The potential for abuse has risen as so-called information concentrators employ file-sharing clients to scour P2P networks for data that can be used for ID theft, fraud, and other illicit activities. Last September, authorities in Seattle arrested 35-year-old Gregory Kopiloff on charges that he used LimeWire to amass federal tax returns, student financial aid applications, and credit reports, then used them to open accounts in other people's names. Kopiloff pleaded guilty and is due for sentencing March 17.
IT departments must be proactive because once business data pops up on a P2P network, there's no pulling it back. By the time you learn of the breach, your spreadsheets and documents may have spread to dozens of computers, including ones outside U.S. legal jurisdiction.
Step 1 is to ensure that IT policies address P2P usage and that management tools are in place to enforce them. Products from Audible Magic, Cisco, Cymphonix, FaceTime, and St. Bernard Software let IT administrators restrict, monitor, and otherwise manage P2P network access. Jump on any users caught breaking the rules.
It's not unusual for IT administrators to think there are no P2P clients on a corporate network when in fact there are, says FaceTime VP Frank Cabri. That's because P2P apps can make themselves look like browser traffic. "They're very evasive. They find a way to connect," says Cabri. FaceTime's Unified Security Gateway gives admins fine-grained control over 130 P2P applications.
Step 2 is to watch P2P nets for data leaks. IT departments can periodically monitor major networks using the search function in a file-sharing application, but it's laborious, hit-or-miss work. P2P clients let you search only one network at a time and, even then, they show files from only some nodes. Security service companies such as Cyveillance will do the grunt work for you, but face the same challenge: limited visibility.