
Report: Unauthorized Apps Run Rampant on Many Enterprise Networks

Detailed analysis of traffic on 60 enterprise networks finds broad usage of software that isn't sanctioned by IT

End users are employing unauthorized, untested applications on their companies' networks at an alarming rate, and most IT departments don't know about it, according to a report published earlier today.

Palo Alto Networks issued its "Application Usage and Risk Report," a twice-yearly study of data collected from evaluations of live traffic at enterprises that use its next-generation firewall, which can monitor application traffic at a granular level. In the new study, Palo Alto reports on traffic in 60 enterprises, representing about 960,000 users.

The key finding, according to Palo Alto, is that most enterprises are supporting traffic from applications they don't know they have -- and in many cases, don't allow.

"In the 60 enterprises we evaluated, we found a total of 290 applications," says Steve Mullaney, vice president of marketing at Palo Alto. "We found as many as 230 applications in one enterprise. The low number was 50."

What that means, according to Palo Alto, is that many companies are running applications that IT doesn't sanction, or even know about. For example, more than 80 percent of the enterprises showed some traffic from Google applications, which most companies don't use for business, and virtually all of the enterprises exhibited at least some peer-to-peer traffic, which IT generally treats as a security risk and disallows.

"This is nothing new," says Mullaney. "People have been bringing applications into the corporate network for years, and IT is always the last to know. But what surprises a lot of IT people is just how widespread it is. They feel like they've got a pretty good idea of what's on their network, but often, they don't."

Some of the "extra" application traffic comes from malware, Palo Alto says. The study found iFrame attacks in 86 percent of the enterprises, and about 200 different variations of spyware. "We're also seeing a lot more media-based attacks," such as those hidden in audio or video content, Mullaney says.

Video and other streaming media, which usually aren't required for everyday business, represent a large chunk of the bandwidth used in the corporate network, Palo Alto says. "During one week of the Olympics, we saw one company where 80 percent of the Internet video usage was from sites related to the Olympics," Mullaney says. "That wasn't part of the company's business."

Aside from the threats to security or productivity, Palo Alto also spotted some trends that indicate significant shifts in application usage. For example, the study indicates that 64 percent of HTTP traffic comes from specific applications rather than from a Web browser. "That means that HTTP is becoming the universal protocol for application delivery," Mullaney says. "You can no longer assume that most of your HTTP traffic is from people surfing the Web."

After looking at the Palo Alto data, some of the companies in the study tried blocking or filtering the unsanctioned applications, but they received heavy pushback from users. "In a lot of cases, what they decided was to go ahead and allow a lot of the applications, but talk to the users about how to use them securely," Mullaney says. "It's sometimes better to let the user keep it above board, so that you can track it and monitor it and build a policy for using it, than to outlaw it and drive the user underground."

But in the case of applications that have a big security downside and very little business value, it might make more sense to do blocking, Mullaney advises. "There are some applications, like Tor and P2P, which have no earthly business on the network except to get around IT," he notes. "In those cases, we see companies just trying to root it out."


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...

Comments

StygianAgenda, User Rank: Strategist, 4/16/2013 6:49:24 PM
re: Report: Unauthorized Apps Run Rampant on Many Enterprise Networks
Regarding Tor in the workplace: Good luck with that! :)

Usage scenario: Tunnelier Portable (SSH tunneler application) configured with port forwarding.

1. user configures SSH profile.
2. user configures Client-to-Server port forwarding rules allowing connections to services they run on the remote network so that they don't have to run them locally where they'll inevitably be detected.
3. user configures Firefox Portable, KVirc Portable, and a few other portable apps to connect via HTTP/HTTPS proxy on 127.0.0.1:8118 (which is forwarded to a Privoxy + TOR + I2P proxy construct at the remote location).
4. user accesses darknet domains freely, and IT has no (or limited) ability to block or circumvent this activity.

In an alternate scenario, the user utilizes a similar construct via a Linux PC configured with GSTM (Gnome Secure Tunnel Manager) to do basically the same thing.

Personally, I've explored this option very heavily and it works fantastically to circumvent any and all network traffic filtering put in place on the corporate network, effectively allowing the user to do as they please... albeit at a reduced speed due to the overhead of the SSH-to-Privoxy-to-Tor tunnel... but with broadband availability being what it is today, the speed of Tor is increasing all the time, making it a much more attractive option to those that are in the know. Since Tunnelier only makes a single connection, which it keeps alive and wraps in AES256 encryption via the SSH2 protocol, and OpenSSH can be configured to listen on literally any TCP port, it's *nearly* impossible to detect and block, since it can simply be tunneled in turn over HTTPS.

What many security articles overlook, although this one hints at it, is the fact that many savvy corporate network users are using hacking skills themselves, but not to hack in... rather, to hack *out*, essentially giving them freedom of movement to external networks and resources.
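Added example, not code from the article, from Palo Alto Networks, or from the commenter above: the check a practitioner would build to act on two points on this page, the report's finding that most HTTP traffic now comes from programs rather than browsers, and the commenter's SSH tunnel parked on whatever port IT leaves open. It names each flow's application from the first client payload bytes (SSH banner, TLS ClientHello, HTTP request line and User-Agent, BitTorrent handshake) without looking at the destination port, then compares the result against a per-port policy. The flows, the port policy and the User-Agent strings are constructed for illustration; the SSH-on-443 flow stands for an OpenSSH listener moved to 443 as the comment describes.

```python
"""Port-independent application identification over the first client payload
bytes of a TCP flow, with a per-port policy check. Added example; the flows,
policy and User-Agent values below are constructed, not captured."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Flow:
    """One flow as a firewall sees it: server address, server port and the
    first client-to-server bytes. The port is never used to name the app."""
    dst: str
    dport: int
    payload: bytes


# SSH identification string: "SSH-2.0-<software>[ <comments>]\r\n"
SSH_BANNER = re.compile(rb"^SSH-(?:1\.99|2\.0)-[\x21-\x7e]+(?: [^\r\n]*)?\r?\n")
HTTP_REQUEST = re.compile(
    rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH|CONNECT) [^\r\n ]+ HTTP/1\.[01]\r\n"
)
USER_AGENT = re.compile(rb"^User-Agent:[ \t]*([^\r\n]*)", re.IGNORECASE | re.MULTILINE)
BITTORRENT_HANDSHAKE = b"\x13BitTorrent protocol"


def identify(payload: bytes) -> Tuple[str, str]:
    """Return (application, detail) from the leading bytes of the client's first message."""
    if payload.startswith(BITTORRENT_HANDSHAKE):
        return "bittorrent", "peer handshake"
    m = SSH_BANNER.match(payload)
    if m:
        return "ssh", m.group(0).strip().decode("ascii", "replace")
    # TLS record header: type 0x16 (handshake), version 0x03xx, 2-byte length,
    # then handshake type 0x01 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls", "ClientHello"
    m = HTTP_REQUEST.match(payload)
    if m:
        if m.group(1) == b"CONNECT":
            return "http-connect", "proxy tunnel request"
        ua = USER_AGENT.search(payload)
        ua_text = ua.group(1).decode("ascii", "replace").strip() if ua else ""
        # Every mainstream browser presents the "Mozilla/" compatibility token;
        # anything else (or no User-Agent at all) is a program speaking HTTP.
        if ua_text.startswith("Mozilla/"):
            return "http-browser", ua_text
        return "http-app", ua_text or "(no User-Agent)"
    return "unknown", ""


# Constructed policy: the applications each open port is meant to carry.
PORT_POLICY = {
    22: {"ssh"},
    80: {"http-browser", "http-app"},
    443: {"tls"},
}


def audit(flows: List[Flow]) -> List[Tuple[str, int, str, str]]:
    """Return (dst, dport, app, verdict) per flow. 'mismatch' means the port is
    open but is carrying an application the policy does not expect there;
    'unexpected-port' means the port is not in the policy at all."""
    out = []
    for f in flows:
        app, _ = identify(f.payload)
        allowed = PORT_POLICY.get(f.dport)
        if allowed is None:
            verdict = "unexpected-port"
        elif app in allowed:
            verdict = "ok"
        else:
            verdict = "mismatch"
        out.append((f.dst, f.dport, app, verdict))
    return out


def http_app_share(flows: List[Flow]) -> float:
    """Fraction of HTTP flows (by flow count) whose client is a program rather
    than a browser; the report's corresponding figure is 64 percent of HTTP traffic."""
    http = [identify(f.payload)[0] for f in flows]
    http = [a for a in http if a.startswith("http-")]
    if not http:
        return 0.0
    return sum(1 for a in http if a != "http-browser") / len(http)


# Constructed sample flows (RFC 5737 test addresses).
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n"
         b"User-Agent: Mozilla/5.0 (Windows NT 10.0) Firefox/115.0\r\n\r\n"),
    Flow("203.0.113.20", 80, b"POST /sync HTTP/1.1\r\nHost: sync.example.net\r\n"
         b"User-Agent: acme-sync/2.1\r\nContent-Length: 0\r\n\r\n"),
    Flow("203.0.113.21", 80, b"GET /update.xml HTTP/1.1\r\nHost: updates.example.net\r\n\r\n"),
    Flow("203.0.113.30", 443, bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01, 0x00, 0x00, 0xC4, 0x03, 0x03]) + b"\x00" * 32),
    # OpenSSH listening on 443: the tunnel the comment describes, on the port reserved for TLS.
    Flow("198.51.100.5", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow("198.51.100.77", 6881, BITTORRENT_HANDSHAKE + b"\x00" * 8 + b"\x11" * 20 + b"-XX0001-" + b"0" * 12),
]

if __name__ == "__main__":
    for dst, dport, app, verdict in audit(SAMPLE_FLOWS):
        print(f"{dst}:{dport:<5} {app:<13} {verdict}")
    print(f"HTTP flows from non-browser clients: {http_app_share(SAMPLE_FLOWS):.0%}")
```

The SSH flow is caught because the identification string goes over the wire in the clear before any encryption starts; the same heuristic sees nothing unusual once the commenter wraps that SSH session in real HTTPS, since the first bytes are then a genuine TLS ClientHello. Catching that case needs TLS metadata and flow behaviour (SNI, server certificate, a single long-lived connection with sustained two-way volume) rather than first-packet signatures, which is where a first-bytes classifier like this one stops and an application-aware firewall has to continue.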