
Report: Unauthorized Apps Run Rampant on Many Enterprise Networks

Detailed analysis of traffic on 60 enterprise networks finds broad usage of software that isn't sanctioned by IT

End users are employing unauthorized, untested applications on their companies' networks at an alarming rate, and most IT departments don't know about it, according to a report published earlier today.

Palo Alto Networks issued its "Application Usage and Risk Report," a twice-yearly study of data collected from evaluations of live traffic at enterprises that use its next-generation firewall, which can monitor application traffic at a granular level. In the new study, Palo Alto reports on traffic in 60 enterprises, representing about 960,000 users.

The key finding, according to Palo Alto, is that most enterprises are supporting traffic from applications they don't know they have -- and in many cases, don't allow.

"In the 60 enterprises we evaluated, we found a total of 290 applications," says Steve Mullaney, vice president of marketing at Palo Alto. "We found as many as 230 applications in one enterprise. The low number was 50."

What that means, according to Palo Alto, is that many companies are running applications that IT doesn't sanction, or even know about. For example, more than 80 percent of the enterprises showed some traffic from Google applications, which most companies don't use for business, and virtually all of the enterprises exhibited at least some peer-to-peer traffic, which is generally viewed as a security vulnerability and disallowed by IT.

"This is nothing new," says Mullaney. "People have been bringing applications into the corporate network for years, and IT is always the last to know. But what surprises a lot of IT people is just how widespread it is. They feel like they've got a pretty good idea of what's on their network, but often, they don't."

Some of the "extra" applications traffic comes from malware, Palo Alto says. The study found iFrame attacks in 86 percent of the enterprises, and about 200 different variations of spyware. "We're also seeing a lot more media-based attacks," such as those hidden in audio or video content, Mullaney says.

Video and other streaming media, which usually aren't required for everyday business, represent a large chunk of the bandwidth used in the corporate network, Palo Alto says. "During one week of the Olympics, we saw one company where 80 percent of the Internet video usage was from sites related to the Olympics," Mullaney says. "That wasn't part of the company's business."

Aside from the threats to security or productivity, Palo Alto also spotted some trends that indicate significant shifts in application usage. For example, the study indicates that 64 percent of HTTP traffic is linked to specific applications, rather than a Web browser. "That means that HTTP is becoming the universal protocol for application delivery," Mullaney says. "You can no longer assume that most of your HTTP traffic is from people surfing the Web."

After looking at the Palo Alto data, some of the companies in the study tried blocking or filtering the unsanctioned applications, but they received heavy pushback from users. "In a lot of cases, what they decided was to go ahead and allow a lot of the applications, but talk to the users about how to use them securely," he says. "It's sometimes better to let the user keep it above board, so that you can track it and monitor it and build a policy for using it, than to outlaw it and drive the user underground."

But in the case of applications that have a big security downside and very little business value, it might make more sense to do blocking, Mullaney advises. "There are some applications, like Tor and P2P, which have no earthly business on the network except to get around IT," he notes. "In those cases, we see companies just trying to root it out."


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...

Comments

StygianAgenda, User Rank: Strategist, 4/16/2013 | 6:49:24 PM
re: Report: Unauthorized Apps Run Rampant on Many Enterprise Networks
Regarding Tor in the workplace: Good luck with that! :)

Usage scenario: Tunnelier Portable (SSH tunneler application) configured with port forwarding.

1. user configures SSH profile.
2. user configures Client-to-Server port forwarding rules allowing connections to services they run on the remote network so that they don't have to run them locally where they'll inevitably be detected.
3. user configures Firefox Portable, KVirc Portable, and a few other portable apps to connect via HTTP/HTTPS proxy on 127.0.0.1:8118 (which is forwarded to a Privoxy + TOR + I2P proxy construct at the remote location).
4. user accesses darknet domains freely, and IT has no (or limited) ability to block or circumvent this activity.

In an alternate scenario, the user utilizes a similar construct via a Linux PC configured with GSTM (Gnome Secure Tunnel Manager) to do basically the same thing.

Personally, I've explored this option very heavily and it works fantastically to circumvent any and all network traffic filtering put in place on the corporate network, effectively allowing the user to do as they please... albeit at a reduced speed due to the overhead of the SSH-to-Privoxy-to-Tor tunnel... but with broadband availability being what it is today, the speed of Tor is increasing all the time, making it a much more attractive option to those that are in the know. Since Tunnelier only makes a single connection, which it keeps alive and wraps in AES256 encryption via the SSH2 protocol, and OpenSSH can be configured to listen on literally any TCP port, it's *nearly* impossible to detect and block, since it can simply be tunneled in turn over HTTPS.

What many security articles overlook, although this one hints at it, is the fact that many savvy corporate network users are using hacking skills themselves, but not to hack in... rather, to hack *out*, essentially giving them freedom of movement to external networks and resources.
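The article's point is that a port-based view of the network misses most of what is actually running, and the comment above shows why: an SSH tunnel on an arbitrary port looks like "some TCP connection" to a port filter. The following is an added example from the editor, not code from Palo Alto Networks, Dark Reading, or the commenter: a small port-agnostic classifier of the kind next-generation firewalls apply, run over constructed flow records (the addresses, payload heads and durations are made up). It illustrates what a defender can still see of such a set-up (the SSH banner on a non-standard port, an unusually long-lived session) and what it cannot (a tunnel wrapped in ordinary TLS, which needs policy rather than a signature).

```python
from dataclasses import dataclass

@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    head: bytes       # first bytes of client payload (constructed sample data)
    duration_s: int   # how long the connection stayed open

# Port each application is expected on; anything else is an app/port mismatch.
EXPECTED_PORT = {"ssh": 22, "http": 80, "tls": 443}

def identify_app(head: bytes) -> str:
    """Classify by payload signature alone, ignoring the destination port."""
    if head.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"                       # SSH identification string (RFC 4253)
    if len(head) >= 3 and head[0] == 0x16 and head[1] == 0x03 and head[2] <= 0x04:
        return "tls"                       # TLS handshake record, SSL3.0..TLS1.3
    if head.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"CONNECT"):
        return "http"
    return "unknown"

def review_flows(flows, long_lived_s=3600):
    """Return (dst, app, reason) findings a policy engine could act on."""
    findings = []
    for f in flows:
        app = identify_app(f.head)
        expected = EXPECTED_PORT.get(app)
        if expected is not None and f.dst_port != expected:
            findings.append((f.dst, app, f"{app} on port {f.dst_port}, expected {expected}"))
        elif f.duration_s >= long_lived_s and app in ("ssh", "tls"):
            # A single encrypted session kept alive for hours is how a tunnel looks.
            findings.append((f.dst, app, f"long-lived {app} session ({f.duration_s}s)"))
    return findings

SAMPLE_FLOWS = [  # constructed records, not captured traffic
    Flow("10.0.0.5", "203.0.113.10", 443, b"SSH-2.0-OpenSSH_7.4\r\n", 14400),  # SSH on 443
    Flow("10.0.0.5", "203.0.113.11", 443, b"\x16\x03\x01\x02\x00\x01", 20),      # ordinary TLS
    Flow("10.0.0.6", "203.0.113.12", 80,  b"GET /index.html HTTP/1.1\r\n", 2),  # ordinary HTTP
    Flow("10.0.0.7", "203.0.113.13", 443, b"\x16\x03\x03\x00\xc4\x01", 9000),    # long TLS flow
]

if __name__ == "__main__":
    for finding in review_flows(SAMPLE_FLOWS):
        print(finding)
```

The second TLS flow is only flagged because of its duration; with a clean handshake on 443 the signature check alone says nothing, which is the gap the commenter is relying on.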
    Sodinokibi Ransomware: Where Attackers' Money Goes
    Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
    Data Privacy Protections for the Most Vulnerable -- Children
    Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
    7 SMB Security Tips That Will Keep Your Company Safe
    Steve Zurier, Contributing Writer,  10/11/2019
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Write a Caption, Win a Starbucks Card! Click Here
    Latest Comment: The old using of sock puppets for Shoulder Surfing technique. 
    Current Issue
    7 Threats & Disruptive Forces Changing the Face of Cybersecurity
    This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
    Flash Poll
    2019 Online Malware and Threats
    2019 Online Malware and Threats
    As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2019-8216
    PUBLISHED: 2019-10-17
    Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure .
    CVE-2019-8217
    PUBLISHED: 2019-10-17
    Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
    CVE-2019-8218
    PUBLISHED: 2019-10-17
    Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure .
    CVE-2019-8219
    PUBLISHED: 2019-10-17
    Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
    CVE-2019-8220
    PUBLISHED: 2019-10-17
    Adobe Acrobat and Reader versions, 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .