Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Report: Unauthorized Apps Run Rampant on Many Enterprise Networks

Detailed analysis of traffic on 60 enterprise networks finds broad usage of software that isn't sanctioned by IT

End users are employing unauthorized, untested applications on their companies' networks at an alarming rate, and most IT departments don't know about it, according to a report published earlier today.

Palo Alto Networks issued its "Application Usage and Risk Report," a twice-yearly study of data collected from evaluations of live traffic at enterprises that use its next-generation firewall, which can monitor application traffic at a granular level. In the new study, Palo Alto reports on traffic in 60 enterprises, representing about 960,000 users.

The key finding, according to Palo Alto, is that most enterprises are supporting traffic from applications they don't know they have -- and in many cases, don't allow.

"In the 60 enterprises we evaluated, we found a total of 290 applications," says Steve Mullaney, vice president of marketing at Palo Alto. "We found as many as 230 applications in one enterprise. The low number was 50."

What that means, according to Palo Alto, is that many companies are running applications that IT doesn't sanction, or even know about. For example, more than 80 percent of the enterprises showed some traffic from Google applications, which most companies don't use for business, and virtually all of the enterprises exhibited at least some peer-to-peer traffic, which is generally viewed as a security vulnerability and disallowed by IT.

"This is nothing new," says Mullaney. "People have been bringing applications into the corporate network for years, and IT is always the last to know. But what surprises a lot of IT people is just how widespread it is. They feel like they've got a pretty good idea of what's on their network, but often, they don't."

Some of the "extra" applications traffic comes from malware, Palo Alto says. The study found iFrame attacks in 86 percent of the enterprises, and about 200 different variations of spyware. "We're also seeing a lot more media-based attacks," such as those hidden in audio or video content, Mullaney says.

Video and other streaming media, which usually aren't required for everyday business, represent a large chunk of the bandwidth used in the corporate network, Palo Alto says. "During one week of the Olympics, we saw one company where 80 percent of the Internet video usage was from sites related to the Olympics," Mullaney says. "That wasn't part of the company's business."

Aside from the threats to security or productivity, Palo Alto also spotted some trends that indicate significant shifts in application usage. For example, the study indicates that 64 percent of HTTP traffic is linked to specific applications, rather than a Web browser. "That means that HTTP is becoming the universal protocol for application delivery," Mullaney says. "You can no longer assume that most of your HTTP traffic is from people surfing the Web."

After looking at the Palo Alto data, some of the companies in the study tried blocking or filtering the unsanctioned applications, but they received heavy pushback from users. "In a lot of cases, what they decided was to go ahead and allow a lot of the applications, but talk to the users about how to use them securely," he said. "It's sometimes better to let the user keep it above board, so that you can track it and monitor it and build a policy for using it, than to outlaw it and drive the user underground."

But in the case of applications that have a big security downside and very little business value, it might make more sense to do blocking, Mullaney advises. "There are some applications, like Tor and P2P, which have no earthly business on the network except to get around IT," he notes. "In those cases, we see companies just trying to root it out."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Palo Alto Networks Inc.

    Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Recommended Reading:

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    User Rank: Strategist
    4/16/2013 | 6:49:24 PM
    re: Report: Unauthorized Apps Run Rampant on Many Enterprise Networks
    Regarding Tor in the workplace: -Good luck with that! -:)

    Usage scenario: -Tunnelier Portable (SSH tunneler application) configured with port forwarding. -

    1. user configures SSH profile.
    2. user configures Client-to-Server port forwarding rules allowing connections to services they run on the remote network so that they don't have to run them locally where they'll inevitably be detected.
    3. user configures Firefox Portable, KVirc Portable, and a few other portable apps to connect via HTTP/HTTPS proxy on (which is forwarded to a Privoxy + TOR + I2P proxy construct at the remote location).
    4. user accesses darknet domains freely, and IT has no (or limited) ability to block or circumvent this activity.

    In an alternate scenario, the user utilizes a similar construct via a Linux PC configured with GSTM (Gnome Secure Tunnel Manager) to do basically the same thing.

    Personally, I've explored this option very heavily and it works fantastically to circumvent any and all network traffic filtering put in place on the corporate network, effectively allowing the user to do as they please... albeit at a reduced speed due to the overhead of the SSH-to-Privoxy-to-Tor-Tunnel... but with broadband availability being what it is today, the speed of Tor is increasing all the time, making it a much more attractive option to those that are in the know. -Since Tunnelier only makes a single connection, which it keeps alive and wraps in AES256 encryption via SSH2 protocol, and OpenSSH can be configured to listen on literally any TCP port, it's *nearly* impossible to detect and block, since it can simply be tunneled in turn over HTTPS.

    What many security articles overlook, although this one hints at, is the fact that many savvy corporate network users are using hacking skills themselves, but not to hack in.... rather, to hack *out*, essentially giving them freedom of movement to external networks and resources.
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 7/9/2020
    Introducing 'Secure Access Service Edge'
    Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  7/3/2020
    Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
    Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
    Register for Dark Reading Newsletters
    White Papers
    Current Issue
    Special Report: Computing's New Normal, a Dark Reading Perspective
    This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
    Flash Poll
    The Threat from the Internetand What Your Organization Can Do About It
    The Threat from the Internetand What Your Organization Can Do About It
    This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2020-07-09
    An information leak was discovered on Yubico YubiKey 5 NFC devices 5.0.0 to 5.2.6 and 5.3.0 to 5.3.1. The OTP application allows a user to set optional access codes on OTP slots. This access code is intended to prevent unauthorized changes to OTP configurations. The access code is not checked when u...
    PUBLISHED: 2020-07-09
    In TimelineJS before version 3.7.0, some user data renders as HTML. An attacker could implement an XSS exploit with maliciously crafted content in a number of data fields. This risk is present whether the source data for the timeline is stored on Google Sheets or in a JSON configuration file. Most T...
    PUBLISHED: 2020-07-09
    The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures. It allows an attacker to duplicate a valid signature in order to circumvent TUF requiring a minimum threshold of unique signatures before the metadata is considered valid. A ...
    PUBLISHED: 2020-07-09
    A reflected Cross-Site Scripting (XSS) Vulnerability in the KingComposer plugin through 2.9.4 for WordPress allows remote attackers to trick a victim into submitting an install_online_preset AJAX request containing base64-encoded JavaScript (in the kc-online-preset-data POST parameter) that is execu...
    PUBLISHED: 2020-07-09
    IBM Guardium Activity Insights 10.6 and 11.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure l...