April 2007 - Volume 2, Issue 4 - Security Concerns Regarding Peer To Peer (P2P) File Sharing


Security Concerns Regarding Peer To Peer (P2P) File Sharing

Peer-to-Peer (P2P) networking has become a popular method for sharing files, music, photographs and other information.  P2P allows computer users, utilizing the same P2P software, to connect with each other and directly access files from one another's hard drives.

 

Although the concept of file sharing seems benign, there are a number of risks associated with P2P.

 

Some of the major risks are:

  • Sharing files on your computer with anonymous and unknown users on the Internet is contrary to the basic principles of securing your computer.
  • Even if you know the source, in P2P, opening a file has risks – it may contain a Trojan horse, worm, virus or other malware. 
  • P2P may expose personal, private or confidential data on your computer.
  • P2P software, like any other application, may contain vulnerabilities which could allow unauthorized access.
  • It is possible that the P2P software may be a malicious version - it might include a virus or Trojan.
  • In order to share files on your computer or to access files on other computers within a P2P network, you generally must authorize access through your firewall. This exposes your system to potentially malicious traffic from the Internet that otherwise may have been blocked by the firewall.
  • P2P traffic may consume your bandwidth, diminish your computer’s performance, cause a denial of service and impede access to the Internet.
  • Some P2P programs may implement default settings that you do not want to use, such as scanning your entire drive, looking for files to share. 
  • Some of the files shared or downloaded may include copyrighted material, pirated software and other illegal material. 

 

Because the negative effects of P2P far outweigh any potential benefits, the best way to protect your computer/system is to avoid P2P technology.

However, in the event of a documented business case for using P2P, make sure a thorough risk assessment is completed before employing this service.  If a P2P file sharing network is the only solution for your needs, consider the following tips for use of this type of service:

 

Obtain Permission to Use P2P

Obtain explicit, written permission from your organization’s cyber security group or IT director before installing a P2P client or using P2P network file sharing on a corporate network or system.

 

Limit Use of P2P On a Corporate Network

Restrict access to those in your organization who have legitimate business needs for P2P file sharing.

 

Obtain the P2P Software from a Legitimate Source

Obtain software only from known, legitimate and reputable sources. 

 

Restrict Access

Restrict P2P access to only those folders specifically identified for this purpose.  When you install P2P client software and join a P2P network, check to see if there is a default folder for sharing, which is designated during the installation. If there is, limit file sharing only to this folder. The designated folder should contain only files that you want others on the P2P network to be able to view and download. Be careful not to designate the root "C:" drive as the shared files folder, which enables everyone on the P2P network to see and access virtually every file and folder on the entire hard drive.

 

Scan Everything

It is important that you have protective security software (anti-virus and anti-spyware) running on your computer.  This software should perform a virus scan on any file you download before you execute or open it. Make sure that the most current anti-virus software and virus definition updates are installed on your computer.

 

Scan your computer periodically with virus and spyware detection tools to ensure you haven't installed malicious code on your system.

 

Adhere to the Law (Copyright and others)

Know the laws.  There may be legal ramifications from sharing and/or downloading certain files.  Downloading illegal copies of files (e.g., music, movies, etc.), downloading improper files on computers or networks, or sharing personal information may lead to legal consequences, such as prosecution, disciplinary action and financial liability.

 


Brought to you by:

http://www.msisac.org