Most folks in the security business realize that peer-to-peer (P2P) file sharing exposes organizations to certain risks. Because P2P applications are often used to share pirated media such as music and movies, it is all too easy to underestimate the nature of those risks. The impact of P2P file sharing can easily extend beyond resource consumption, viruses, and threat of litigation from the entertainment industry.
Two examples of serious information breaches through P2P file sharing have recently been publicized. In the first case, blueprints of the presidential helicopter Marine One were accessible through P2P file sharing on the computer of a defense contractor. Other sources indicate that this data had been shared as far as Iran and other hostile nations. This is particularly surprising not only due to the highly sensitive nature of the information but also due to the fact that defense contractors are typically required to adhere to stringent security policies.
The second case involves a Dartmouth College finding that turned up a treasure trove of health related information from many sources over a handful of popular P2P sharing networks. This information included highly sensitive patient records, pre-signed prescription forms, social security numbers, and patient billing information. The impact to HIPAA compliance is obvious, but real world exploitation of this data is potentially even more serious.
It goes without saying that sensitive information must be secured. We often focus on outsider threats, but peer-to-peer file sharing can be a trojan horse that can originate with a non-malicious insider. The implications of this vulnerability can be much greater than might seem obvious.
Leave a comment