and phrases associated with a bank that might turn up documents in a P2P search. Not surprisingly, banks with names that have something in common with popular song titles or musicians are at increased risk of an internal document surfacing during a P2P search. For example, PNC bank shares an abbreviation with a rapper who goes by the same initials, making it more likely that a bank document might appear in search results for the rapper's work.

The Dartmouth researchers offer some useful advice to IT departments looking for answers to the P2P problem:

The evidence shows that not everyone is using P2P networks for music and video sharing. Shady characters are searching for financial records, Social Security numbers, personal data, and even documents that could be used to knock out a subway or undermine a company. "We see thousands of information concentrators. They're specialists," says Chris Gormley, chief operating officer at Tiversa.

Just what are these people doing with the treasure trove of digital content they collect? That's an open question, says Gormley. And it's one your company would be better off not having to answer.Photograph by Erica Berger

Continue to the sidebar:
Our P2P Investigation Turns Up Business Data Galore