Peer-to-Peer Peril: How Peer-to-Peer File Sharing Impacts Vendor Risk and Security Benchmarking

Transcription

1 Peer-to-Peer Peril: How Peer-to-Peer File Sharing Impacts Vendor Risk and Security Benchmarking

2 Introduction Peer-to-peer (P2P) file sharing often conjures images of people downloading movies and music in the comfort of their own home to bypass paying for this media. In the late eighties and early nineties, websites such as Kazaa, Napster and Limewire emerged as popular channels for consumers to access media content. More recently, file sharing has been in the news due to the temporary shut down of Pirate Bay, reportedly raided by Swedish police after the United States threatened sanctions through the World Trade Organization 1. While this activity is often looked at with a consumer-centric lens, it can have serious effects for businesses as well. Out of the over 30,700 companies* that BitSight rates for security performance, we have observed file sharing activity on 23% of companies using the BitTorrent** protocol. Much of this activity is likely against corporate policies; although there are no published metrics on what percent of companies prohibit P2P file sharing, many companies have explicit rules against it. This is not to say that file sharing itself is illegal. It is important to note that sharing files over peer-to-peer networks is not illegal - only the sharing of copyrighted content 2. For many companies, peerto-peer file sharing is a result of shadow IT - where employees are downloading copyrighted business applications such as Microsoft or Adobe products. 43% of torrented applications contained malicious software IT and Legal departments are likely well-versed in the potential consequences of illegal sharing of copyrighted material - namely legal issues - yet many companies may be unaware of the security risks posed by this activity. After analyzing hundreds of torrented files from the BitTorrent protocol, BitSight researchers found that 43% of torrented applications contained malicious software. This finding demonstrates that businesses should ensure that policies and technologies are in place to mitigate the risks from this activity. The report will outline additional industry level metrics and provide recommendations that can help risk and security professionals mitigate this threat to corporate and vendor networks. *BitSight currently has over 37,000 companies in our total inventory. **BitTorrent is a protocol that enables users to share files across a network. These files could be any content, but they are often movies, applications, or other copyrighted files. The BitTorrent protocol authors have upgraded the protocol to make file sharing more distributed and so harder to stop through legal or law enforcement actions. Despite these changes, copyright enforcement agencies have found copyright files served from corporate networks and have requested that companies remove shared files through serving take down notices. 1

3 About BitSight BitSight is the worldwide leader in providing objective, accurate and actionable Security Ratings to businesses around the world. BitSight Security Ratings are a measurement of an organization s security performance. Much like credit ratings, BitSight Security Ratings are generated through the analysis of externally observable data. Leading companies, including the top private equity firms, largest banks, major insurers and more are leveraging these ratings to mitigate third party risks, benchmark security performance, underwrite cyber insurance, perform M&A due diligence and manage portfolio cyber risk. BitSight is the only security ratings company that provides customers with in-depth information on potentially harmful file sharing activity. Key Findings File Sharing is a common problem for many organizations Out of the 30,700 companies that BitSight rates on security performance, 23% percent of them have evidence of some file sharing activity on their networks. Companies with file sharing have lower BitSight Security Ratings Within every industry analyzed for this study, there was a major gap in the ratings between companies that had file sharing activity and those that did not. Torrented files are a major malware risk for businesses BitSight researchers found that 43% of application files and 39% of games contained malicious software. There is a correlation between botnet activity and file sharing activity BitSight researchers found that companies with more file sharing activity were likely to have more compromised machines due to botnet infections. Industries such as Government, Education and Utilities are poor performers More than a quarter of companies in these industries have observed peer-topeer file sharing activity in the last six months. 2

4 Study Overview: Clear Correlation between File Sharing and Botnet Infections File sharing is a prevalent problem on corporate networks today. Out of the 30,700 entities rated by BitSight, 23% percentage of organizations had some observed file sharing activity. Many organizations explicitly ban this activity, yet there is evidence that in some industries over a quarter of companies are currently sharing files over the BitTorrent protocol. While some of these files are likely legitimate, many of them are labeled as movies, games and other copyrighted material. Due to the high percentage of companies using the BitTorrent protocol, BitSight researchers analyzed the correlation between botnet infections and peer-to-peer file sharing activity. The high malware infection rates suggest that companies with file sharing activity are more vulnerable to botnet infections on their networks. There has been previous research that reinforces this finding, such as a paper from the Vienna University of Technology titled, Vanity, Cracks and Malware: Insights into the Anti-Copy Protection Ecosystem. In this paper, researchers Markus Kammerstetter, Christian Platzer and Gilbert Wondracek performed an analysis of file sharing download links and noted, Our results indicate that a majority of these programs aim to infect the target machine with one or more types of malware 3. BitSight researchers took a sample of files from two popular categories of downloads: applications and games. The reason for analyzing these categories is because they contain executable files that are more susceptible to being infected with malware. Running these files through multiple file scanners and accounting for false positives, BitSight determined that 43% of applications and 39% of games were carrying malicious code. This indicates that a significant number of files shared over the BitTorrent protocol contain potentially harmful software. After uncovering the high rate of infections within these files, BitSight researchers probed into another question: Do companies with file sharing activity have more compromised machines due to botnet infections? Games 38.7% Applications 43.3% 0% 10% 20% 30% 40% 50% Percentage of of P2P p2p Downloads with Malware with Malware Figure 1. The percentage of peer-to-peer file downloads containing malware. 3

5 An analysis of companies rated by BitSight demonstrated that, in fact, there was a clear correlation between file sharing over the BitTorrent protocol and botnet infections. While we cannot demonstrate that malicious software from downloaded files caused these observed botnet infections, we can definitively say that companies with more peer-to-peer file sharing activity are more likely to have an increased number of botnet infections. This has major implications for security and risk professionals: if a company or important third party has increased peer-to-peer file sharing activity, this could indicate more serious security issues such as botnet infections , ,000 Monthly count of P2P file sharing per employee Monthly count of Botnet infections per employee 4 Figure 2. Monthly count of botnet infections to monthly count of peer-to-peer file sharing per employee at analyzed companies. TOP TORRENTED GAMES TOP TORRENTED APPLICATIONS Grand Theft Auto V The Sims 4 Mortal Kombat X FIFA 15 The Witcher 3 Abode Photoshop Microsoft Office Microsoft Windows 7 Microsoft Windows 8.1 Microsoft Windows 10 In addition to analyzing malware, BitSight researchers looked at the top torrented games and applications from the 766 analyzed files. When it comes to applications, employees are engaging in shadow IT where they are downloading unauthorized programs for work. Also, employees are downloading games while on corporate networks.

6 Industry Level View of File Sharing Room for Improvement in Government and Education There are significant differences between industry sectors when it comes to file sharing activity. BitSight has identified ten key industries to focus on for this report: Media/Entertainment, Education, Government, Retail, Energy/Utilities, Manufacturing, Tourism/Hospitality, Legal, Healthcare and Finance. In Figures 3 and 4 readers can see how these industries stack up to one another when it comes to the number of average shared files and the proportion of companies with file sharing activity. The reason we focus on these industries is simple: they are a diverse set of key sectors in the global economy. We have previously released industry level reports that look at overall security performance in some of these sectors. The following section also calls out six of these industries for a closer look at their performance in preventing file sharing. Legal Finance Energy/Utilities Media/Entertainment Manufacturing Healthcare/Wellness Retail Government/Politics Tourism/Hospitality Education 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% 55% 60% Proportion of industry Industry with BitTorrent P2P file sharing Activity activity Figure 3. Percentage of companies within each industry with any file sharing activity over the last six months. Media/Entertainment Retail Government/Politics Energy/Utilities Education Manufacturing Tourism/Hospitality Healthcare/Wellness Finance Legal k 3.2k 2.8k 14.8k 28.0k 0k 5k 10k 15k 20k 25k 30k Shares per Company Figure 4. The total number of shares for all the companies in each industry divided by the number of companies in each industry over a 6 month period. 5

7 FINANCE Industry Security Rating: 716 Percent wth File Sharing: 12.5% Avg. Torrents per entity: Finance is the top performer of these industries when it comes to preventing file sharing on their corporate networks. When it comes to both proportion of entities and average peer-to-peer shares per entity, Finance is diligent in addressing these issues. Due to strong regulations and a culture of security, it makes sense that Finance is the top performer in preventing file sharing. Historically, Finance has had the highest Security Ratings of any industry in our analysis. When people bring up data breaches, it is often retailers that are the most mentioned companies. After major breaches at retailers like Target and Home Depot, many are skeptical of these companies ability to defend themselves against attacks. When it comes to file sharing over the BitTorrent protocol, there is room for improvement; 22% of these companies have file sharing activity present on their networks. When looking at the average number of shares, Retail is one of the worst offenders with 14.8k shares per entity. RETAIL Industry Security Rating: 684 Percent wth File Sharing: 22.19% Avg. Torrents per entity: HEALTHCARE Industry Security Rating: 634 Percent wth File Sharing: 22.36% Avg. Torrents per entity: Healthcare is a middle of the pack performer in file sharing. They have a lower than average number of shares, with only 135 per entity and only 22% of companies in the industry with this activity, only slightly higher than retail. There is still work to be done to bring down the percentage of entities with this activity. Nevertheless, for an industry with a host of issues, as highlighted in our Is Healthcare the Next Retail? report, this industry is not the worst offender for torrenting files. 6

8 ENERGY/UTILITIES Industry Security Rating: 652 Percent wth File Sharing: 25.38% Avg. Torrents per entity: The Energy/Utility sector experiences file sharing in around 25% of companies, yet the most surprising metric here is the average shares per entity at a high 2.8k. For a highly regulated industry that has to comply with various standards, this was a surprising find. In our most recent Insights report, we found that the Energy/Utilities industry was at risk of a breach due to performance metrics gathered by BitSight. Around 32% of government entities have some form of file sharing activity present on their networks. In addition, the average number of shares per entity is 3.15k. These numbers make this sector, which the federal government as well as local and state municipalities, a poor performer. Government agencies, such as the Federal Trade Commission, have published reports on the dangers of corporate file sharing 5. In 2009, there was a bill (H.R. 4098) that attempted to prohibit file sharing by employees of the federal government - yet this bill never made it beyond the House of Representatives to become law 6. Clearly there is work to be done by government organizations to prevent this activity. GOVERNMENT Industry Security Rating: 688 Percent wth File Sharing: 32.85% Avg. Torrents per entity: EDUCATION Industry Security Rating: 554 Percent wth File Sharing: 58.24% Avg. Torrents per entity: Downloading copyrighted media has proven to be a major issue for network administrators in higher education. While in many instances universities are not liable, there are still legal risks. The Copyright Clearance Center notes that, universities operating the computer networks over which P2P file sharing occurs may face claims of contributory or vicarious liability arising from the conduct of their students 7. Around 58% of organizations in the Education sector have some file sharing observed on their network. Yet, when it comes to shares per entity, the figure is 1.2k. While this is still higher than most industries, it falls below Energy/Utilities and Government. Perhaps few students are able to bypass campus restrictions in order to participate in this activity. 7

9 File Sharing and Security Ratings BitSight is the only security ratings provider that provides customers with an objective view of peer-to-peer file sharing activity on the their network and the networks of third parties. Currently, BitSight provides this information as a beta risk vector in the product. This means that it is not used in the algorithm that calculates the headline Security Rating for a company*. Finance Retail Media/Entertainment Legal Government/Politics Energy/Utilities Manufacturing Tourism/Hospitality Healthcare/Wellness Education Entities With P2P File Sharing Entities Without P2P File Sharing BitSight Security Rating Figure 5. Median Security Ratings by industry for companies with peer-to-peer file sharing and those without. After identifying the strong correlation between botnet activity and file sharing activity, BitSight s Data Science team wanted to look at the relationship between BitSight Security Ratings and file sharing activity (Figure 5). This analysis highlighted a similar finding: in every industry analyzed for this report, there was a significant difference in median Security Ratings for companies with file sharing activity and those without. *BitSight Security Ratings are calculated using a proprietary algorithm that includes event and diligence factors. The BitSight data science team updates the algorithm on an annual basis to add in beta risk vectors into the rating. Currently, file sharing is not included in the BitSight rating algorithm, although it may be included in the future. 8

10 Recommendations for Businesses It is clear that the consequences of file sharing on corporate networks go beyond the legal ramifications of downloading copyrighted material. This behavior can also pose a serious security threat by introducing malicious software to a corporate network. BitSight recommends that security and risk professionals take the following steps to mitigate these risks. Have a clear policy around file sharing on the corporate network - and enforce it. Many companies explicitly prohibit file sharing activity. Yet the key question for security and risk professionals to ask is: do employees know about this policy? Periodic training and regular updates are key steps to make sure that employees - both veteran and new - are up-to-date on policies and procedures surrounding these issues. If file sharing is allowed for legitimate purposes, ensure that there are policies in place to prevent unauthorized sharing of material. Configure your firewall to prevent file sharing. If file sharing is not an authorized activity, companies can make adjustments to firewalls to block the sharing of files over these networks. This may be useful for companies that do not use file sharing for legitimate purposes. Verify file sharing activity with a continuous monitoring tool. Beyond creating policies, companies should actively monitor their networks for evidence of file sharing activity. BitSight provides users with outside-in monitoring of a company s network meaning no information is needed from the rated company, giving security and risk professionals the ability to identify unauthorized file sharing activity on a company network. With User Behavior Forensics, BitSight users are also able to view file names (except for movies) and the source IP addresses. This gives security and risk professionals the ability to verify both authorized and unauthorized file sharing activity on a network. Look at file sharing activity on the networks of third party vendors and acquisition targets - especially those with access to sensitive company information. Many third party risk teams conduct questionnaires on different security policies and practices at an organization. Beyond asking vendors to actively prevent this behavior, third party risk teams should also invest in verification tools to ensure that vendors are adhering to their stated policies. For companies looking to acquire other companies, there should be a review of file sharing activity on the network of the target acquisition. For more recommendations on steps to prevent file sharing, we recommend the FTC Guidelines that can be found here: 9

11 Conclusions As businesses continue to manage the growing threat of cyber data loss, the findings of this report are relevant for stakeholders across the enterprise. Beyond the well-publicized legal consequences of file sharing activity, this user behavior poses a serious and pressing security issue for many companies. Security and risk professionals can leverage the recommendations within this report across a wide variety of use cases, including: Benchmarking Security Performance: Understand file sharing activity within a corporate network and reconcile this with internal policies and procedures. Compare a company to industry averages when it comes to file sharing activity. Report these findings to upper level management. Managing Vendor Risks: Question vendors about file sharing policies and procedures. Verify effectiveness of policies and procedures by using an outside-in view of security performance. Conducting M&A Due Diligence: Look at historical file sharing activity on a potential acquisition s network. Enable them to identify problem areas and address issues before security issues arise - and before a deal is struck. Underwriting Cyber Insurance: Understand steps an applicant has taken to limit file sharing activities and reduce risk. Monitor insureds for changes in volume of files or suspicious downloads such as applications or games. To learn more about BitSight, you can visit our website at ABOUT BITSIGHT TECHNOLOGIES BitSight Technologies is a private company based in Cambridge, MA. Founded in 2011, BitSight Technologies provides businesses with daily security ratings that objectively measure a company s security performance to transform the way they manage risk. For more information contact us at: BitSight Technologies 125 CambridgePark Drive Suite 204 Cambridge, MA sales@bitsighttech.com

12 Methodology The data on peer-to-peer file sharing is collected from index nodes advertising files for download from a set of peers. BitSight collects the peer information on a daily basis and uses an internally generated and curated list of public IP mappings for tens of thousands of entities. In order to test for the presence of malware, we collected 497 of the top applications and 269 of the top games and tested for the presence of malware using a well known malware identification tool. We initially found 221 applications and 131 games labelled as malware, but trimmed that back to 215 and 104 respectively after analyzing the range of responses for likely false positive labels. Sources 1. The Pirate Bay shutdown: The whole story (so far). (n.d.). Retrieved November 17, 2015, from 2. Retrieved November 17, 2015, from 3. Retrieved December 2, 2015, from 4. Peer-to-Peer File Sharing: A Guide for Business. (n.d.). Retrieved November 21, 2015, from 5. Secure Federal File Sharing Act ( H.R. 4098). (n.d.). Retrieved December 2, 2015, from 6. The Campus Guide to Copyright Compliance. (n.d.). Retrieved December 2, 2015, from copyright.com/services/copyrightoncampus/other/index.html 7. Vikram Kumar-SAV to SEP. (n.d.). Retrieved November 18, 2015, from connect/articles/what-do-p2p-applications-do-and-how-block-peer-peer-applications-p2p-usingsymantec-endpoin