
Report: Unauthorized Apps Run Rampant on Many Enterprise Networks

Detailed analysis of traffic on 60 enterprise networks finds broad usage of software that isn't sanctioned by IT

End users are employing unauthorized, untested applications on their companies' networks at an alarming rate, and most IT departments don't know about it, according to a report published earlier today.

Palo Alto Networks issued its "Application Usage and Risk Report," a twice-yearly study of data collected from evaluations of live traffic at enterprises that use its next-generation firewall, which can monitor application traffic at a granular level. In the new study, Palo Alto reports on traffic in 60 enterprises, representing about 960,000 users.

The key finding, according to Palo Alto, is that most enterprises are supporting traffic from applications they don't know they have -- and in many cases, don't allow.

"In the 60 enterprises we evaluated, we found a total of 290 applications," says Steve Mullaney, vice president of marketing at Palo Alto. "We found as many as 230 applications in one enterprise. The low number was 50."

What that means, according to Palo Alto, is that many companies are running applications that IT doesn't sanction, or even know about. For example, more than 80 percent of the enterprises showed some traffic from Google applications, which most companies don't use for business, and virtually all of the enterprises exhibited at least some peer-to-peer traffic, which is generally viewed as a security vulnerability and disallowed by IT.

"This is nothing new," says Mullaney. "People have been bringing applications into the corporate network for years, and IT is always the last to know. But what surprises a lot of IT people is just how widespread it is. They feel like they've got a pretty good idea of what's on their network, but often, they don't."

Some of the "extra" applications traffic comes from malware, Palo Alto says. The study found iFrame attacks in 86 percent of the enterprises, and about 200 different variations of spyware. "We're also seeing a lot more media-based attacks," such as those hidden in audio or video content, Mullaney says.

Video and other streaming media, which usually aren't required for everyday business, represent a large chunk of the bandwidth used in the corporate network, Palo Alto says. "During one week of the Olympics, we saw one company where 80 percent of the Internet video usage was from sites related to the Olympics," Mullaney says. "That wasn't part of the company's business."

Aside from the threats to security or productivity, Palo Alto also spotted some trends that indicate significant shifts in application usage. For example, the study indicates that 64 percent of HTTP traffic is linked to specific applications, rather than a Web browser. "That means that HTTP is becoming the universal protocol for application delivery," Mullaney says. "You can no longer assume that most of your HTTP traffic is from people surfing the Web."

After looking at the Palo Alto data, some of the companies in the study tried blocking or filtering the unsanctioned applications, but they received heavy pushback from users. "In a lot of cases, what they decided was to go ahead and allow a lot of the applications, but talk to the users about how to use them securely," he says. "It's sometimes better to let the user keep it above board, so that you can track it and monitor it and build a policy for using it, than to outlaw it and drive the user underground."

But in the case of applications that have a big security downside and very little business value, it might make more sense to do blocking, Mullaney advises. "There are some applications, like Tor and P2P, which have no earthly business on the network except to get around IT," he notes. "In those cases, we see companies just trying to root it out."


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...

Comments

StygianAgenda, User Rank: Strategist, 4/16/2013 | 6:49:24 PM
re: Report: Unauthorized Apps Run Rampant on Many Enterprise Networks
Regarding Tor in the workplace: Good luck with that! :)

Usage scenario: Tunnelier Portable (SSH tunneler application) configured with port forwarding.

1. User configures SSH profile.
2. User configures Client-to-Server port forwarding rules allowing connections to services they run on the remote network so that they don't have to run them locally where they'll inevitably be detected.
3. User configures Firefox Portable, KVirc Portable, and a few other portable apps to connect via HTTP/HTTPS proxy on 127.0.0.1:8118 (which is forwarded to a Privoxy + TOR + I2P proxy construct at the remote location).
4. User accesses darknet domains freely, and IT has no (or limited) ability to block or circumvent this activity.

In an alternate scenario, the user utilizes a similar construct via a Linux PC configured with GSTM (Gnome Secure Tunnel Manager) to do basically the same thing.

Personally, I've explored this option very heavily and it works fantastically to circumvent any and all network traffic filtering put in place on the corporate network, effectively allowing the user to do as they please... albeit at a reduced speed due to the overhead of the SSH-to-Privoxy-to-Tor-Tunnel... but with broadband availability being what it is today, the speed of Tor is increasing all the time, making it a much more attractive option to those that are in the know. Since Tunnelier only makes a single connection, which it keeps alive and wraps in AES256 encryption via SSH2 protocol, and OpenSSH can be configured to listen on literally any TCP port, it's *nearly* impossible to detect and block, since it can simply be tunneled in turn over HTTPS.

What many security articles overlook, although this one hints at, is the fact that many savvy corporate network users are using hacking skills themselves, but not to hack in... rather, to hack *out*, essentially giving them freedom of movement to external networks and resources.
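The article describes a firewall that identifies applications by their traffic rather than by port, and the comment above argues that SSH listening on an arbitrary port is nearly impossible to spot. The following Python is an added example, not code from the article, from Palo Alto Networks or from the commenter. It classifies constructed flow records by the protocol signature in the client's first bytes, flags a protocol seen on a port where it is not expected (SSH on 443, say), flags applications outside a sanctioned list, and separates browser HTTP from application HTTP by User-Agent, which is the distinction behind the article's 64 percent figure. The flow records, the EXPECTED_PORTS table and the SANCTIONED set are assumptions made up for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    """One outbound connection: client, server, destination port, and the
    first bytes the client sent (constructed records, not real captures)."""
    src: str
    dst: str
    dport: int
    payload: bytes


# Ports on which each identified protocol is normally expected (assumption).
EXPECTED_PORTS = {
    "ssh": {22},
    "http": {80, 8080},
    "tls": {443},
    "bittorrent": set(range(6881, 6890)),
}

# Hypothetical sanctioned-application list for this constructed enterprise.
SANCTIONED = {"http", "tls"}

HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")
BROWSER_UA = re.compile(rb"^(Mozilla|Opera)/")


def identify_app(payload: bytes) -> str:
    """Classify by protocol signature in the client's first bytes, ignoring the port."""
    if payload.startswith(b"SSH-"):            # SSH version-exchange banner
        return "ssh"
    if HTTP_REQ.match(payload):                 # plaintext HTTP request line
        return "http"
    # TLS record header: content type 0x16 (handshake), major version 0x03,
    # then handshake type 0x01 (ClientHello) at offset 5.
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    if payload.startswith(b"\x13BitTorrent protocol"):  # peer-wire handshake
        return "bittorrent"
    return "unknown"


def http_user_agent(payload: bytes) -> Optional[bytes]:
    m = re.search(rb"\r\nUser-Agent: ([^\r\n]+)", payload)
    return m.group(1) if m else None


@dataclass
class Finding:
    flow: Flow
    app: str
    flags: List[str] = field(default_factory=list)


def classify(flows: List[Flow]) -> List[Finding]:
    """Tag each flow with its identified application and policy flags."""
    findings = []
    for f in flows:
        app = identify_app(f.payload)
        flags: List[str] = []
        if app == "unknown":
            flags.append("unidentified")
        else:
            if f.dport not in EXPECTED_PORTS[app]:
                flags.append("nonstandard-port")      # e.g. SSH hiding on 443
            if app not in SANCTIONED:
                flags.append("unsanctioned")
            if app == "http":
                ua = http_user_agent(f.payload)
                if ua is None or not BROWSER_UA.match(ua):
                    flags.append("non-browser-http")  # an application, not a person surfing
        findings.append(Finding(f, app, flags))
    return findings


def non_browser_http_share(findings: List[Finding]) -> float:
    """Fraction of HTTP flows that did not come from a browser User-Agent."""
    http = [x for x in findings if x.app == "http"]
    if not http:
        return 0.0
    return sum("non-browser-http" in x.flags for x in http) / len(http)


# Constructed sample flows (not from the report); private and documentation addresses.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, b"SSH-2.0-OpenSSH_8.4\r\n"),
    Flow("10.0.0.6", "203.0.113.20", 80,
         b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0 (X11)\r\n\r\n"),
    Flow("10.0.0.7", "203.0.113.30", 80,
         b"POST /api/v1 HTTP/1.1\r\nHost: example.net\r\nUser-Agent: UpdaterAgent/1.0\r\n\r\n"),
    Flow("10.0.0.8", "203.0.113.40", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
    Flow("10.0.0.9", "203.0.113.50", 6881, b"\x13BitTorrent protocol" + b"\x00" * 8),
    Flow("10.0.0.10", "203.0.113.60", 8443, b"\x00\x01\x02not-a-known-protocol"),
]

if __name__ == "__main__":
    results = classify(SAMPLE_FLOWS)
    for r in results:
        print(f"{r.flow.src} -> {r.flow.dst}:{r.flow.dport} {r.app:10s} {','.join(r.flags) or '-'}")
    print(f"non-browser share of HTTP: {non_browser_http_share(results):.0%}")
```

The signature check only sees the outermost protocol: an SSH session wrapped inside a TLS connection, the commenter's last step, classifies as TLS and passes the port check. For that layer the defensive signal moves to the TLS layer itself (long-lived single connections to one host, certificate and server-name details that do not match any sanctioned service), which this example does not attempt; it shows why port-based allow lists alone are insufficient, not that signatures are sufficient.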