Jeremy D. Wunsch, John L. Nicholson and Jeffrey A. Carr
Right now, employees and contractors are accessing and disseminating confidential corporate information in ways that may be harmful to their employers. Some employees are acting intentionally or even maliciously; others are compromising proprietary and confidential information inadvertently and ignorantly. In either case, the consequences to employers can be catastrophic.
Everyone has heard about companies getting burned from leaks of sensitive data. Wal-Mart, TJX and the U.S. Department of Veterans Affairs are just a few of the recently publicized victims of information security breaches that are costing billions of dollars in legal and recovery fees. While many cases involve deliberate acts of theft by insiders, there are plenty of examples where insiders unknowingly expose confidential data that malicious third parties then exploit. Some of the most insidious sources of inadvertent data loss are peer-to-peer (P2P) file-sharing programs, which are rising to the top of the threat list for network security professionals.
In the past, file-sharing risks were primarily assessed in the context of copyright infringement, illicit (or unacceptable) content, or even bandwidth escalation. Until recently, there has been a general complacency within the enterprise about P2P risks to information security. The competitive and financial costs related to information loss simply weren't considered in the context of P2P, and security resources were allocated toward other, more obvious vulnerabilities. The fact is that P2P protocols are becoming more prevalent, sophisticated and intricate than email or HTTP, resulting in greater risks for business. Even lawmakers in Washington are looking at this more closely after a July hearing indicated that the threat of P2P is greater than originally thought, according to court documents. The hearing was prompted by a report from the Patent and Trademark Office that said "several distributors of popular P2P networks have 'repeatedly deployed features' that trick users into sharing some of their files."
According to Insight Research's study, "Peer to Peer & File-Sharing Services Market 2007-2011," P2P networks and file-sharing services could generate up to $28 billion in revenue for carriers and ISPs over the next five years, and it is estimated that more than 50 percent of all current Internet traffic is P2P traffic. From a security perspective, many P2P protocols are being modified to specifically evade existing security tools such as Web filters, IDS/IPS and firewall rules. While some of these design choices are made based on good intentions, such as enabling communications in countries that limit freedom of speech or access to information, the reality is that these well-intentioned changes are helping users with more nefarious purposes in mind.
Recent Incidents Highlight Urgency in Addressing the P2P Threat
Incidents at companies like Pfizer and ABN Amro are expanding how we perceive P2P risks, especially as they pertain to data loss. Recently, a Pfizer employee who installed an unauthorized P2P program on a company laptop exposed Social Security numbers and personal data belonging to an estimated 17,000 current and former Pfizer employees. Additionally, ABN Amro recently learned that data for 5,000 of its customers was found on the BearShare P2P network and the original files containing this sensitive information were traced to the home computer of an ABN Amro employee.
According to a Dartmouth study released earlier this year, an estimated 10 million users share music, videos, software and photos over P2P networks - up from 4 million in 2003. The study noted that efforts to limit P2P use only have prompted program developers to create decentralized, encrypted, anonymous networks that can easily poke through both corporate and residential firewalls. Some of this development is done with good intentions, but these changes can lead to problems for those who have a legitimate need to limit the access of P2P systems to corporate networks.
The good news is that business owners can significantly decrease the potential for corporate data loss from P2P networks via proactive prevention and protection with what is often referred to as "internal threat management." Effective internal threat management procedures not only help prevent these information leaks from happening, they also protect confidential and valuable information from exposure to unauthorized parties. By taking just a few simple steps, organizations can decrease risks and potentially save untold costs in time, resources, money and reputation.
The Keys to Effective Internal Threat Management
First and foremost, identify the information of greatest concern and where that sensitive data resides on the network. This analysis should include Social Security numbers, credit card numbers, driver's license numbers, trade secrets, merger/acquisition information, customer information, financial information and the like. This is not just a job for the IT department - other company stakeholders, like the human resources, legal and finance departments, should be included in the discussion of what information is valuable, and all departments should be involved in identifying where it is stored.
Many companies believe the most reliable methods for protection against internal threats are firewalls and anti-virus software. However, given the constant evolution of the P2P threat, such technical precautions can only do so much in the absence of appropriate policies and procedures. Consider Gartner Group's projection that "through 2010 we expect 80-90 percent of sensitive information leaks to be unintentional, accidental, or the result of poor business processes." This statistic is supported by the Pfizer and ABN Amro examples, where both individuals responsible for spilling the data were unaware of the leaks.
Companies should consider hiring an outside firm to conduct an internal threat assessment of the network and associated policies to identify vulnerabilities and establish benchmarks for compliance. It is essential to educate employees about company policies, including the reasons why such policies are in place, and consistently enforce them (that includes executives and IT). People are more likely to comply with policies when they understand the purpose behind them and perceive their enforcement as fair and even-handed.
Compliance and enforcement with policies also is important when a company ends up in court following a data breach. If a company can show that it had reasonable policies and procedures that were consistently monitored and enforced, that could go a long way toward reducing any fines or penalties imposed on the company.
Acknowledging the risk for data leaks from P2P file-sharing is an important step in protecting the enterprise. With escalating incidents, companies would be wise to immediately undertake a strategy to protect against this well-established threat.
Jeremy D. Wunsch is the Founder, CEO and director of data forensics for LuciData Inc. With more than a decade of internal threat management and e-discovery experience, he is a leading authority in the development of internal threat management and data forensic solutions for companies and their legal counsel He can be reached at +612.604.0848 or at firstname.lastname@example.org.
John L. Nicholson is a Senior Associate in Pillsbury Winthrop Shaw Pittman LLP's Global Sourcing Group. A frequent speaker on privacy, security and outsourcing, his practice includes structuring and negotiating complex IT and business process outsourcing agreements. He can be reached at +202.663.8269 or at email@example.com.
Jeffrey A. Carr is the Chief Operations Officer for Red Lambda, a technology leader in distributed network security. He has more than 20 years of successful experience in technology sales, business development and start up executive management within the security marketplace. He can be reached at+303.717.2091 or at firstname.lastname@example.org.