Shadow IT is invisible. It may not be on the asset list because the asset management list is incomplete. It may not have an assigned owner because it does not fit well with the business unit, or because it is irrelevant to current operational priorities but has not yet been fully retired. It may have been installed outside of the normal process without permission or because the normal process was overridden.
If your internal network is left to its own devices, over time it will accumulate systems and data that shouldn’t be there. The time and money available to build and maintain systems are always finite, and without increasing investment it is almost inevitable that resources will be focused on business as usual (BAU) rather than on maintaining or redesigning existing infrastructure to accommodate new projects or business growth. When new functionality is needed, it is often implemented as a quick fix or bolted onto an existing system to reduce the upfront investment the project requires.
Problems accumulate over time due to the decisions individuals make. And there are usually legitimate business pressures behind those decisions. When legacy systems are no longer needed, you may not have time to decommission them, as developing new functionality requires attention elsewhere.
As you migrate from one business process to a new one, you may have to keep many legacy systems running to support customers who do not want to move to the new platform. If you decide to introduce a new set of security controls across your current inventory, you may be able to save significant costs by deploying those controls only on active production servers and skipping legacy systems and development hosts. You may not have the luxury of monitoring everything, so you focus on the systems that matter most to day-to-day business operations.
Each of the above examples has some form of business imperative, such as prioritization of innovation, focus on business development, budget constraints, need to meet deadlines, need to have backups. The challenge for all organizations is that each of these decisions will have an unforeseen negative impact on cybersecurity resilience over time as technical debt mounts.
Shadow IT infrastructure doesn’t seem to matter much when you’re working on a business impact assessment. It may not hold critical data assets and may not support critical production processes. If it goes offline, you probably won’t notice, and BAU probably won’t be affected. In some cases, however, it seriously compromises the security of other systems.
Imagine a typical attack. Attackers launch a phishing campaign against employees and, with luck, gain a foothold on a workstation inside your infrastructure. For attackers, this is rarely the end. Attackers want what’s inside your databases: intellectual property, customer data, credit card information, and so on. The foothold is just the beginning. Attackers want to move laterally through the network, escalating their privileges and strengthening their position until they can achieve their goals.
Attackers are always trying to find a path from their current point of entry to their destination. In other words, they map a route to the target. When we attack an organization the way an adversary would, shadow IT within the network is our first port of call. This is where we often get the easy wins that let us extend our privileges.
In centralized authentication environments such as Active Directory networks, compromise of a single unmaintained server almost always leads to compromise of the entire network because of exploitable trust relationships. Compromising the centralized authentication mechanism is usually one of the key steps toward achieving the attacker’s goals. Compromising Active Directory grants access to every system and application that uses Active Directory for authentication, and through them to the data of interest. If there are legacy systems that are Active Directory member servers but are not part of the normal patch cycle, we can leverage those legacy systems to advance our goals. Undocumented web applications, test platforms, backups, and database services are also prevalent, and they often give us the edge we need to take control of the internal AD environment.
Unapproved file shares are common, but they are usually created as a convenience for a specific purpose, such as collaborating on projects, migrating systems, or ad-hoc documentation. These are often old, but the information contained in these file shares is often useful (account credentials, backup files, documents, etc.).
Network-wide security gaps are often most visible in shadow IT. We often find accounts with weak passwords, manufacturer defaults, passwords shared with other systems, or password patterns that are prevalent among system administrators within the organization. Because these systems, applications, and file stores are undocumented, they never get cleaned up.
We often store sensitive information somewhere temporarily and then forget about it. Some of you reading this have probably written a password into a text file at some point in the past and saved it to your workstation or a file share. Some people may have backed up working configuration files to a file share without realizing that they contain database credentials or server component keys. Shadow IT is also one reason why a rigorous, compliance-based approach to cybersecurity only gets you so far. For example, if you measure internal system patching as a security key performance indicator (KPI) and report a 99% patching success rate, an attacker will find the 1% of servers that are not patched. And even if you report a 100% patching success rate, it is imperative to ensure that all servers are included in that measurement. If there are servers that are not enrolled in asset management, they are not part of your patch management process either, and you may be inadvertently exposed.
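The patching-KPI point above, and the earlier point about Active Directory member servers outside the patch cycle, can be checked by reconciling the patch tool’s enrollment list against an independent asset source such as AD computer objects. The following is an added example, not code from the original article; the data sets are constructed and the field names are hypothetical.

```python
"""Reconcile patch-management coverage against an independent asset source.

Added example (not from the original article). The AD export and the
patch-tool records below are constructed samples; field names are hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    last_logon: date          # AD lastLogonTimestamp, constructed
    owner: Optional[str]      # CMDB owner; None if nobody owns the box


# Constructed sample: domain member servers according to Active Directory.
AD_COMPUTERS: List[Host] = [
    Host("web01", "Windows Server 2019", date(2024, 5, 1), "web-team"),
    Host("web02", "Windows Server 2019", date(2024, 5, 1), "web-team"),
    Host("db01", "Windows Server 2022", date(2024, 5, 1), "dba"),
    Host("legacy-erp", "Windows Server 2008 R2", date(2024, 4, 30), None),
    Host("test-sql", "Windows Server 2012 R2", date(2024, 4, 29), None),
    Host("backup-old", "Windows Server 2012", date(2023, 11, 2), None),
]

# Constructed sample: hosts enrolled in the patch tool and their last result.
PATCH_RECORDS: Dict[str, str] = {"web01": "success", "web02": "success", "db01": "success"}


def reported_kpi(records: Dict[str, str]) -> float:
    """The KPI as the patch tool reports it: successes over hosts it knows about."""
    ok = sum(1 for r in records.values() if r == "success")
    return ok / len(records)


def reconcile(ad_hosts: List[Host], records: Dict[str, str], as_of: date, stale_days: int = 90) -> dict:
    """Measure coverage against AD, so hosts the patch tool never saw still count."""
    active = [h for h in ad_hosts if (as_of - h.last_logon).days <= stale_days]
    unenrolled = [h for h in active if h.name not in records]
    patched = [h for h in active if records.get(h.name) == "success"]
    return {
        "reported_kpi": reported_kpi(records),
        "true_kpi": len(patched) / len(active),
        "unenrolled": sorted(h.name for h in unenrolled),
        "unowned": sorted(h.name for h in unenrolled if h.owner is None),
        "stale": sorted(h.name for h in ad_hosts if h not in active),
    }


if __name__ == "__main__":
    print(reconcile(AD_COMPUTERS, PATCH_RECORDS, date(2024, 5, 2)))
```

With the constructed data the patch tool reports 100% success while only 60% of the servers AD says are active were actually patched; the unowned, unenrolled hosts are the shadow IT to chase down, and the stale computer object is a candidate for decommissioning.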
In the security field, we often talk about “advanced persistent threats,” but we tend to get stuck on the “advanced” part. “Advanced” is dangerous, but “persistent” is the most worrisome. You could have thousands of servers that are properly registered with IT management, fully monitored and fully patched, and one undocumented server that is neither patched nor monitored. I can’t imagine an adversary not taking the time to find that weakness. Once a persistent adversary is inside your network, they won’t stop until they reach their goal. If that means checking thousands of servers, reading thousands of files, or accessing thousands of databases, they will pay that price to achieve their goals. If you want to defend against a persistent adversary, you need to be equally persistent in comprehensive asset management and in maintaining a thorough understanding of where and how your systems and data are used. An adversary who wants to break through your defenses only needs to get lucky once. You must always be on your guard.