Peer-to-peer software facilitates collaboration and security threats

Peer-to-peer software, which allows a network of users to search and share data files, poses an inherent risk to government agencies that need to meet stringent privacy and security requirements.

Before the theatrical release of a recent movie, a digital copy of the film was leaked onto the Internet.

The media company where the leak occurred scrambled to figure out how the movie was released. An information technology administrator noticed an employee had peer-to-peer software installed on his computer.

Peer-to-peer software, such as the original Napster, allows a network of users to search and share files from one another’s computers.

Using an application from enterprise systems management provider Quest Software Inc., the media company was able to identify all the people at the company with peer-to-peer software installed on their computers. In some cases, people were uploading and downloading gigabytes worth of data, said David Sengupta, Quest’s director of unified communications.

“We were able to block all the file-sharing apps, which not only prevents leaking movies, it also cuts down bandwidth,” he said.

If someone intentionally or accidentally leaks a movie to the Web, the production company probably will lose revenue from the film. The stakes are higher for government agencies. Leaked data can lead to privacy breaches and national security concerns.

For example, reports surfaced in February that data about the president’s helicopter fleet might have been released via peer-to-peer software. The Navy declined to reveal details about the event, but it should be a warning to other agencies that the threat is real, experts say.

Agencies have two choices: monitor networks to ensure no unauthorized peer-to-peer file sharing is occurring or provide employees with a way to share work-related data, industry experts say. For many government organizations, the first step is determining what software is on employees' computers and eliminating software that presents a threat. 

Need to block

The Army Information Management Support Center realized a few years ago it needed help identifying and eliminating noncompliant applications. Employees were installing rogue software applications on thousands of the center’s Windows-based workstations, said Jim Ivers, chief marketing officer at Triumfant Inc., an IT security company. IT administrators were struggling to keep tabs on all the different applications, Ivers said.

“For every one program they removed, another three new ones would be installed,” he said.

Some of the applications, such as weather information utility WeatherBug, were benign. Other applications, such as music-sharing or peer-to-peer software, created vulnerabilities.

The situation at the Army Information Management Support Center is not unique, Ivers said.

“In many agencies, it is pretty pervasive,” he said. “When I speak to a lot of the systems integrators, they tell me stories of agencies where everyone has administrative rights on their machines, therefore they can install anything they want.”

Over the years, a culture has developed in which employees treat work computers as personal computers, Ivers said. Because of that, they feel like they can put personal things on work computers.

“The number of people using their work-provided machines to do personal things has really gone through the roof, and that leads to high-vulnerability applications being loaded,” he said.

Triumfant began helping the support center address those needs in 2007. The company's software automatically discovers, analyzes and fixes unapproved changes on computers and servers. It ensures the computers are compliant and properly configured, he said.

The Triumfant platform, called Resolution Manager, gathers and processes about 200,000 attributes per computer per day. The attributes include registry settings, port settings, performance statistics and hardware statistics.

Quest’s Sengupta has also seen a surge in employees who install unauthorized software on work computers. Some even use consumer file-sharing products for work-related purposes.

“Putting your trust in those applications that are designed to share data that isn’t necessarily above board is kind of risky,” he said. “The assumption the applications actually have integrity and are just sharing specific data designated by the user is a false assumption.”

Quest’s solution, called Policy Authority for Unified Communications, comes as software or a preconfigured, hardened appliance.

Policy Authority enforces policies and archives instant messaging and other real-time communications. It blocks unwanted protocols and enforces regulatory compliance requirements.

The system packages instant message conversation transcripts, file transfers, SMS communications, BlackBerry PIN-to-PIN messages and BlackBerry call logs, and it exports them to e-mail archives.

Facilitating collaboration

For most people, file sharing involves only MP3 music files and video clips. But as more organizations encourage collaboration, employees need new ways to share files, said Jimmy Tam, general manager of file-sharing services provider FolderMaestro LLC. 

“From a technology standpoint, peer-to-peer file sharing does serve a purpose,” he said.

"With peer-to-peer, there is no need to e-mail large attachments or to set up and maintain file-transfer-protocol servers," Tam said. "However, consumer-oriented, peer-to-peer file-sharing technologies were not written with the same rigor or security standards that a business file sharing application needs."

FolderMaestro’s software is designed to enable enterprise file sharing. The software resides on an organization’s network, and IT administrators install local versions of the software on users' computers. Administrators can control file sharing via a console.

“So from a security standpoint, you can’t share a file unless you told your IT manager, ‘I’m going to be sharing these files with these people,’ ” Tam said. “There is no browsing on a network, like you have with consumer peer to peer. You can’t browse someone else’s machine and say I want to grab that file.”

When someone edits a file, no one else can access it. When that person finishes working with the file, others with rights to view and edit it can then access it.

Organizations that need to support frequent file sharing should look for a system that controls where and how users share documents, Tam said. The ability to browse folders with consumer peer-to-peer tools is the biggest vulnerability they present.

Software such as FolderMaestro eliminates that threat.

“You either send files out or receive automatically based on your predefined relationships; there is no browsing,” Tam said. “And files reside on your organization’s servers behind firewalls, [so] nothing ever goes out on the open Internet.”
