How to stop P2P data breaches
Three tips that will ensure your company meets security mandates
By Tony Bradley | PC World | Published: 12:30, 26 February 2010
The Federal Trade Commission (FTC) has notified hundreds of US businesses that their sensitive data is circulating freely on peer-to-peer (P2P) file sharing networks for all to see. While no company wants to have confidential information exposed to unauthorised users on the web, many businesses, depending on the nature of the data being exposed, also fall under legal compliance mandates to safeguard the data.
"Unfortunately, companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers' sensitive information at risk. For example, we found health-related information, financial records, and drivers' licence and social security numbers - the kind of information that could lead to identity theft," said FTC Chairman Jon Leibowitz in an FTC statement.
Leibowitz continued: "Companies should take a hard look at their systems to ensure that there are no unauthorised P2P file-sharing programs and that authorised programs are properly configured and secure. Just as important, companies that distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing."
The FTC statement explains that the FTC is developing new educational materials that increase awareness of the risks associated with P2P networks, and provide tips to help protect data, in order to help businesses understand and manage the security risks of file-sharing networks.
Why wait for the FTC materials, though? Here are three tips that will help ensure your company doesn't receive a nasty letter from the FTC letting you know that your data has been breached on a P2P network.
1. Beware the doftware
There are actually multiple reasons to be cautious regarding the client software required for P2P file-sharing. First, most P2P client software doesn't have the same attention to security as commercial software does. P2P clients can be buggy and may cause system crashes or other performance problems.
The larger issue is that P2P client software is often open source and hosted from the host systems that are part of the P2P network. The client software itself could easily be compromised with some sort of Trojan or botnet-type malware which could infect systems and allow attackers access.
2. Watch what you share
P2P client software is generally pre-configured with a default folder that will be the shared folder for the P2P network. Files in that folder will be exposed to the rest of the P2P network and can be downloaded by all.
Some P2P clients might default to the root of the C: drive, or some users may unwittingly designate the root of the C: drive or some other equally sensitive drive or folder as the default share location for the P2P network.
3. Just don't use it
While it is true that there are legitimate uses for P2P networks, and most of the data available on P2P networks isn't counterfeit software, pirated music, or breached data from corporations, there is arguably no legitimate reason for accessing a P2P file-sharing system from a business network.
Allowing anonymous users access to files and folders on computer systems in your network can sap precious network bandwidth - and that is the best-case scenario. If not properly configured and secured, you also run the risk of opening your network to attack and compromise, or inadvertently exposing sensitive data.
If there is a legitimate reason for allowing P2P file-sharing access, the policies and procedures defining that access should be documented, and P2P file-sharing should be restricted to authorised users with an established need for it.
As long as companies continue to configure users with god-like Administrator privileges on their computers, and allow them to install and remove software at will, the risk will continue to exist that employees may install questionable software and expose the company network, or sensitive data to unauthorized access.