What Lurks in the Shadow

What Lurks in the Shadow

Addressing the Growing Security Risk of Shadow IT & Shadow Data

By @3ncr1pt3d

Cheryl Biswas

•

• Works for: JIG Technologies

• Does what exactly: security researcher, analyst, writer of things

• Trekkie, techie, maker, baker

• Bridging the gap between tech and non-tech

Necessary Disclaimer: All content is my own and does not reflect the opinions of my employer

09/11/2015BSidesTO: What Lurks In The Shadow by

@3ncr1pt3d2

Security Lords09/11/2015

BSidesTO: What Lurks In The Shadow by @3ncr1pt3d

3

Faster. Better. More. Tech. 09/11/2015


4


@3ncr1pt3d5

#GenMobile


@3ncr1pt3d6

#GenMobile “For the security of company data and IT systems, there may be cause for concern”.(http://www.arubanetworks.com/mobileriskindex/)

http://www.arubanetworks.com/mobileriskindex/


@3ncr1pt3d7

BYoD


@3ncr1pt3d8

Internet of So. Many. Things

The Human Factor

Fear of the Unknown


@3ncr1pt3d9

The Dark World

Shadow IT/Shadow Data


@3ncr1pt3d10

In the Land of Mordor

Where the Shadows Lie

Keep it secret, keep IT safe


@3ncr1pt3d11


@3ncr1pt3d12

“Employees in every cubicle are using Box, Workday and Salesforce, and they’re not waiting for IT’s permission to do so. They’re using their own apps on their own devices. Many are spinning up servers in the cloud for infrastructure in the cloud, a practice dubbed bring your own server. So privilege is now being consumerized like apps and devices.”

- Forbes

- ZDNET

“When you agree to BYOD policies, you put employees within the security chain”.


@3ncr1pt3d14

Bad Apples09/11/2015


15

Pass on the Passwords• 51% Single password/numerical PIN

• 58% NO policies of software to enforce better passwords

• 56% Shared passwords

• 17% Used company-provided password mgr

• 60% Accessed confidential corporate data


@3ncr1pt3d16


@3ncr1pt3d17


@3ncr1pt3d18

Unprotected and Connected

• questionable WiFi networks via the local coffee shop hotspot

• unapproved cloud storage

• really, really bad USB


@3ncr1pt3d20


@3ncr1pt3d21

Securitymeans never having to say you’re sorry


@3ncr1pt3d22

Cyber Insurance


@3ncr1pt3d23


@3ncr1pt3d24

A culture of indifference. Sharing as the norm – devices, data, passwords

Indifference towards security – the assumption that security is somebody else’s problem; not worried about their own responsibility

Self-empowerment succeeds over existing rules (Aruba Networks)

“Businesses are ill-prepared for the attitude of next generation employees who own mobile devices, and may be placed at risk as the BYOD trend causes fractures in security enforcement.”

- ZDNet


@3ncr1pt3d26

Alien Vault Insider Risk Matrix


@3ncr1pt3d27

“All identities are not created equal”

With great power comes great responsibility


@3ncr1pt3d28

Great Power, Great Responsibility

• 92% orgs have user monitoring

• 56% handle privileged identity mgmt.

• 58% corps do regular password updates

• 60% IT decision makers share creds

• 52% share creds with contractors

>20% analyze or audit privileged access


@3ncr1pt3d29

“IT departments often give non-technical executives (e.g. VP of Sales, CEOs, CFOs, etc.) broad privilege inside corporate applications, figuring it is better to give too much freedom to upper management than get yelled at when someone can’t create a report.”

- Forbes


@3ncr1pt3d30


@3ncr1pt3d31

“It is scary to think that this many people consider it normal for employees to have access to data that they shouldn’t have and for companies to not know where their missing data has gone.”

- David Gibson, VP at Varonis.

The Loss of Privilege


@3ncr1pt3d32

The hearts of men are easily corrupted. And the ring of power has a will of its own...


@3ncr1pt3d33

Time for

a little talk about

B I GData


@3ncr1pt3d34


@3ncr1pt3d35

Who Touched the Data?

“It’s not good enough to merely resist the rise of BYOD, if people can still access corporate e-mail

when they get home…”John McAfee


@3ncr1pt3d36


@3ncr1pt3d37


@3ncr1pt3d38


@3ncr1pt3d39


@3ncr1pt3d40

What’s Mine is Mine & What’s Yours is Mine Too


@3ncr1pt3d41

Sh*tpostsfrom the

Trenches


@3ncr1pt3d42


@3ncr1pt3d43


@3ncr1pt3d44


@3ncr1pt3d45


@3ncr1pt3d46


@3ncr1pt3d47

Let’s do a little Demo

https://www.shodan.io/

https://www.shodan.io/

Country. Company. Device. Password

Default09/11/2015


49


@3ncr1pt3d50


@3ncr1pt3d51

So Where Do We Go From Here?

“Just Say No.”


@3ncr1pt3d52

Current rules can’t apply when the game itself

has changed.What was working isn’t working now


@3ncr1pt3d53

Least Privilege: “Every program and every user of the system should operate using the least set of privileges necessary to complete the job. Primarily this principle limits the damage that can result from an accident or error.”

- SALTZER, J.H. and SCHROEDER, M.D.


@3ncr1pt3d54

We’ve taken the lid off Pandora’s box. I don’t think it ever goes back on.


@3ncr1pt3d55


@3ncr1pt3d56

What Are We Missing

• Training and Awareness

• Inventory and Monitoring

• Secure Hi-Value Assets

• ????


@3ncr1pt3d57

The Cloud


@3ncr1pt3d58

No Idea What They’re Using,No Idea What They’re Losing

• 15x more cloud services used to store critical data than CIOs authorized

• IT says 51 active cloud services. Survey says 730

• Use growing exponentially.

• 1000 external services per company by 2016


@3ncr1pt3d59

30% of business critical info is in the cloud.

Most cloud apps are third party apps.

- Ponemon Institute


@3ncr1pt3d61

Shadow ITisn’t

going anywhere …

Gartner says so


@3ncr1pt3d62


@3ncr1pt3d63


@3ncr1pt3d64

To Build a Better Mousetrap,Draw A Bigger Circle


@3ncr1pt3d65

The Way Forward

• Ask what users really need and want

• Show the CSuites why we are their strategic partner

• Shift gears and adapt

• Projections based on Cloud, Big Data, Everything as a Service


@3ncr1pt3d66

As for that one ring that rules them all …

The World has changed. And so must

we.


@3ncr1pt3d67

Thank You So Much!

BSidesTO

Contact Deets: @3ncr1pt3dca.linkedin.com/in/cherylbiswashttps://whitehatcheryl.wordpress.com/


@3ncr1pt3d68


@3ncr1pt3d69

What Lurks in the Shadow

Technology