File Sharing Software and Information Security
Thursday, August 6, 2009 23:11
Data Leakage
An article just came out about the Secret Service’ safe house plans for the president and his family as well as the president’s motorcade routes having been found on a file-sharing network. Also in the recent past, details of nuclear facilities in the country as well as details regarding the president’s helicopter have been found to have been leaked through file-sharing or P2P networks. This may sound like government incompetency, but in this case it can happen to private business as well as government. Listings of company acquisitions, patients health records as well as a variety of other sensitive business data have been found on file-sharing networks.
P2P or file-sharing network software was originally designed for users to share audio files, video files and games with others, but what you plan on sharing is not always what you end up sharing as the above examples indicate. Leaks of this nature usually occur when a user installs the P2P software (client software) on a computer and does not configure it correctly, exposing more information than they were planning. Also, the choice of P2P software can determine how much information is exposed. For example some P2P software can expose a whole folder of information when a music file is accidentally put in a folder. This comes back to configuring the software correctly, and configuration of this type of software is not always easy. Also, some P2P software has wizards that scan the whole hard drive and recommend any folders that have media files (audio, etc). If the user is not careful and just follows the software wizards’ recommendation, they can expose sensitive data that is in these folders.
Security Issues
Most of the information covered so far is about accidentally exposing sensitive data, but there is also malware that has been found to scan a computer to find P2P software and media files. If these are found anywhere on the computer, the malware changes the file-sharing software configurations so it shares the whole hard drive. Also, researchers have found criminals using the file-sharing networks to search for sensitive data such as passwords, PIN numbers, financial records and other similar types of sensitive information. Lastly, P2P networks are used to spread viruses and a variety of malware.
Security Solutions
Some of these recent information leaks have some lawmakers looking to regulate yet another industry, basically forcing software vendors to implement controls the government feels are appropriate. I am of the belief that, yes, some vendors do not write user-friendly software where users can easily change settings and know what information is actually exposed, but then it is our choice not to use that vendor’s software. Will government regulation solve problems? Look at history, and you can easily say no. If we do not take personal responsibility for the information on our computers or networks, is it right to blame someone else, such as, in this case, the software vendor.
Here are some things that you can do to protect your business.
- First, I would not allow such software on my network. You can control this by not giving users of your computers administrative privileges. Users will not be able to install such software on their computer. You can read more about this issue in a recent article I wrote on security and administrative rights.
- If you want to use P2P software then research the many P2P software programs and choose one that has the easiest user interface and the best security features.
- Never have file-sharing software installed on any computer that stores or handles sensitive information.
If you do not want to allow the software on your business computers or network, there is audit software available that you can use to discover those that are using P2P software. You can also configure routers to block or drop P2P traffic.
Hopefully, you can use these ideas to secure your business from the many security risks of file- sharing software. This is not an all inclusive list so if you have any additional solutions that have worked for your business, leave a comment and share your experience.
Related posts: