Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/6/2020
02:00 PM
Dmitry Dontov
Dmitry Dontov
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Four Rules and Three Tools to Protect Against Fake SaaS Apps

Here's how to blunt the twinned forces of shadow IT and counterfeit apps and keep your data safe.

When employees work in an office setting, they operate under a certain number of protections. There is likely a secure network connection, up-to-date software defenses, and a team in charge of monitoring threats and educating employees on risky behavior. The shielding of company (and even more importantly, customer) data is of utmost importance. Even in this setting, the number of employees who admit to using unauthorized apps, devices, or other technologies is approximately 40% at any given time. Nearly half of all employees are engaging in risky behavior. And that's just when they're in the office. 

Now, with the influx of people working from home and operating outside normal, secure on-premises parameters, the likelihood of experiencing cybercrime has increased. Some experts predict that by the end of 2020, shadow IT will be responsible for one in three security breaches. An increasing concern in the world of shadow IT is the rise of fake SaaS-connect applications. While banning employees from downloading these and other types of apps would undoubtedly reduce the threat, a more effective method probably lies in between no apps and free rein. 

Here are four rules and three tools that can help you control this rogue behavior and minimize the risk fake SaaS apps pose to your company. 

Rule 1: Openly Allow the Use of Third-Party Apps
To develop structure around the use of these apps, you have to acknowledge they're being used. Banning the practice entirely creates an environment where people refuse to ask for help, especially if something seems amiss. By explicitly recognizing the ongoing use of third-party apps, you can build in mandatory rules that make their usage much safer for the company as a whole.  

To create a list of mandates, it's essential to know which apps post the most risk to the organization. Utilizing a third-party software system that can track which apps are downloaded and rank those apps based on assumed risk is recommended.

Rule 2: Generate a List of Approved and Banned Apps
Once you have visibility into the number and types of apps living on the devices throughout your network, you can assess which are compliant with your organization's privacy and security policies. Making a public list of which apps are allowed (and which should be deleted) is an excellent way to encourage the use of safe apps and even introduce your employees to new options that may make them more productive. If there are several "allowed" apps in various categories on the list, it lessens the chances that employees will go off on their own to find a potentially risky solution.

Rule 3: Host Mandatory (Virtual) Cybersecurity Trainings
The most significant risk to your data security is not the fake SaaS apps; it is the people who download them. It only takes one non-compliant person to introduce risk to an entire data set. For this reason, it's imperative that ongoing cybersecurity training is a part of your total protection strategy. These trainings are not just crucial for new employees during the onboarding process. They should be updated and viewed yearly by all employees in the organization. Investing a little in education can reduce the risk of being compromised substantially. 

Rule 4: Set Clear Rules Around Sensitive Information Sharing
Leaked sensitive data can create a real issue for both individuals and the greater organization. If an employee has given a risky app access to their email or cloud drive, and there is sensitive data stored in these areas, a bad actor can take control. Confidential information sharing can legally compromise the whole company and generate enormous fines for noncompliance. Setting clear, visible rules around user permissions and sharing platforms can help mitigate your chances of a breach. 

Now that the rules are established, how can you monitor adoption across the organization? Consider these three tools, all recommended for minimizing the risks associated with fake apps and Sshadow IT. 

An App Audit Solution
Look for a solution that will conduct automatic, ongoing scans of all third-party apps connected to your employees so you can identify risk in real-time. These tools will also inform the list of banned apps noted in rule two. Having the ability to see apps and their risk score all in one place is a great advantage for anyone looking to take better control of unauthorized activity.

A Backup Tool
One of the risks of shadow IT is data loss. If a third-party app or a Web extension is run by a threat actor, it can infect your data with ransomware or delete it. A reliable backup solution is an indispensable part of every organization where data management is a focus. Ransomware risks are higher than ever as cybercriminals turn their attention toward the cloud-based services being used by remote workers. Make sure your data is protected from all sides. 

A Ransomware Protection Tool
Ransomware is one of the main risk factors associated with third-party applications. It can seep through unauthorized applications and devices that your employees bring to work every day. Ransomware exploits any vulnerability and can move quickly from device to device and straight into your organization's network. Choose a solution that can stop an attack while it's in progress and flag it immediately. The sooner you're aware of a breach, the more likely you are to save your data.

Related Content:

 

 

Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.

Dmitry Dontov is the CTO and Founder of Spin Technology, a cloud data protection company based in Palo Alto and a former CEO of Optimum Web Outsourcing, a software development company from Eastern Europe. As a serial entrepreneur and cybersecurity expert with over 20 years of ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27605
PUBLISHED: 2020-10-21
BigBlueButton through 2.2.8 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "schwache Sandbox."
CVE-2020-27606
PUBLISHED: 2020-10-21
BigBlueButton before 2.2.8 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
CVE-2020-27607
PUBLISHED: 2020-10-21
In BigBlueButton before 2.2.8 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store the audio data and/or tr...
CVE-2020-27608
PUBLISHED: 2020-10-21
In BigBlueButton before 2.2.8 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document.
CVE-2020-27609
PUBLISHED: 2020-10-21
BigBlueButton through 2.2.8 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant.