Federal lawmakers and regulators are placing a spotlight on P2P security risks as employee and customer data continues to leak onto peer-to-peer file-sharing networks.
The FTC's guide on P2P file sharing suggests that businesses:
- Apply application-level encryption to protect file information where possible and restrict where sensitive data may be saved.
- Use file-naming conventions that are less likely to disclose the information a file contains.
- Monitor P2P networks directly or use a third-party information security provider.
- Install network monitoring tools that "restrict, monitor and otherwise manage access" to P2P file-sharing networks from the organization's network, including intrusion detection systems, intrusion prevention systems or firewalls.
The FTC has also posted a series of criteria for evaluating P2P security risks.
If a business does not have tight controls around applications deployed at endpoints, it should also monitor inbound and outbound traffic to ensure that sensitive data is not being leaked over the P2P network, said Christophe Veltsos, president of North Mankato, Minn.-based security consultant Prudent Security LLC. And businesses should be monitoring more than simply the IP or port numbers, he said, adding that firewalls are not enough protection since a "quick search for p2p bypass firewall reveals a myriad of ways to circumvent that control."
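To make the monitoring point concrete, here is an added Python example (not code from the article, the FTC guide, or Prudent Security) that classifies a handful of constructed sample flows two ways: by destination port alone, and by matching the first payload bytes against public, well-known P2P protocol signatures (the BitTorrent peer handshake, a bencoded DHT query, and the Gnutella connect string). The flows, addresses and payloads are all constructed for the demonstration; the point it illustrates is that a port-only rule both misses P2P traffic sent over port 443 and flags ordinary HTTP that happens to use a default BitTorrent port.

```python
"""Port-based vs. payload-signature detection of P2P traffic (added example)."""
import re
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dst_port: int
    payload: bytes   # first bytes sent by the client on this flow


# Public, well-known protocol constants (assumption: detection is done on the
# first client message; a real sensor would also track later packets).
BITTORRENT_HANDSHAKE = b"\x13BitTorrent protocol"        # pstrlen=19 + "BitTorrent protocol"
DHT_QUERY_PREFIX = re.compile(rb"^d1:ad2:id20:")        # bencoded KRPC query: {"a": {"id": <20 bytes>...
GNUTELLA_CONNECT = b"GNUTELLA CONNECT/"                  # Gnutella 0.6 handshake line

# Default listening ports commonly associated with BitTorrent and Gnutella clients.
P2P_DEFAULT_PORTS = set(range(6881, 6890)) | {6346, 6347}


def port_based_verdict(flow: Flow) -> bool:
    """What a port-only firewall rule would see: True if the port 'looks like' P2P."""
    return flow.dst_port in P2P_DEFAULT_PORTS


def payload_based_verdict(flow: Flow):
    """Return a signature name if the first payload bytes match a P2P protocol, else None."""
    p = flow.payload
    if p.startswith(BITTORRENT_HANDSHAKE):
        return "bittorrent-handshake"
    if flow.proto == "udp" and DHT_QUERY_PREFIX.match(p):
        return "bittorrent-dht-query"
    if p.startswith(GNUTELLA_CONNECT):
        return "gnutella-connect"
    return None


def classify(flows):
    """Apply both rules to every flow and return one row per flow."""
    return [
        {
            "flow": f"{f.src}->{f.dst}:{f.dst_port}/{f.proto}",
            "port_rule": port_based_verdict(f),
            "payload_rule": payload_based_verdict(f),
        }
        for f in flows
    ]


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    # BitTorrent handshake tunnelled over TCP/443: reserved bytes, info_hash, peer_id
    Flow("10.0.0.5", "203.0.113.7", "tcp", 443,
         BITTORRENT_HANDSHAKE + b"\x00" * 8 + b"A" * 20 + b"B" * 20),
    # DHT "ping" query over UDP/443
    Flow("10.0.0.5", "203.0.113.9", "udp", 443,
         b"d1:ad2:id20:" + b"C" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"),
    # Ordinary TLS ClientHello on 443: must not be flagged
    Flow("10.0.0.8", "203.0.113.10", "tcp", 443,
         b"\x16\x03\x01\x00\xc8\x01\x00\x00"),
    # Plain HTTP on a default BitTorrent port: port rule fires, payload rule does not
    Flow("10.0.0.9", "203.0.113.11", "tcp", 6881,
         b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    # Gnutella connect on its default port: both rules agree
    Flow("10.0.0.12", "203.0.113.12", "tcp", 6346, b"GNUTELLA CONNECT/0.6\r\n"),
]


def summarize(flows=SAMPLE_FLOWS):
    """Compare the two rules: what the port rule misses and where it false-alarms."""
    rows = classify(flows)
    missed = [r["flow"] for r in rows if r["payload_rule"] and not r["port_rule"]]
    false_pos = [r["flow"] for r in rows if r["port_rule"] and not r["payload_rule"]]
    return {"rows": rows, "missed_by_port_rule": missed, "port_rule_false_positives": false_pos}


if __name__ == "__main__":
    for row in summarize()["rows"]:
        print(row)
```

Run as a script it prints one row per flow; the two flows on port 443 are caught only by the payload signatures, and the HTTP request on 6881 is flagged only by the port rule. A production sensor (an IDS/IPS or the monitoring tools the guide refers to) keeps per-flow state and matches many more signatures, but the contrast between the two verdict functions is the reason the article gives for looking past IP and port numbers.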
Days before the P2P Cyber Protection and Informed User Act was introduced in February, the Federal Trade Commission notified nearly 100 organizations that sensitive data about employees and customers had leaked onto peer-to-peer file-sharing networks. The data breaches alert on P2P file sharing served as a notice that the nation's top consumer privacy regulator is watching how enterprises address this risk.
The sensitive data was accessible to "any users of those networks, who could use it to commit identity theft or fraud," read the FTC statement. "We found health-related information, financial records and drivers' license and Social Security numbers -- the kind of information that could lead to identity theft," said FTC chairman Jon Leibowitz in the notice.
The P2P Cyber Protection and Informed User Act was introduced by Sens. John Thune (R-S.D.) and Amy Klobuchar (D-Minn.) last month.
"As a former prosecutor, I know that identity theft and security leaks can be prevented," Klobuchar said in a statement posted on her website. "Families across Minnesota run the risk of unintentionally sharing all of their private files, like tax returns, legal documents, medical records and home movies when they are connected to peer-to-peer networks. This bill will let people know -- in a way that they can understand -- that their personal files are being shared with complete strangers."
A similar software notification bill designed to introduce notice and consent into the process of using peer-to-peer software was passed in the House of Representatives last year.