P2P puts your business at risk

In June, the Recording Industry Association of America (RIAA) decided to start suing individual computer users who share "substantial" amounts of copyrighted music.

For Internet-connected businesses that aren't taking steps to stop illegal downloading, the proposed RIAA lawsuits could pose a serious financial risk.

Companies found liable for copyright infringement on the part of their workers could face up to $150,000 in damages per illegally copied file.

The RIAA expects to file its first round of lawsuits as early as mid-August.

The extent of the problem is great.

AssetMetrix Research Labs recently published a study of businesses that showed most of them had P2P (Peer-to-Peer) applications installed on some percentage of their computers.

The study included over 175,000 PCs from over 560 corporations from a broad cross-section of industry sectors.

The study shows businesses aren't yet taking their computer use policies seriously.

P2P started in 1999 with the release of Napster, a free program that allowed Internet users to share music files stored on their computers with anyone else on the Internet.

Napster had to stop its activities because the RIAA was able to prove that Napster materially contributed to the illegal activity of its users.

Newer incarnations of Napster-like software such as Kazaa, Morpheus, and Grokster have been able to dodge the RIAA's legal attacks, which has probably contributed greatly to the RIAA's new tactic of going after individual users and their employers.

Most computer users consider their activities on the Internet private and anonymous.

Nothing could be further from the truth.

The RIAA announced it was actively monitoring the file-sharing networks to begin locating the most serious offenders.

Earlier in April, the Federal Courts upheld the DMCA (Digital Millennium Copyright Act) provision that allows copyright holders like the RIAA to subpoena ISPs (Internet Service Providers) for customer records of suspected users who are infringing on their copyrights.

Indications are that the recording industry is actively exercising its rights under DMCA.

The San Jose Mercury News reported on Saturday, July 19, that the RIAA has already secured at least 871 federal subpoenas during the past month.

In addition to the right of subpoena, copyright holders also can file to have the ISP immediately terminate access to subscribers that utilize P2P software to illegally exchange copyrighted material.

Businesses that don't take steps to control the use of P2P software on their networks could very well get kicked off the Internet.

Besides the legal risks there are other reasons for businesses to take serious action against P2P software on their networks and computers.

P2P software is the newest conduit for viruses and other malicious software.

The most common P2P viruses copy themselves into shared folders with popular file names to try to trick others into downloading the infectious code.

Creative hackers have also started exploiting the P2P protocols to create backdoor and Trojan-horse programs that have the capability to remotely take over an unsuspecting user's computer.

For these attacks to occur, a computer user wouldn't actually have to be in the process of uploading or downloading any files.

The P2P software would only have to be running for the exploit to occur.

These kinds of attacks also have the potential of bypassing all traditional firewall and virus scanning security devices.

P2P software also presents a basic risk to data privacy.

An incorrectly configured P2P application could allow outsiders to search and download all the files in a worker's company computer or the corporate server.

This kind of weakness can be exploited by anyone with a minimum amount of computer experience, maybe less if an employee accidentally shares their company's QuickBooks database on the Internet.

It doesn't have to be a computer-savvy hacker that compromises your business' confidential data.

So how do owners/managers protect their businesses and livelihoods? First, all businesses with computers in the workplace need a written computer-use policy that specifically prohibits illegal activities on company-owned computer systems.

The policy must be distributed and acknowledged by every employee.

The MPAA (Motion Picture Association of America) and RIAA have a corporate policy guide at www.mpaa.org/Antipiracy/press/2003/2003_02_13.pdf.

At the end of the guide they have provided a sample memo to employees and sample policy.

Second, computers must be audited for any unauthorized P2P software and/or copyrighted material.

For a company with a limited number of computers this may not take very long.

But for organizations with a moderate to large number of computers and distributed offices, the purchase of an audit software package may be necessary.

Audits should be conducted on a regular basis and documented as proof of proper enforcement of company policies.

Finally, medium to large companies should consider implementing network security solutions that work to block P2P file-sharing activities.

Most Internet firewalls can be configured to block common file sharing "ports" and also filter websites that make available the P2P software for download.

It's important to note that "port" and website filtering will only prevent the most casual attempts at P2P file sharing.

A determined and knowledgeable P2P user can quickly defeat these controls.

On the more advanced side, there are several newer security appliances that can more effectively work against illegal file sharing.

These systems integrate firewall, proxy, traffic scanning, anti-virus and intrusion detection into a comprehensive solution.

This kind of security measure, properly implemented, can make peer-to-peer file sharing extremely difficult to do.
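
The audit step described above, sketched as an added example (not from the original article or from any audit product): it checks a per-machine inventory for the P2P clients the article names, for whole-drive shares, and for executables sitting in shared folders, and emits a dated record that can be kept as proof of enforcement. The inventory format, finding labels and extension list are assumptions, and the sample data is constructed.

```python
import csv
import io
import re
from datetime import date
from pathlib import PureWindowsPath

# Clients named in the article; extend from your own policy list.
P2P_CLIENTS = ("kazaa", "morpheus", "grokster", "napster")
# Assumption: extensions treated as executable when found in a shared folder.
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}

def audit_host(host, programs, shared_dirs, shared_files):
    """Return (host, finding, detail) tuples for one machine's inventory."""
    findings = []
    for prog in programs:
        # Match on whole words so version strings and mixed case still hit.
        words = re.findall(r"[a-z0-9]+", prog.lower())
        if any(w in P2P_CLIENTS for w in words):
            findings.append((host, "p2p-client-installed", prog))
    for d in shared_dirs:
        p = PureWindowsPath(d)
        # A share at the drive root exposes every file on that volume.
        if p.anchor and p == PureWindowsPath(p.anchor):
            findings.append((host, "whole-drive-shared", d))
    for f in shared_files:
        # Executables in a share are how P2P worms pose as popular files.
        if PureWindowsPath(f).suffix.lower() in EXECUTABLE_EXT:
            findings.append((host, "executable-in-share", f))
    return findings

def audit_report(inventory, when):
    """Run the audit over every host and return a dated CSV record."""
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(["audit_date", "host", "finding", "detail"])
    for host, inv in sorted(inventory.items()):
        rows = audit_host(host, inv["programs"], inv["shared_dirs"], inv["shared_files"])
        for row in rows or [(host, "clean", "")]:  # record clean hosts too
            w.writerow([when.isoformat(), *row])
    return out.getvalue()

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = {
    "ACCT-01": {"programs": ["QuickBooks Pro", "KaZaA Media Desktop 2.1"],
                "shared_dirs": ["C:\\"],
                "shared_files": ["C:\\My Shared Folder\\hit_single.mp3.exe"]},
    "FRONT-02": {"programs": ["Microsoft Office"], "shared_dirs": [], "shared_files": []},
}

if __name__ == "__main__":
    print(audit_report(SAMPLE, date.today()))
```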

Louis Rachal has more than 20 years of technology and networking expertise and is currently working with JFG Systems, Inc., a firm specializing in "secure network access from anywhere" located in Carson City.
