Third parties expose firms' data via P2P
Security chiefs may need to police the use of peer-to-peer systems outside their networks
A security expert has warned firms they need to address a "new generation" of security weaknesses enabled by peer-to-peer (P2P) networks on the systems of third-party contractors and business partners.
Former White House security advisor Howard Schmidt, now president of R&H Security Consulting, issued the warning at a conference of senior IT security professionals hosted by certification organisation ISC2.
"It's a very important and emerging issue," Schmidt said. "We [talk a lot] about intrusion detection and antivirus…but one thing we're not paying enough attention to is P2P file sharing networks and how much data we're really exposing inadvertently, which we have no control over."
Schmidt said IT managers typically control the use of file sharing networks within their own networks, but contractors or agents working for their organisation can often keep or access corporate data on their laptops or home PCs, alongside P2P clients. He added that these users may then look for music or movie downloads on P2P applications, and inadvertently expose the entire contents of the hard drive.
"I've seen thousands of documents containing internal administrative passwords which are now being shared throughout the world," Schmidt warned. "The risk is that [criminals] are now searching for corporate information – P2P search strings [we've identified] show they're actively seeking these documents."
Schmidt said security chiefs should closely monitor P2P networks at a granular level to see if corporate data is exposed, and should look out for potential leaks across the whole supply chain, not just within the corporate perimeter. "That's the information you need so you can protect against [this threat]," he said.