Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Shadow IT: Every Company's 3 Hidden Security Risks
Newest First  |  Oldest First  |  Threaded View
dan91266
dan91266,
User Rank: Strategist
9/17/2018 | 7:32:17 PM
Shadow IT Senior Management has to step up
Shadow IT happens when policies and procedures prevent employees from doing their work. The case of the insecure chat app in the article is a perfect example.  Unsanctioned FTP clients and back door local user names and passwords are also symptoms of this.  

This happens when senior management refuses to budget for the tools needed to secure Identity and Access  Management in a way that lets employees work efficiently or when they don't buy into those intitiatives. Finally indadaquate IT and Security staff, or undertrained staff also feeds this evil weed. 

If you make it hard or impossible for employees to work efficiently, or fail to factor your kludgy (read often "budget friendly") infrastructure into performance goals, people will find a way to work efficiently.  And why wouldn't they? If I have to get spreadsheets or reports distributed to my supply chain vendors, and that is a poor, manual process that takes a lot of time, you bet I will find a quicker way.  Nobody EVER got a raise for following policy that requires a slow, inefficient process and no review ever says, this employee did less, but they did it securely so give them a bigger raise than the ones who cheated but were more productive.

If you want your people to adher to secure processes, make those processes MORE efficient than a hacked up back door.  

Start incentivizing good behavior  instead of bad, and you will be amazed how secure things become. 

It's just that simple. 

 
BrianN060
BrianN060,
User Rank: Ninja
8/7/2018 | 6:45:14 PM
Shadow IT by any other name
Fine article from a veteran cybersecurity professional about an aspect that doesn't get enough attention.  Call it shadow IT, or something else, it comes down to data governance. 

Where Adam has "What you don't know can hurt you.", I'd add: You can't protect what you don't know you have.  You can't protect data unless you know you have it, and know where it's stored - EVERYWHERE it's stored: every copy, every version, every device, every service, every B2B partner, even the data which can be reconstituted from disparate stores and sources, even the bio-memory of your knowledge workers, past and present.  Too many places?  Next time, limit the places to where it's needed. 

For vast amounts of data, it's too late to regain control (control which was an illusion to begin with); but new data is generated all the time - you do have a chance to a better job of data governance with that.  However, if you don't have an understanding of the fundamental nature of data and information, you're bound to repeat the old mistakes even if you find new ways (or new ways find you), to do that.  Forget the idea of just protecting your "sensitive" data; in time, someone will find a way to make use of any data you leave unprotected to get at the crown jewels.

You have to start somewhere, start with this: don't put any data in front of anyone or on anything that doesn't need that specific data to do a specific job, and only while they are doing that specific task (not whenever they feel like it).  I mean a specific person, not a job title.   Make sure your authentication and authorization always resolves to an entity - not a type. 


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Machine Learning, AI & Deep Learning Improve Cybersecurity
Machine intelligence is influencing all aspects of cybersecurity. Organizations are implementing AI-based security to analyze event data using ML models that identify attack patterns and increase automation. Before security teams can take advantage of AI and ML tools, they need to know what is possible. This report covers: -How to assess the vendor's AI/ML claims -Defining success criteria for AI/ML implementations -Challenges when implementing AI
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-41340
PUBLISHED: 2022-09-24
The secp256k1-js package before 1.1.0 for Node.js implements ECDSA without required r and s validation, leading to signature forgery.
CVE-2022-23463
PUBLISHED: 2022-09-24
Nepxion Discovery is a solution for Spring Cloud. Discover is vulnerable to SpEL Injection in discovery-commons. DiscoveryExpressionResolver’s eval method is evaluating expression with a StandardEvaluationContext, allowing the expression to reach and interact with Java classes suc...
CVE-2022-23464
PUBLISHED: 2022-09-24
Nepxion Discovery is a solution for Spring Cloud. Discovery is vulnerable to a potential Server-Side Request Forgery (SSRF). RouterResourceImpl uses RestTemplate’s getForEntity to retrieve the contents of a URL containing user-controlled input, potentially resulting in Information...
CVE-2022-23461
PUBLISHED: 2022-09-24
Jodit Editor is a WYSIWYG editor written in pure TypeScript without the use of additional libraries. Jodit Editor is vulnerable to XSS attacks when pasting specially constructed input. This issue has not been fully patched. There are no known workarounds.
CVE-2022-36025
PUBLISHED: 2022-09-24
Besu is a Java-based Ethereum client. In versions newer than 22.1.3 and prior to 22.7.1, Besu is subject to an Incorrect Conversion between Numeric Types. An error in 32 bit signed and unsigned types in the calculation of available gas in the CALL operations (including DELEGATECALL) results in incor...