
The FTC offers tips on fending off P2P security risks

As more legislation on P2P file-sharing security risks makes its way into the Senate, the FTC offers guidance to protect against data breaches.

Federal lawmakers and regulators are placing a spotlight on P2P security risks as employee and customer data continues to leak onto peer-to-peer file-sharing networks.

In addition to the P2P Cyber Protection and Informed User Act, which would require user approval when a P2P file-sharing program is installed and give the Federal Trade Commission the ability to introduce regulations that enforce the bill, the FTC has released a guide for businesses to protect against P2P security risks.

The FTC guide suggests that businesses:

  • Apply application-level encryption to protect file information where possible and restrict where sensitive data may be saved.
  • Use file-naming conventions that are less likely to disclose the information a file contains.
  • Monitor P2P networks directly or use a third-party information security provider.
  • Install network monitoring tools that "restrict, monitor and otherwise manage access" to P2P file-sharing networks from the organization's network, including intrusion detection systems, intrusion prevention systems or firewalls.

The FTC has also posted a series of criteria for evaluating P2P security risks.

If a business does not have tight controls around applications deployed at endpoints, it should also monitor inbound and outbound traffic to ensure that sensitive data is not being leaked over the P2P network, said Christophe Veltsos, president of Prudent Security LLC, a North Mankato, Minn.-based security consultancy. And businesses should be monitoring more than simply the IP or port numbers, he said, adding that firewalls are not enough protection since a "quick search for p2p bypass firewall reveals a myriad of ways to circumvent that control."

Instead, he recommends using a plug-in or network-based appliance to look for P2P traffic.
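To illustrate the point about looking at the traffic itself rather than only ports, here is an added Python example (not code from the article, the FTC guide or Prudent Security) that classifies a few constructed flows two ways: by destination port alone, and by the protocol handshake at the start of the payload. The port ranges and signature strings are assumed defaults for BitTorrent and Gnutella.

```python
"""Contrast a port-only P2P rule with payload-signature matching.

Added example, not from the article or the FTC guide. A port-based
rule misses P2P sessions moved onto ports such as 443 or 80, while the
protocol handshake in the first bytes of the payload still identifies
them. All flows below are constructed, not captured traffic.
"""
from dataclasses import dataclass
from typing import Optional

# Default port ranges a port-only rule would watch (assumed values).
P2P_PORTS = set(range(6881, 6890)) | {6346, 6347}

# Handshake prefixes as they appear at the start of the client's first TCP payload.
SIGNATURES = {
    "bittorrent": lambda p: len(p) >= 20 and p[0] == 19 and p[1:20] == b"BitTorrent protocol",
    "gnutella": lambda p: p.startswith(b"GNUTELLA CONNECT/"),
    "bittorrent-tracker": lambda p: p.startswith(b"GET /announce?") and b"info_hash=" in p,
}

@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    payload: bytes  # first bytes sent by the client

def classify_by_port(flow: Flow) -> Optional[str]:
    return "p2p-port" if flow.dst_port in P2P_PORTS else None

def classify_by_payload(flow: Flow) -> Optional[str]:
    for name, match in SIGNATURES.items():
        if match(flow.payload):
            return name
    return None

# Constructed sample flows; the last three carry P2P traffic on non-default ports.
_BT = b"\x13BitTorrent protocol" + bytes(8) + bytes(20)  # header, reserved, info_hash
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # TLS ClientHello
    Flow("10.0.0.7", "198.51.100.4", 6881, _BT + b"-XX0001-" + bytes(12)),
    Flow("10.0.0.9", "198.51.100.8", 443, _BT + b"-XX0002-" + bytes(12)),
    Flow("10.0.0.9", "198.51.100.9", 80, b"GET /announce?info_hash=%00%01&peer_id=abc HTTP/1.1\r\n"),
    Flow("10.0.0.11", "198.51.100.12", 8080, b"GNUTELLA CONNECT/0.6\r\nUser-Agent: x\r\n\r\n"),
]

def audit(flows):
    """Return {(src, dst, port): (port_verdict, payload_verdict)} for each flow."""
    return {(f.src, f.dst, f.dst_port): (classify_by_port(f), classify_by_payload(f)) for f in flows}

if __name__ == "__main__":
    for key, (by_port, by_payload) in audit(SAMPLE_FLOWS).items():
        print(key, "port-rule:", by_port, "payload:", by_payload)
```

Running it shows the port rule flagging only the flow on 6881, while the payload check also catches the sessions on 443, 80 and 8080.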

Days before the P2P Cyber Protection and Informed User Act was introduced in February, the Federal Trade Commission notified nearly 100 organizations that sensitive data about employees and customers had leaked onto peer-to-peer file-sharing networks. The alert on P2P file-sharing data breaches served as notice that the nation's top consumer privacy regulator is watching how enterprises address this risk.

The sensitive data was accessible to "any users of those networks, who could use it to commit identity theft or fraud," read the FTC statement. "We found health-related information, financial records and drivers' license and Social Security numbers -- the kind of information that could lead to identity theft," said FTC chairman Jon Leibowitz in the notice.

The P2P Cyber Protection and Informed User Act was introduced by Sens. John Thune (R-S.D.) and Amy Klobuchar (D-Minn.) last month.

"As a former prosecutor, I know that identity theft and security leaks can be prevented," Klobuchar said in a statement posted on her website. "Families across Minnesota run the risk of unintentionally sharing all of their private files, like tax returns, legal documents, medical records and home movies when they are connected to peer-to-peer networks. This bill will let people know -- in a way that they can understand -- that their personal files are being shared with complete strangers."

A similar software notification bill designed to introduce notice and consent into the process of using peer-to-peer software was passed in the House of Representatives last year.

Let us know what you think about the story; email Alexander B. Howard, Associate Site Editor or @reply to @digiphile on Twitter. Follow @ITCompliance for compliance news throughout the week.
