Endpoint

8/7/2018
10:30 AM
Adam Marre
Adam Marre
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Shadow IT: Every Company's 3 Hidden Security Risks

Companies can squash the proliferation of shadow IT if they listen to employees, create transparent guidelines, and encourage an open discussion about the balance between security and productivity.

Twelve years with the FBI and I was ready for anything: espionage, massive cyberattacks, Tom Clancy-esque zero-day exploits. I saw some of that, of course, but more often I discovered and rediscovered that it's the simple things that most often cause catastrophic problems — simple things that plague every company.

For example, midway through my stint as a dedicated cyber agent, we responded to a data breach at a well-known company. Private information, much of it highly sensitive, had been dumped into a repository on the open Internet. Was it the result of state-sponsored actors? Sophisticated activist groups? A brute-force login attack?

No. An employee had placed sensitive data in a free cloud storage account, and run-of-the-mill data thieves had simply posted it online. Despite the fact that this storage provider had a high-profile breach only months earlier, the employee didn't change the account password. A million-dollar problem could have been avoided with a 60-second password reset. This is a great example of the three risks I see in most companies.

  1. Who: Any employee can collect data. With a credit card and Internet access, any individual member of the staff can run critical company functions with or without permission. Most have good intentions. Some don't.
  2. What: Employees can collect any kind of sensitive data. Customer and company data are sensitive and can be immensely valuable. Without guidance, employees can just as easily collect and store Social Security numbers as coffee preferences. But if the Social Security numbers get hacked, you could be on the hook for millions in recovery costs.
  3. Where: Data are invisible and inaccessible to company managers. In the new GDPR world, data that doesn't live in enterprise-controlled systems is much more difficult to retrieve. Worse yet, data in private accounts follow the owner when she leaves the company. What if she's taking a list of your 100 best clients?

It's no surprise that as many as 80% of employees use unauthorized services. What is surprising is that companies have known about this threat for a very long time, yet they're still failing to address it. According to Gartner, "Through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year."

When employees use platforms that have not been screened or authorized by a company's technology and security team, they're wading into what's known as "shadow IT." And shadow IT makes it much easier for hackers to steal your company's data. For example, employees will always try to increase productivity in any way they can. They'll rely on unsanctioned cloud-based file storage, survey software, or messaging apps if those apps will save them a few minutes. But this kind of behavior opens up the holes that can cost a company millions of dollars and priceless consumer trust. A 2017 study by the Ponemon Institute found that the average cost of a breach is $3.62 million. There's nothing productive about that. 

Chat-Room Lurkers
Another true story: During an investigation into a network intrusion at a large company, the network engineering team was using a free chat tool to communicate as they fought to regain control of their network. They had not told anyone about this tool, and they had been using it for months. In fact, it became their primary channel as they chased the attackers in their network. Do you see where this is going?

These engineers hadn't involved their infosec team in vetting the tool, and it was set up insecurely. The attackers had joined the very chat group the engineers were using to try to kick them off, and they were tracking the team's every move. We discovered the intruders only by identifying every person in the chat group and isolating several imposters. After that, we moved quickly to a different communications channel. 

In their rush to be productive, the engineers made the problem worse with a sloppy setup of a free tool. The company spent a lot more time and money remediating the breach, and the data loss was much larger than it could have been. They had to spend millions to inform customers and to provide credit protection for those customers.

Squashing Shadow IT
How can your company avoid horror stories like these? Here are four ways to bring security priorities and employee behavior together:

  1. Policy and communication. Companies need a well-defined policy on the use of unsanctioned services and the protection of company data. But policy won't accomplish anything if it isn't communicated to employees. Offer regular training, including explanations of the rationale behind the policy and real-world risks.
  2. Open-minded onboarding. New employees often want to use the productivity tools that were helpful at their previous jobs, so onboarding must include the data security policy. But also use that moment to take new suggestions into account.
  3. What you don't know can hurt you. Survey employees regularly on the resources they're using to illuminate security risks before a breach occurs. If enough employees need a solution, IT should work to find an approved vendor that can securely fill that need.
  4. Partners, not police. Foster an ongoing conversation between employees and your company's security/IT departments about how to balance productivity with security. If your security team reflexively says "no" whenever employees want productivity-boosting tools, employees will just stop asking and use the tools anyway.

Companies can squash shadow IT risk, but they have to be willing to listen to their employees, create transparent guidelines, and encourage an open discussion on the best ways to be both productive and secure.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info

Adam Marrè, CISSP, GCIA, GCIH, is a Qualtrics information security operations leader and former FBI cyber special agent. Adam has more than 12 years experience leading large-scale computer intrusion investigations and consulting as a cybercrime ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
dan91266
50%
50%
dan91266,
User Rank: Strategist
9/17/2018 | 7:32:17 PM
Shadow IT Senior Management has to step up
Shadow IT happens when policies and procedures prevent employees from doing their work. The case of the insecure chat app in the article is a perfect example.  Unsanctioned FTP clients and back door local user names and passwords are also symptoms of this.  

This happens when senior management refuses to budget for the tools needed to secure Identity and Access  Management in a way that lets employees work efficiently or when they don't buy into those intitiatives. Finally indadaquate IT and Security staff, or undertrained staff also feeds this evil weed. 

If you make it hard or impossible for employees to work efficiently, or fail to factor your kludgy (read often "budget friendly") infrastructure into performance goals, people will find a way to work efficiently.  And why wouldn't they? If I have to get spreadsheets or reports distributed to my supply chain vendors, and that is a poor, manual process that takes a lot of time, you bet I will find a quicker way.  Nobody EVER got a raise for following policy that requires a slow, inefficient process and no review ever says, this employee did less, but they did it securely so give them a bigger raise than the ones who cheated but were more productive.

If you want your people to adher to secure processes, make those processes MORE efficient than a hacked up back door.  

Start incentivizing good behavior  instead of bad, and you will be amazed how secure things become. 

It's just that simple. 

 
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
8/7/2018 | 6:45:14 PM
Shadow IT by any other name
Fine article from a veteran cybersecurity professional about an aspect that doesn't get enough attention.  Call it shadow IT, or something else, it comes down to data governance. 

Where Adam has "What you don't know can hurt you.", I'd add: You can't protect what you don't know you have.  You can't protect data unless you know you have it, and know where it's stored - EVERYWHERE it's stored: every copy, every version, every device, every service, every B2B partner, even the data which can be reconstituted from disparate stores and sources, even the bio-memory of your knowledge workers, past and present.  Too many places?  Next time, limit the places to where it's needed. 

For vast amounts of data, it's too late to regain control (control which was an illusion to begin with); but new data is generated all the time - you do have a chance to a better job of data governance with that.  However, if you don't have an understanding of the fundamental nature of data and information, you're bound to repeat the old mistakes even if you find new ways (or new ways find you), to do that.  Forget the idea of just protecting your "sensitive" data; in time, someone will find a way to make use of any data you leave unprotected to get at the crown jewels.

You have to start somewhere, start with this: don't put any data in front of anyone or on anything that doesn't need that specific data to do a specific job, and only while they are doing that specific task (not whenever they feel like it).  I mean a specific person, not a job title.   Make sure your authentication and authorization always resolves to an entity - not a type. 
New Cold Boot Attack Gives Hackers the Keys to PCs, Macs
Kelly Sheridan, Staff Editor, Dark Reading,  9/13/2018
Yahoo Class-Action Suits Set for Settlement
Dark Reading Staff 9/17/2018
RDP Ports Prove Hot Commodities on the Dark Web
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: In Russia, application hangs YOU!
Current Issue
Flash Poll
How Data Breaches Affect the Enterprise
How Data Breaches Affect the Enterprise
This report, offers new data on the frequency of data breaches, the losses they cause, and the steps that organizations are taking to prevent them in the future. Read the report today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-3912
PUBLISHED: 2018-09-18
Bypassing password security vulnerability in McAfee Application and Change Control (MACC) 7.0.1 and 6.2.0 allows authenticated users to perform arbitrary command execution via a command-line utility.
CVE-2018-6690
PUBLISHED: 2018-09-18
Accessing, modifying, or executing executable files vulnerability in Microsoft Windows client in McAfee Application and Change Control (MACC) 8.0.0 Hotfix 4 and earlier allows authenticated users to execute arbitrary code via file transfer from external system.
CVE-2018-6693
PUBLISHED: 2018-09-18
An unprivileged user can delete arbitrary files on a Linux system running ENSLTP 10.5.1, 10.5.0, and 10.2.3 Hotfix 1246778 and earlier. By exploiting a time of check to time of use (TOCTOU) race condition during a specific scanning sequence, the unprivileged user is able to perform a privilege escal...
CVE-2018-16515
PUBLISHED: 2018-09-18
Matrix Synapse before 0.33.3.1 allows remote attackers to spoof events and possibly have unspecified other impacts by leveraging improper transaction and event signature validation.
CVE-2018-16794
PUBLISHED: 2018-09-18
Microsoft ADFS 4.0 Windows Server 2016 and previous (Active Directory Federation Services) has an SSRF vulnerability via the txtBoxEmail parameter in /adfs/ls.