Bugwatch: The perils of peer-to-peer

This week Frank Coggrave, UK regional director of Websense, warns of the dangers of file-sharing networks and suggests solutions for dealing with employees' use of P2P.

Increasing legal pressure on internet file sharing over peer-to-peer (P2P) networks means companies need to be ever more vigilant about what is on their networks.

The record industry's concerns with P2P services are primarily related to piracy, but there are many other dangers lurking behind P2P software that could affect every internet-connected business.

The problem for the record industry and companies alike is that free file-sharing systems are likely to become increasingly popular over the next few years.

In 2001, consumers downloaded more than five billion audio files from unlicensed file-sharing services.

There is also a lot of material available to users: five million games crossed P2P networks in 2002.

The temptation to use company resources for P2P file sharing is great.

With the amount of downloadable material available, it is easy for a user to think: "I'm only downloading one song," without realising the risks they are incurring for their employer.

File-sharing applications at work have access to more bandwidth than the average home user, and many staff will want to take advantage, downloading a movie in an hour over high-speed connections rather than taking several hours at home.

Employer networks also offer much more storage space and, with the arrival of low-cost terabyte storage appliances, there will soon be even more available.

But network bandwidth issues and pirated music represent only a small part of the overall risk to companies: pornography and pirated software can also be downloaded over P2P networks.

A recent study which analysed more than 22 million searches on file-sharing networks found that 73 per cent of all movie searches were for pornography and 24 per cent of all image searches were for child pornography.

In fact only three per cent of searches were for non-pornographic or non-copyrighted materials.

MP3 and movie files on company servers put an organisation at risk of legal action for copyright violations.

And pornographic material can lead to long and complex investigations, perhaps even a visit from the police.

Then there are the additional risks of Trojans and viruses. When downloading files from P2P networks there is no way of trusting the source or finding out whether it comes with a virus or a Trojan hidden in its installation files.

Of the top 50 viruses and worms in the past six months, 19 used P2P and instant messaging applications to spread.

Many P2P network clients will also install spyware to gather information on surfing habits.

Security attacks do not just come from a piece of malicious code. Employees could find that they are sharing not just their music and images, but exposing confidential documents and files.

So while a copy of the latest number one album could be coming into the network, a customer list could, unbeknown to the employer, be on its way out.

While an organisation might think it has locked down its networks using security software such as firewalls and port blocking, P2P applications can be tunnelling through trusted open ports, linking employee PCs to a global virtual private network.

What appears to a firewall as a persistent web connection or an FTP session could be someone downloading several episodes of the latest cult TV series.

For organisations worried about P2P applications running over their network, here are some tips to keep the above threats to a minimum:

• Educate: Employees and managers must be made aware of the dangers of P2P. Check that an acceptable usage policy is distributed to all employees to ensure there is no room for ambiguity.

• Report on usage: Invest in employee internet management software which allows management to view employees' internet activity.

• Enforce policy: Enforce company security policy and block access to P2P-related websites.

• Follow up: The internet is dynamic and constantly changing, so avoid static solutions.