As part of our continued effort to provide you with information to help
you use technology as a tool to grow your business, we ask experts
to contribute to Smallbiztechnology.com. This week Steve Yin,
Executive Vice President of Global Sales and Marketing at St. Bernard, helps us understand the dangers of peer-to-peer networks. St. Bernard provides web security solutions.
Since the inception of the Internet, users have sought a convenient
and effective way to share data – particularly large files that aren’t
easily transmitted via email. FTP (file transfer protocol) technology,
which was created in 1971, emerged as the standard in the mid-80s and
is still used today, particularly when sharing large-volume files
between businesses. It’s safe because the file is uploaded from one
user and held on an FTP server, before being downloaded by the
recipient. Because files are centrally located, it is easier to secure
them against viruses, malware and other threats.
With the introduction of Napster in 1999, the transferring of data
over the Internet took a dramatic turn. Now, instead of going to a
designated FTP site and downloading data from a secure server, users
could instantly transfer data peer-to-peer (P2P) – from one computer to
another, and ultimately to the world, because anyone who had the
service could access all the data. As Napster gained in popularity,
other services followed suit and today there are scores of file-sharing
protocols such as KaZaA, LimeWire and Morpheus, to name just a few.
More importantly, social-networking sites such as MySpace and
Facebook have helped file sharing among their users grow exponentially,
while camouflaging the threats that can accompany it. Many users on
these sites try to be conscientious, but would not hesitate to download
files from a friend, which is where exploits often start. In most
cases, users are totally unaware that their actions could be exposing
their personal data, not to mention corporate files, to criminal
hackers. The consequences of P2P file sharing can be dangerous and
costly, as these recent examples illustrate:
It was recently revealed by Tiversa, a US security company, that a
security breach last summer exposed military information to an IP
address in Tehran, Iran. This information included engineering
upgrades, aviation blueprints and financial data for Marine One, the
President’s official helicopter. Tiversa traced the security breach to
a defense contractor in Maryland and believes the files were exposed
via P2P file sharing. In addition to the leaked classified information,
the contractor’s internal email communications, calendar and contact
data were also exposed.
Over 5,000 Citigroup mortgage customers were exposed via P2P sharing
when a Citigroup employee joined a file-sharing P2P network online and
exposed corporate files held on her personal computer. The customers
who were jeopardized had their social security numbers and other
personal information accessed through this unintentional security
Another incident involved current and former Pfizer employees,
17,000 of whom had their social security numbers exposed by the spouse
of a Pfizer employee. The incident happened when an employee took home
a Pfizer-owned laptop that had the personal data on it. When the spouse
downloaded a P2P program, the data became vulnerable.
Unfortunately, these incidents are not uncommon, and each of the cases
cited here was likely an accident, not an intentional criminal action.
However, they point out how easily an intentional exploit could be
launched via P2P. As the economy continues to struggle, we can expect
direct malicious attacks to increase.
The opportunity for disgruntled ex-employees to do harm cannot be
ignored and yet, whether deliberate or inadvertent, the risk for
companies remains the same. As these illustrations show, the risks
aren’t restricted to exposing personal data. Corporations invest
heavily in their proprietary technologies and other data, going to
great lengths to secure their intellectual properties. Yet, as in the
case of Marine One, these assets can be easily exposed via negligent or
criminal P2P file sharing.
What is the Answer?