What Lurks in the Shadow

BSides Las Vegas 2015 · 22:44 · 7 views · Published 2016-12
Speaker: Cheryl Biswas
Category: Technical
Style: Talk
About this talk
Shadow IT and shadow data pose an unprecedented security risk as employees bring personal devices and bypass corporate controls to get work done faster. The talk explores BYOD culture, privilege creep, unpatched systems, and the rise of mobile workforces, then proposes defenses including least-privilege access, inventory tracking, and cloud-app visibility tools.
Original YouTube description:
PG - What Lurks in the Shadow - Cheryl Biswas Proving Ground BSidesLV 2015 - Tuscany Hotel - August 05, 2015
Transcript (en):

Okay, we're going to get started with our next talk. I'm going to introduce Cheryl Biswas, who's going to be speaking on What Lurks in the Shadows.

Hi everybody, welcome, and it is really great to be here. So I am Cheryl Biswas, and my talk today is What Lurks in the Shadow: addressing the growing danger, the risk of shadow IT and shadow data. But first, it is five o'clock, so here's the deal: every time you hear me say BYOD, I want you to take a sip if you've brought something with you. Okay? All right, a little bit about me. I'm the associate security officer with JIG Technologies in Toronto, Canada, and I'm also an analyst, researcher and writer. I've always loved tech, and I think I discovered my inner hacker when I learned how to use computers by teaching myself, and then I discovered infosec about a year ago and I never want to leave. So the opinions in this piece are my own.

There was a time when the security lords ruled and mere mortals only had the devices they were granted and the access that they were given. Companies had standards, you remember those? If you wanted a better, faster printer, well, it had to be on the approved equipment list. If you wanted the latest and greatest version of Microsoft Word, too bad, not until the company was ready to roll that out, and if the company wasn't ready, well, you were out of luck. The decisions took time and you didn't always get the answer that you wanted. It was easier then to regulate things because there were fewer things to regulate. Mobility wasn't an issue because it wasn't even a consideration. The available tech was enough to get the job done, but that's the problem, because tech is always evolving to do more, better and faster. Well, how do you do more, better and faster? Anybody? One word: mobile. Because the internet had become this happening place, and you could sign on any time to do anything. You could access all the data that you wanted when you wanted it, but only with the newest, fastest stuff, and was that on the approved standards list? No. Regulating tech was getting in the way of getting stuff done, and that's when security became an inconvenience.

So what did people do to get what they wanted? BYOD. Everyone brings anything into work and they plug it in. Be afraid, be very afraid, because we can't see all the stuff all the time. So what do you do? Do you accept it, regulate it, do you ban it? Well, according to Ponemon, seventy-four percent of companies are adopting BYOD policies. They need visibility into all devices on or around their networks, because the reality is that employees can and often will bypass your policy, sometimes by accident and sometimes on purpose, which is bad because now there is the Internet of Things, yet even more stuff that plugs in. And who uses all the stuff? People. They are the unknown quantity and they are the constant variable in a security equation we just cannot seem to solve, which, for infosec anyway, is a very real fear of the unknown. What do they do with all those devices, and what do they do with all that stuff, with all the data? How do we control what we don't know? Welcome to the Mordor of security, where the Eye of BYOD reigns supreme. Easy-to-use devices are everywhere. They're creating an unprecedented level of user entitlement, and a little knowledge has become a very dangerous thing as people continue to plug in and help themselves to data and to network access.

So what happens when employees and users take it upon themselves to decide what devices they want to use and how they want to implement them? Shadow IT, shadow data. So here's the deal: as the Internet of Things proliferates and human nature takes its course, we cannot out-engineer human susceptibility and failings. So that device, and the freedom to use it as the user sees fit, will override anything that we've got in place. And then there are the tech-savvy staff who take it upon themselves to do their own IT under their own autonomy, also known as the rogue IT department, because hey, who needs guidelines when you've got Google? And in the world of shadow IT and shadow data, rules are known but they're not observed, risks are taken regardless of known consequences, and keeping it secret definitely does not keep it safe. We've got a problem, and it's more than just devices. In our corporate realm we've got regular users and super users, for good reason: we need privileges in order to do certain things, and then we need privilege hierarchies to establish the right levels of access. But here's the problem: with great power comes great responsibility, and so with those higher levels of privilege come higher levels of risk.

The problem is that what we're seeing here, happening in organizations and companies, is a less discriminating assignment of privilege. According to Ericka Chickowski, while ninety-two percent of organizations in the United States have some user monitoring in place, only fifty-six percent are handling privileged identity management, and almost a third of those companies don't have somebody actually analyzing or even auditing how and when employees or contractors are getting that privileged access onto systems, even on a bi-weekly basis. I've got a question for you: how many of you do regular password updates? See, that's good. So we've got about fifty-eight percent of organizations doing them. Now, what percentage of IT decision-makers do you think share their credentials with other employees? Shout out a number. How much? Yeah, actually, that's very good. Yeah, well, they're rounding it at about sixty percent, but I think that's low-balling it. Yes, and from 200 of those decision-makers, they found that fifty-two percent of US-based IT employees, that's just in the US, share their credentials with contractors. I think we know all about this one: IT departments often give non-technical execs broad privileges because it's easier to give more freedom than it is to get yelled at, but now this approach is extending down into the ranks of ordinary employees.

So we have all these devices and a pervasive BYOD culture demanding access to the networks and to the data, all that lovely big data. Oh, the pressure, right? So we comply, and we keep opening doors that we should just keep closed, and as the culture grows, so does this sense of entitlement, and it spreads like a shadow across organizations. For businesses, it's a cost-saving measure and a convenience, but businesses really need to keep this in mind: when you agree to BYOD policies, you put employees within the security chain. Privilege loses its meaning when that account status is being freely handed out. Yes, we've got cutbacks and reductions, and that means fewer guardians at the gate for IT, but we're under constant pressure to keep things running and to meet deadlines, so we resort to the path of least resistance and we look to simplify the process. Yeah, sure, why not enable users to solve problems for themselves and elevate their status? Or why not let marketing have access to all of that, because they're just running reports, right? Or sure, we'll just let people update the social media accounts, because really, what can go wrong?

Well, is there a problem? We know there is, because all the hacker needs is that one password to get in, and once in, they can find their way through the labyrinth of security as easily as a rat through a series of tunnels. Everybody remember when the Cyber Caliphate hacked the US military CENTCOM's Twitter? Right, the social media ones, same deal. Those accounts with elevated privilege are prized by hackers. According to Verizon's 2015 Data Breach report, these passwords are worth their weight in gold because they've got root, admin and read-write access for critical infrastructure and data and other applications. Well, we know what happens when security patches aren't updated and how easy it is for hackers to exploit those flaws. We've just been through a rash of zero-days, thank you Hacking Team. Let's see, there was Adobe Flash, there was Internet Explorer, there's always WordPress, and then this past fall, who can remember, no, who can forget Shellshock and Bash, which we are still seeing today. It's one thing to try and keep all of our corporate devices patched, but try enforcing that with individuals.

So what happens when individuals operate as individuals and they make independent decisions about data storage and transmission? This is why we can't have nice things. I found this great graph by AlienVault, so it's the threat matrix, and it shows a variety of risks that we're familiar with: we've got disgruntled employees, user errors, we've got espionage, but by far the biggest circle in there is shadow IT, and it's about intent: frustrated users jumping the barriers that we've put in place for their own security and then risking everyone's security. Internal employees and contractors, well, they're setting up wireless LAN access points for themselves. We've got people using personal tech for business functions with no formal BYOD policies in place to govern them, and then we've got people sending sensitive, confidential information across unsecured channels like Skype without any regard for compliance or regulation, and we're talking HIPAA data here.

So what do you do when your greatest security risk comes from within? Welcome to GenMobile. According to Aruba Networks, this is the mobile workforce we now have, and they're part of the enterprise realm. They are flexible, transparent and a collaborative presence within our workforce, and for the security of company data and IT systems, there may be cause for concern. Hmm, I wonder why. Now I have a question for you: what percentage of workers do you think take it upon themselves to do their own IT, self-service IT? Anybody? Okay, yeah, it's very close to eighty percent, seventy-seven percent according to Aruba. I say hello, shadow. And businesses just aren't ready. They didn't see this coming, so they didn't put provisions in place. Stats show that over thirty-seven percent of them don't have a mobile security policy in place, and as for enforcing things like password protection on mobile corporate devices, one in five users do not do that. We're battling the culture of indifference. We've got people sidestepping company policy in favor of expediency, which happens everywhere, every day, because it's easier just to download the software than it is to go through corporate policy. Again, in that recent study by Aruba Networks, 11,500 workers were surveyed across 23 countries. Hands up if some of these things are problems you're dealing with on a daily basis: sharing is the norm, of devices, data and passwords; that indifference towards security, it's somebody else's problem; that self-empowerment. Yeah, and thank you. They caution that businesses are ill-prepared for the high-risk, high-growth mindset of the GenMobile workforce.

Now I'm going to show you a little demo I did. Has everybody here heard of Shodan? If not, it's very cool. So this site lets you see all the internet connections in real time, and you can do a variety of searches: you can go by device, by country, by company, by password. And what happens if we enter "default" in it? Well, let's just say there are a whole lot of devices out there with default, this is very current, still as that password. So what happens if I modified the search a little, which I did, and I looked specifically within the highest-ranking country, and I found the highest-ranking city, which was Brooklyn, and then I zoomed in on Brooklyn, and you can see that's a street and there's an actual building there, and I can see a whole lot more than makes me feel comfortable. That's Shodan. I shouldn't be seeing that stuff, nobody should be seeing it, right? It really is that bad.

So how do we regulate a society that's essentially device-driven? Because it isn't just the servers and the desktops at the office. Everywhere we go and anything we touch, we're connected. We're talking Fitbits, Apple Watches, smartphones, flash drives. The ability to portably plug in and then help ourselves is one we don't fully understand, and we've lost any control over that we even had. Current rules can't apply when the game itself has changed, and clearly what was working is no longer working. Just say no? If only it were that easy. So maybe it's a matter of regaining control. Could we get corporations to adopt and enforce the rules of least privilege? Well, the original concept came about 40 years ago and you could reference that paper back to SANS, but I think we've moved past that point. The reality is that this is a hard concept to sell, and that's before we've even let the genie out of the bottle. So are you guys going to be the ones to claw back the access and restrict all those devices? Training and awareness are a given, and if we do them regularly and not reactively, it'll pay off, because knowledge is power and it can help us create the culture that we need to forge security out of insecurity. And then there's inventory and monitoring, and these are musts. In fact, current and complete inventories are essential to your first line of defense, according to SANS. And what about high-value assets that need to be secured the most? But this is about what we're not capturing. If we're really going to catch stuff in time, what we need is to be tracking all the people and all their devices all the time.

We could keep asking nicely, but when that doesn't work, we need to get our heads in the cloud. How many of you are having issues with a cloud-based free-for-all at your workplace? Yeah. So cloud apps are just information pipelines for users, and they're data storage dumps for corporations. What we need is to be able to understand what user trends are, how those applications are working and what's getting duplicated, and the good news is there's stuff out there now that could help us do this. This is Netskope, which came about late 2013. So if you want to know who's been sending what up into the cloud, Netskope claims that it can help you do that. It acts as cloud application analytics and security, and it's designed to help CIOs tackle the accelerating shadow IT conundrum. And if IT has become an all-access pass to apps wherever you are, well, Skyfence claims it can help you rein that in. It's designed to help you enforce data leakage policy, and it uses all the right buzzwords: visibility, compliance, shadow IT. It is all about taking back control. But then there's this: keep your friends close but your enemies closer. Now, this may sound radical, but what if we found a way to work with the people who keep jumping and bypassing the rules?

[Note from the video producer:] Hello folks, Irongeek here. Unfortunately, no one was watching the camera at this time and it looks like the media froze up again, so we don't have audio or the speaker moving for the rest of this video. Sorry for the inconvenience.