Peer-to-Peer Poses Security Problems

While some companies may believe peer-to-peer file swapping is not a serious threat to their networks, security experts are warning that such practices gobble up corporate bandwidth, consume considerable disk space, and could result in major security risks.

A recent report released by Ottawa-based AssetMetrix Research Labs, a provider of managed services for PC inventory and IT analysis, looked at the problems associated with P2P downloading and found that 77 percent of P2P applications resided on desktop systems.

Some of the more common applications found included music-related apps such as Kazaa and Morpheus. Not a single company that had over 500 PCs was free of P2P applications, the report found.

The study examined approximately 175,000 PCs from over 560 corporations, 10 percent of which were in Canada.

P2P downloads can affect the amount of disk space being used, and if rampant throughout a company, P2P will gobble up a significant amount of bandwidth, explained Tom Slodichak, chief security office for WhiteHat in Burlington, Ontaria. He was clear on who suffers at companies because of P2P computing.

"The impact is [the worst] on IT managers and there is a potential impact on management, ownership, and shareholders of companies if it's found that people are harboring illegal file downloads on corporate systems," Slodichak said.

More importantly, P2P applications can create significant breaches to network security and corporate policies. As another security expert noted, there are several security-related problems that can result from downloading P2P applications. Because every user can act as a client or server in P2P computing, security concerns can be created unknowingly.

"Access control may be [one] issue. You may only want to share a folder and yet the application may be sharing your entire hard drive. It may not let you control what you want to share," said Simon Tang, a senior manager at Deloitte & Touche's LLP security services division in Toronto. Also, if an employee is not authenticated to download certain software, Tang noted that this creates trust or authentication issues for network administrators.

Some viruses are specific to P2P applications. P2P is also known to have installed third-party applications that are considered trackware or adware, the report said.

However, Tang said P2P is not a "serious" issue for large organizations because most have already created internal policies to block and monitor network traffic. Smaller companies may be more at risk, since they typically lack the technology or resources to dedicate to the problem, he said.

Several tools are available for IT departments to monitor and control the risk, including eTrust Secure Content Management from Computer Associates, and Project BlackBeard from SurfControl. Groove Networks also offers help via its Workspace collaborative product and Hewlett-Packard through its OpenView solution.

AssetMetrix said its new P2P-Tracker offering was developed in response to the global ascent of copyright infringements and peer file sharing. The software-based product is a managed service offered by AssetMetrix. It generates a series of reports that are gathered by taking inventory of a company's hardware and software products, explained Paul Bodnoff, president for the Ottawa company. The software is able to identify 260 variations of over 60 peer applications.

While IT departments have a responsibility to assemble a "laundry list" of what to look for on PCs and networks, WhiteHat's Slodichak added that educating employees on the dangers of peer downloading is an essential tool to combat the problem. If staff was educated, "they probably wouldn't do it," he said.