An effective corporate information security policy will completely ban the use of peer-to-peer (P2P) file sharing software such as Morpheus and Kazaa. Rightly so, as such software poses numerous security and privacy risks. The fact that P2P clients are among the most downloaded files on the Internet should give information security managers pause. As of September 1, 2003, Download.com reported that the Kazaa Media Desktop had been downloaded over 275 million times.
Since P2P networks open the shared computer to millions of computers worldwide, even an inadvertent mistake can have huge repercussions.
Just some of the risks associated with P2P software include:
- Spread of worms and viruses - there are scores of reported cases of downloaded files being trojaned or virus infected.
- Hogging of bandwidth - P2P networks are notorious for bringing networks to their knees.
- Legal issues/copyright infringement - copyright laws are often violated on P2P networks.
- Bypassing of internal controls - sharing files over P2P eliminates the file size restrictions of many email systems.
- Spyware/Adware - P2P software is replete with spyware and adware, which is software that reports a user's usage habits and patterns back to a vendor site. Usually this information is used in an advertising context.
- Misconfigured file sharing - users very often misconfigure their P2P software and end up sharing their entire hard drive.
- Launching pads for social engineering attacks - once an attacker has internal information, they can use it to their advantage in a social engineering attack, since they know the corporate vernacular and nomenclature.
Most users in your organization know that P2P is great for getting music, but are often completely unaware of the security risks of the software. The risks are huge, and all users need to be made aware of them.
From an information security perspective, it can be quite valuable to use P2P software yourself to see just how much of your proprietary and confidential data is available on P2P networks. The reason is that while the P2P software is meant to share music files, users often configure it incorrectly and, rather than sharing their My Music folder, share their entire hard drive. This is a serious problem when the computer being used contains confidential and proprietary data.
Port and vulnerability scanning is a required part of a security assessment. Now, with the ubiquitous use of P2P file sharing, checking to see whether your corporate files are being shared should be part of that assessment as well.
Using Kazaa as an example, do a search on your company name. Make sure to enable the Auto Search More button. This gives Kazaa the ability to continuously search for the file from more and more places, rather than running a single search and stopping.
Besides searching on your company name, the following should also be searched for:
- Specialized project names
- Project codes
- Product names
- Manufacturing sites
- Employee ID numbers
- Financial forms
- Backups of entire email boxes
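The same checklist can be applied from the inside. The following is an added example, not part of the original article: it audits what a workstation's P2P shared folder would actually expose, flagging shares rooted too high in the file system and files whose names match the checklist. The company name "AcmeCorp", the project "Falcon", the code and ID patterns, and the sample share are all constructed assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed watch list for a hypothetical company "AcmeCorp", built from the
# search checklist above: company name, project name, project code, employee ID, financial forms.
WATCH_TERMS = [r"acmecorp", r"project[-_ ]?falcon", r"pc-\d{4}", r"emp\d{6}", r"payroll|invoice|10-?k"]
MAILBOX_EXTS = {".pst", ".ost", ".mbox"}  # backups of entire email boxes
WATCH_RE = re.compile("|".join(WATCH_TERMS), re.IGNORECASE)


def share_is_too_broad(share) -> bool:
    """True if the shared folder is a drive root, a top-level directory, or the whole home directory."""
    share = Path(share).resolve()
    root = Path(share.anchor)
    try:
        home = Path.home().resolve()
    except RuntimeError:  # no resolvable home directory in this environment
        home = None
    return share == root or share.parent == root or share == home


def audit_share(share):
    """Walk a P2P shared folder and return (relative path, reason) for every file that would
    expose something on the checklist. Music files and unremarkable names are not reported."""
    share = Path(share)
    findings = []
    for dirpath, _dirs, files in os.walk(share):
        for name in files:
            rel = (Path(dirpath) / name).relative_to(share).as_posix()
            if Path(name).suffix.lower() in MAILBOX_EXTS:
                findings.append((rel, "mailbox backup"))
            elif WATCH_RE.search(name):
                findings.append((rel, "matches watch term"))
    return sorted(findings)


def demo():
    """Constructed sample share: a user who meant to share only My Music but shared a parent folder."""
    share = Path(tempfile.mkdtemp())
    for rel in ("My Music/track01.mp3", "Documents/AcmeCorp_Q3_payroll.xls",
                "Documents/Project_Falcon_spec.doc", "Outlook/archive.pst", "readme.txt"):
        path = share / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("constructed sample content")
    return audit_share(share)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:20} {rel}")
```

Point `audit_share` at the folder a real client is configured to share; a hit on a mailbox backup or a project document is exactly what a search on the P2P network would later turn up.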
What can you expect to find? Anything that an employee can store on their hard drive can be uploaded via P2P. Companies that have done such P2P searches have often found treasure troves of information.
The danger is that information on P2P networks quickly multiplies. If a file is loaded and its sharing commences, it can easily be on a thousand hard drives within a few hours.
Countermeasures
Some countermeasures include:
Conclusion
P2P programs are hugely popular and can’t be stopped. But by being aware of the real security and privacy issues, users can be more vigilant in their use of such systems. Companies that are not proactive in regards to P2P file sharing will find that much of their supposed competitive advantage is quickly taken away.