Your Data And The P2P Peril

Usher, 10,000 BC, and your company's confidential spreadsheets could all be out there for the world to grab. Here's how these data leaks happen and what you can do to prevent them.

John Foley, Editor, InformationWeek

March 13, 2008

3 Min Read
InformationWeek logo in a gray background | InformationWeek

DANGER EVERYWHERE
Cigna has been using Tiversa's services since last year. Cigna prohibits use of file-sharing software on company PCs, but CISO Shumard knows that's not enough to stop the problem. With 10 million health plan members and 550,000 partners, Cigna has to worry about file sharing outside its firewall as well.

Cigna used to do its own P2P monitoring, and Shumard's done a bit of the investigative work himself. "I was shocked by some of the information I've seen out there," he says. But Tiversa casts a wider net, and its search-term data can be revealing. Shumard was surprised to learn that an anonymous P2P user was searching for information on an obscure Cigna business interest. "Why would someone be searching for one of those names?" he says. "Somebody's obviously fishing for something." He suspects a competitor was trying to dredge up information on the company.

To better understand the movement of private data over P2P networks, Tiversa has conducted a series of "honey pot" experiments in which it exposed files, then waited to see what would happen. One test involved a $50 cash card with the file name creditcardnumbers.doc. Within a day, the file was grabbed 28 times and the funds depleted. Other honey pots were set up with executive documents, HR files, IT-related material, and consumer data. The end result was always the same--wide and rapid file distribution on P2P networks around the world.

Cigna's Shumard knows the danger of a P2P leak

Researchers at Dartmouth's Center for Digital Strategies last year published the results of their investigation into inadvertent data disclosures on P2P networks, which involved a seven-week study of P2P search terms related to 30 major banks. The study was done with funding from the Department of Homeland Security and assistance from Tiversa. Factors influencing a bank's vulnerability included global brand recognition and number of employees and customers.

The researchers collected 114,000 bank-related files. Their biggest catch was a spreadsheet with 23,000 business accounts, including names, addresses, account numbers, and titles.

They also assessed each bank's "digital footprint," a measure of the words and phrases associated with a bank that might turn up documents in a P2P search. Not surprisingly, banks with names that have something in common with popular song titles or musicians are at increased risk of an internal document surfacing during a P2P search. For example, PNC bank shares an abbreviation with a rapper who goes by the same initials, making it more likely that a bank document might appear in search results for the rapper's work.

The Dartmouth researchers offer some useful advice to IT departments looking for answers to the P2P problem:

  • Educate employees, customers, suppliers, and contractors on the dangers of P2P sharing.



  • Create home-use policies to lower the risk of leaks from home-office PCs.



  • Introduce file-naming conventions that are less likely to be found and spread over P2P networks.

The evidence shows that not everyone is using P2P networks for music and video sharing. Shady characters are searching for financial records, Social Security numbers, personal data, and even documents that could be used to knock out a subway or undermine a company. "We see thousands of information concentrators. They're specialists," says Chris Gormley, chief operating officer at Tiversa.

Just what are these people doing with the treasure trove of digital content they collect? That's an open question, says Gormley. And it's one your company would be better off not having to answer.

Photograph by Erica Berger

Continue to the sidebar:
Our P2P Investigation Turns Up Business Data Galore

About the Author

John Foley

Editor, InformationWeek

John Foley is director, strategic communications, for Oracle Corp. and a former editor of InformationWeek Government.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights