With little, if any, business justification for P2P networks in the enterprise, organizations face a significant security threat, in addition to the threats of network bandwidth misuse and legal liability.

Forty-five percent of the executable files downloaded through Kazaa, the most popular file-sharing program, contain malicious code like viruses and Trojan horses. (TruSecure study, January 2004)

In October 2002, the RIAA, along with the Motion Picture Association of America, the National Music Publishers Association and the Songwriters Guild of America, sent letters to Fortune 1000 companies warning that they are at risk when employees illegally distribute copyrighted works over corporate networks. (Raleigh News & Observer, January 14, 2004)

Kazaa, the most popular Gnutella-based P2P network, is the most searched term on the Internet, as well as the most downloaded executable. Search term statistic as reported by Yahoo!: http://search.yahoo.com/top2003. Download statistic as reported by Downloads.com in December 2003.

"Corporate P2P Use Is Common, Study Says," c|net News.com, July 16, 2003.
Spyware and malicious mobile code

Spyware is any technology used to gather information about users or their activities, secretly or without consent, and relay that information to interested and potentially undesirable third parties over the Internet. These programs are often downloaded automatically and unintentionally from Web sites or P2P sites. Examples of spyware include adware, Web bugs, and tracking cookies. Although many of these programs are harmless and simply annoying, some more insidious spyware, such as keystroke loggers, records and transmits information about keystrokes and specific user actions on the computer to outside third parties. Since keystrokes and user actions can include usernames and passwords, bank account numbers and PINs, or other access codes, these programs pose a significant security threat to the enterprise and, depending on the information relayed, may present a legal concern for organizations as well.

Similar to spyware, malicious mobile code (MMC) can infect an end user's computer simply through a visit to the Web site that distributes it. Perhaps the best-known example of this type of code was the Nimda worm that spread throughout the Internet in 2002. Among other means of distributing itself, Nimda could infect computers that merely visited Web sites which had its payload embedded as an ActiveX component. MMC includes any executable delivered via a Web site that changes system settings without the end user's knowledge or approval. The consequences of MMC are as variable to an organization as the nature of the payload and can result in anything from a security threat to a legal liability concern.
Employee hacking

Organizations have always been concerned about the ability of outsiders to hack into their computing environments and gain access to proprietary information. Interestingly enough, the threat of hacking is primarily a threat from the insider. In fact, security experts often say that over 70% of hacking exploits are from insiders.[4] Employee hacking is a bigger problem than ever before, because dangerous how-to information is now so readily available and easily accessible over the Internet. Newly available hacking portals target novice users and offer tools such as scripts and programs, as well as message boards that would-be hackers can use to learn about and discuss their hacking exploits.

45% of companies have suffered an unauthorized access by an insider in the previous 12 months. (Source: 2003 CSI/FBI Computer Crime and Security Survey)

Motivated employees can find ingenious ways to access information to which they should not have access: private customer data, confidential corporate information, or intellectual property, to name just a few. And employees willing to go to such lengths to obtain this type of information almost never keep the information to themselves, thus presenting a legal risk from information breach to compound the security risk.
Streaming media

Streaming media includes interactive and high-bandwidth applications that use the Internet to run. Media players, Internet radio, and Internet television are three examples. While it may be useful for employees to view Web-based training sessions on their office computers, it is difficult to see the company benefit of employees watching concert highlights or clips from their favorite TV shows. When used inappropriately, streaming media also presents a risk to organizations in the IT resource domain, as precious network bandwidth is consumed by non-work-related activity, thus adversely impacting business-critical applications.

[4] Based on informal consensus. An Information Week Global Information Security Survey in November 2003 found the figure to be 30% based on a formal survey of security experts.
As seen from the discussion above, these threats can pose risks to employee productivity,
legal liability, IT resource use, and security. The following table summarizes the many activities and actions that employees engage in and assesses the corporate impact and risks associated with them.
Emerging Threats in Employee Computing

Activity/Application | Threat | Corporate Impact/Risk
Instant messaging | Introduction of viruses, worms or Trojan horses to corporate network | Security (high)
Instant messaging | Interception of confidential information (customer, privacy, IP, financial disclosure) | Security (low)
Instant messaging | Introduction of illegal or inappropriate content into corporate environment (through file attachments) | Legal liability (moderate)
Peer-to-peer application use | Employee distraction | Productivity (high)
Peer-to-peer application use | Introduction of virus or worm into corporate network | Security (high)
Peer-to-peer application use | Lawsuit from illegal exchange of copyrighted digital material on corporate network | Legal liability (low)
Peer-to-peer application use | Saturation of network bandwidth (possibly impacting business-critical applications) | IT resource (varies)
Peer-to-peer application use | Probability of pornography (possibly child porn) existing on the corporate network | Legal liability (high)
Spyware and malicious mobile code | Interception of system password through keystroke logging program (possible use in identity theft) | Security (low but increasing)
Spyware and malicious mobile code | Transmission of sensitive data to outside party | Security (high)
Spyware and malicious mobile code | Non-optimal utilization of network bandwidth or desktop CPU cycles | IT resource (high)
Employee hacking | Unauthorized access to systems by an insider | Security (high)
Employee hacking | Confidential customer information security breach (possible use in identity theft) | Security (varies)
Employee hacking | Theft of corporate secrets or valuable confidential information | Security (varies)
Employee hacking | Legal liability from affected outside parties | Legal liability (moderate)
Employee hacking | Damage to computing systems by hacker | IT resource (moderate)
Employee hacking | Public disclosure of executive compensation packages and bonuses | Security (low)
Streaming media | Saturation of network bandwidth | IT resource (varies)
Streaming media | Employee distraction and loss of productivity | Productivity (moderate)
Streaming media | Legal liability from viewing of or listening to illegal copyrighted movie or material | Legal liability (low)
Installation/execution of unauthorized applications | Desktop incompatibilities | IT resource (high)
Installation/execution of unauthorized applications | Use of pirated/un-licensed software programs | Legal liability (high)