Security concerns may mean peer-to-peer file sharing days are over

By Linda Tucci, Senior News Writer
04 Aug 2009 | SearchCompliance.com


Is it time to revisit company policy on peer-to-peer file-sharing software? A spate of news last week suggests that P2P file sharing is not just Hollywood's headache.

Inadvertent file sharing -- when computer users mistakenly expose files they had not intended to share -- can pose major IT security, privacy and legal risks. The question is whether new laws or better scrutiny and the use of existing tools will solve this problem.

A congressional hearing last week on inadvertent file sharing over P2P networks showed just how risky it is. Classified or sensitive files recently found on file-sharing networks included: the Secret Service safe house location for the first lady, the Social Security numbers of every master sergeant in the Army, medical records of some 24,000 patients of a Texas hospital and the entire Outlook calendar of an individual who handles all the merger and acquisition activity at a well-known, publicly traded company, with attachments detailing every proposed deal.

A listing of every nuclear facility in the U.S. turned up on four sites in France. Last week also showed that illicit music downloading can have serious legal consequences: a Boston University graduate student was ordered to pay $675,000 in damages for illegally downloading songs and sharing them online.

Bill to ban P2P networks on government computers

Many companies tend to dismiss peer-to-peer file-sharing programs, which are used to share music and videos, as the recording industry's problem, not a security risk. But this is a mistake, said Robert Boback, CEO of Pittsburgh-based Tiversa Inc., a P2P network monitoring vendor, and a witness at last week's congressional hearing.

Gartner: Four tips for P2P use
Block P2P clients and traffic: Enterprises should block the installation of P2P software on endpoints and block P2P at the gateway, using network-based intrusion prevention systems, as well as secure Web gateways that can block P2P and other rogue applications based on network traffic patterns.

Detect P2P file sharing: Most intrusion detection and network behavioral analysis products can detect P2P file sharing. P2P monitoring can also be used to detect data loss across the extended enterprise, including contractors. The key is to identify the sources and destinations of data leakage, so they can be quickly stopped and remedied.

Protect sensitive data: Consider installing data loss prevention technology at the endpoint and at the network level to monitor and block the leakage of sensitive information. Use file encryption on sensitive documents.

Educate employees and contractors: Share information about the risk of peer-to-peer file sharing and the proper handling of sensitive information.

Source:
Gartner Inc.
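The "detect" and "protect" tips above amount to a procedure: classify flows, pick out hosts behaving like P2P clients, and list the sources and destinations involved so the leak can be stopped. The following script, an added example that is not code from the article, from Gartner or from any vendor named here, runs that procedure over a constructed flow log. The log format (one flow per line: timestamp, source IP, destination IP, destination port, application label) and the application-label vocabulary are assumptions standing in for whatever a real gateway or IDS exports; it flags a host either when the classifier labelled a flow as a P2P application or when the host spoke to many distinct peers on unclassified high ports, the fan-out pattern typical of swarm-style file sharing.

```python
"""Pick out P2P-like hosts from firewall/flow logs so the sources and
destinations of a possible leak can be listed for follow-up.

Added example, not code from the article, Gartner or any vendor it names.
The log format and the application labels are assumptions: one flow per
line, whitespace-separated as
    <timestamp> <src_ip> <dst_ip> <dst_port> <app_label>
where <app_label> is whatever a gateway classifier attached ("unknown"
when it could not tell).
"""
from collections import defaultdict

# Application labels treated as P2P clients (assumed classifier vocabulary).
P2P_APP_LABELS = {"gnutella", "bittorrent", "edonkey", "limewire"}

# Constructed sample log: one benign host (10.1.2.10), one host running a
# labelled P2P client (10.1.2.44), one host with unlabelled high-port traffic
# to six distinct peers (10.1.2.77), and one host with only two unlabelled
# flows (10.1.2.90), which should stay below the fan-out threshold.
SAMPLE_LOG = """\
2009-08-04T10:00:01 10.1.2.10 203.0.113.5 443 https
2009-08-04T10:00:02 10.1.2.10 198.51.100.7 443 https
2009-08-04T10:00:03 10.1.2.44 203.0.113.21 6346 gnutella
2009-08-04T10:00:04 10.1.2.44 203.0.113.22 6346 gnutella
2009-08-04T10:00:05 10.1.2.77 203.0.113.31 51234 unknown
2009-08-04T10:00:06 10.1.2.77 203.0.113.32 41237 unknown
2009-08-04T10:00:07 10.1.2.77 198.51.100.40 6881 unknown
2009-08-04T10:00:08 10.1.2.77 198.51.100.41 6882 unknown
2009-08-04T10:00:09 10.1.2.77 198.51.100.42 6883 unknown
2009-08-04T10:00:10 10.1.2.77 198.51.100.43 6884 unknown
2009-08-04T10:00:11 10.1.2.90 203.0.113.60 8443 unknown
2009-08-04T10:00:12 10.1.2.90 203.0.113.61 8443 unknown
"""


def parse_flows(text):
    """Parse log text into (src, dst, dport, app) tuples, skipping blank or
    malformed lines instead of aborting on them."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, src, dst, dport, app = parts
        try:
            dport = int(dport)
        except ValueError:
            continue
        flows.append((src, dst, dport, app.lower()))
    return flows


def find_p2p_hosts(flows, fanout_threshold=5, min_port=1024):
    """Return {src_ip: {"reasons": set, "peers": set}} for hosts that either
    used a labelled P2P application ("signature") or talked to at least
    fanout_threshold distinct peers on unclassified high ports ("fan-out")."""
    labelled = defaultdict(set)    # src -> peers seen on P2P-labelled flows
    unlabelled = defaultdict(set)  # src -> peers seen on unknown high-port flows
    for src, dst, dport, app in flows:
        if app in P2P_APP_LABELS:
            labelled[src].add(dst)
        elif app == "unknown" and dport >= min_port:
            unlabelled[src].add(dst)

    findings = {}
    for src, peers in labelled.items():
        entry = findings.setdefault(src, {"reasons": set(), "peers": set()})
        entry["reasons"].add("signature")
        entry["peers"] |= peers
    for src, peers in unlabelled.items():
        if len(peers) >= fanout_threshold:
            entry = findings.setdefault(src, {"reasons": set(), "peers": set()})
            entry["reasons"].add("fan-out")
            entry["peers"] |= peers
    return findings


def leak_report(findings):
    """One line per flagged host listing its reasons and peers: the source and
    destinations an analyst would chase first when remedying a leak."""
    lines = []
    for src in sorted(findings):
        entry = findings[src]
        lines.append("%s [%s] -> %s" % (
            src, ",".join(sorted(entry["reasons"])), " ".join(sorted(entry["peers"]))))
    return lines


if __name__ == "__main__":
    for line in leak_report(find_p2p_hosts(parse_flows(SAMPLE_LOG))):
        print(line)
```

The fan-out threshold is the tunable part: a host that legitimately talks to many servers on high ports (a backup agent, a CDN-heavy browser) will trip it at low settings, so in practice the threshold is set from a baseline of normal traffic and the "signature" reason is trusted more than "fan-out" on its own.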

Boback testified that even at companies with sophisticated security programs, reams of sensitive corporate information are exposed on P2P networks due to user error, access control issues (teenagers downloading file-sharing software on a parent's company laptop), deception by global software developers and malicious code dissemination. The leaks happen despite safeguards by some P2P network developers to prevent inadvertent file sharing and despite security tools such as firewalls and encryption. Boback showed example after example of citizen tax returns, medical insurance information, FBI files and so on, easily found on peer-to-peer file-sharing networks.

At the congressional hearing, it was the popular P2P software company Lime Wire LLC and its CEO, Mark Gorton, on the hot seat, accused by committee members and expert witnesses of a continuing failure to prevent inadvertent file sharing. After the testimony, committee chair Edolphus Towns announced plans to file a bill to ban P2P software from all government and contractor computers and networks.

"As far as I am concerned, the days of self-regulation should be over for the file-sharing industry," Towns said.

But Towns is not the only one threatening legislation. And the file-sharing industry is not alone in being forced to get serious about data leakage. Efforts are under way on Capitol Hill to pass a tough national data privacy law, the Data Accountability and Trust Act, aimed at protecting personally identifiable information, including files inadvertently leaked or stolen on P2P networks.

P2P file sharing gets little attention from IT risk groups

At a time when companies are hypersensitive to the damage a data breach or stolen data can do, the security and privacy risks posed by P2P file sharing are not high on the IT security agenda for many companies, according to Jonathan Penn, a security analyst at Cambridge, Mass.-based Forrester Research Inc.

Forrester reports that while 73% of companies take some kind of stance on P2P, ranging from monitoring to filtering per incident, only 18% ban outright use of P2P.

One reason P2P file sharing gets so little attention from IT, Penn said, is that it is seen as a bandwidth issue, not an IT risk concern. Unless massive P2P usage is starving out legitimate traffic, "it can be simply addressed with bandwidth management tools," he said.

As for the legal liability issues related to sharing copyrighted material, most organizations are more focused on protecting their own data, Penn said, "not enforcing the copyright and usage terms of media conglomerates."

Organizations that do acknowledge that P2P tools can be used to send sensitive corporate data out of the network are addressing the problem with network-resident data loss prevention tools from vendors including Symantec Corp., McAfee Inc. and Vericept Corp. "In other words, concern over high-impact and high-probability business risks around P2P are part of specific data protection strategies, not a more general appropriate-use policy enforcement strategy," Penn said.

Taking action on P2P

Gartner Inc. security analyst Mike McGuire, who covers media for the Stamford, Conn.-based consultancy, said he's a bit puzzled by the threat of legislation banning P2P file sharing among government agencies and contractors, given long-standing prohibitions and policies governing P2P file sharing at government agencies. "Another law would seem to be almost specious," McGuire said. "This is a matter of enforcing policy on usage of P2P clients on government networks."

In his view, corporate policy is the first line of defense against risks associated with P2P file-sharing programs. "You have employees who have signed contracts to work at your company. You can't control their lives, but as far as the tools that you give them to do their jobs, you do have control," McGuire said. Employees found to be opening MP3 files on company networks obtained through P2P software can be fired, he said.

With P2P networks in the news again, CIOs should revisit their P2P policies, talk to employees and actually carry out the periodic audits of their networks. "It is absolutely worth that reminder, without getting into, 'Is this a copyright issue?' or right or wrong," he said.
