Shadow IT: Every Company's 3 Hidden Security Risks ...

Network Computing Dark Reading

Advertise

About Us

Oldest First | Newest First | Threaded View

[close this box]

50%

BrianN060,
User Rank: Ninja
8/7/2018 | 6:45:14 PM

Shadow IT by any other name

Fine article from a veteran cybersecurity professional about an aspect that doesn't get enough attention. Call it shadow IT, or something else, it comes down to data governance.

Where Adam has "What you don't know can hurt you.", I'd add: You can't protect what you don't know you have. You can't protect data unless you know you have it, and know where it's stored - EVERYWHERE it's stored: every copy, every version, every device, every service, every B2B partner, even the data which can be reconstituted from disparate stores and sources, even the bio-memory of your knowledge workers, past and present. Too many places? Next time, limit the places to where it's needed.

For vast amounts of data, it's too late to regain control (control which was an illusion to begin with); but new data is generated all the time - you do have a chance to a better job of data governance with that. However, if you don't have an understanding of the fundamental nature of data and information, you're bound to repeat the old mistakes even if you find new ways (or new ways find you), to do that. Forget the idea of just protecting your "sensitive" data; in time, someone will find a way to make use of any data you leave unprotected to get at the crown jewels.

You have to start somewhere, start with this: don't put any data in front of anyone or on anything that doesn't need that specific data to do a specific job, and only while they are doing that specific task (not whenever they feel like it). I mean a specific person, not a job title. Make sure your authentication and authorization always resolves to an entity - not a type.

Reply | Post Message | Messages List | Start a Board

50%

dan91266,
User Rank: Strategist
9/17/2018 | 7:32:17 PM

Shadow IT Senior Management has to step up

Shadow IT happens when policies and procedures prevent employees from doing their work. The case of the insecure chat app in the article is a perfect example. Unsanctioned FTP clients and back door local user names and passwords are also symptoms of this.

This happens when senior management refuses to budget for the tools needed to secure Identity and Access Management in a way that lets employees work efficiently or when they don't buy into those intitiatives. Finally indadaquate IT and Security staff, or undertrained staff also feeds this evil weed.

If you make it hard or impossible for employees to work efficiently, or fail to factor your kludgy (read often "budget friendly") infrastructure into performance goals, people will find a way to work efficiently. And why wouldn't they? If I have to get spreadsheets or reports distributed to my supply chain vendors, and that is a poor, manual process that takes a lot of time, you bet I will find a quicker way. Nobody EVER got a raise for following policy that requires a slow, inefficient process and no review ever says, this employee did less, but they did it securely so give them a bigger raise than the ones who cheated but were more productive.

If you want your people to adher to secure processes, make those processes MORE efficient than a hacked up back door.

Start incentivizing good behavior instead of bad, and you will be amazed how secure things become.

It's just that simple.

Reply | Post Message | Messages List | Start a Board

Hot Topics

Editors' Choice

Sodinokibi Ransomware: Where Attackers' Money Goes

Kelly Sheridan, Staff Editor, Dark Reading, 10/15/2019

Data Privacy Protections for the Most Vulnerable -- Children

Dimitri Sirota, Founder & CEO of BigID, 10/17/2019

Live Events

Webinars

[Video] Shaping the Future of IT CIO Lightning Series - Interop19

[Video] An (Ir)rational Approach to Interoperability - Interop19

More Informa Tech Live Events

White Papers

IDC Workbook: Cloud Security Roadmap

9 Ways Cybercriminals Disrupt Business Operations

7 Experts Discuss Evaluating MSSPs

How to Combat Island Hopping

How to Combat Spear Phishing

More White Papers

Video

All Videos

Cartoon

Latest Comment: Check outthe latest from Dark Reading cartoonist John Klossner!

Cartoon Archive

Current Issue

7 Threats & Disruptive Forces Changing the Face of Cybersecurity

This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.

Download This Issue!

Back Issues | Must Reads

Flash Poll

All Polls

Reports

2019 Online Malware and Threats

As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?

Download Now!

The State of IT Operations and Cybersecurity Operations

0 comments

How Enterprises Are Developing Secure Applications

0 comments

The State of Cyber Security Incident Response

0 comments

More Reports

Twitter Feed

Tweets about "from:DarkReading OR @DarkReading"

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2019-13545
PUBLISHED: 2019-10-18

In Horner Automation Cscape 9.90 and prior, improper validation of data may cause the system to write outside the intended buffer area, which may allow arbitrary code execution.

CVE-2019-13541
PUBLISHED: 2019-10-18

In Horner Automation Cscape 9.90 and prior, an improper input validation vulnerability has been identified that may be exploited by processing files lacking user input validation. This may allow an attacker to access information and remotely execute arbitrary code.

CVE-2019-17367
PUBLISHED: 2019-10-18

OpenWRT firmware version 18.06.4 is vulnerable to CSRF via wireless/radio0.network1, wireless/radio1.network1, firewall, firewall/zones, firewall/forwards, firewall/rules, network/wan, network/wan6, or network/lan under /cgi-bin/luci/admin/network/.

CVE-2019-17393
PUBLISHED: 2019-10-18

The Customer's Tomedo Server in Version 1.7.3 communicates to the Vendor Tomedo Server via HTTP (in cleartext) that can be sniffed by unauthorized actors. Basic authentication is used for the authentication, making it possible to base64 decode the sniffed credentials and discover the username and pa...

CVE-2019-17526
PUBLISHED: 2019-10-18

** DISPUTED ** An issue was discovered in SageMath Sage Cell Server through 2019-10-05. Python Code Injection can occur in the context of an internet facing web application. Malicious actors can execute arbitrary commands on the underlying operating system, as demonstrated by an __import__('os').pop...

To save this item to your list of favorite Dark Reading content so you can find it later in your Profile page, click the "Save It" button next to the item.

If you found this interesting or useful, please use the links to the services below to share it with other readers. You will need a free account with each service to share an item via that service.
Tweet This
[close this box]