"Shadow IT" is a name often given to Information Technology systems used within an organization without proper authorization. But in order for Shadow IT to exist, there has to be enablers encouraging and/or providing a way. This talk looks at some of the enablers of Shadow IT, and proposes one mitigation towards dealing with the problem.

1. Shadow IT and the
Shadowing of IT
SAMUEL GREENFELD
SOUTH FLORIDA ISSA MEETING - 15 JUNE 2017

2. Disclaimer
This is a Personal Presentation
Not my current/past/future employers’
Not any past/future schools’ either

3. What is Shadow IT?
Users using Information Technology services within an organization other than those officially
supported & allowed
◦ Sometimes entire departments
◦ Sometimes with the tacit/implicit permission of others
Could be due to things such as:
◦ Lack of known internal services, or they don’t meet a need
◦ Bureaucracy
◦ The user(s) simply not caring

4. IT Being Shadowed
Users are getting more tech savvy, but they cannot do everything on their own
In order to use many Shadow IT services, users often have to bypass safeguards, or be
encouraged to use them
Goes beyond just Shadow IT to Suppliers & Third Parties obtaining company data

5. Reactive Responses
Port blocking/restricting:
◦ Result: Everything starts running over HTTP/HTTPS (TCP Ports 80/443)
SSL Interception
◦ Certificate Pinning
Users not given admin rights, often don’t update things
◦ Automatic Updaters
◦ Just run everything out of the user’s home directory

6. Social Engineering
Recommended Reading: http://www.tristanharris.com/
Make it as easy as possible to do the desired action, and hard as possible not to do it
◦ UI design changes
◦ Constant pestering via mail/notifications/etc.
◦ App settings reset on logoff, new settings added and enabled with updates, & things requiring group
policy/registry keys/obscure ways to shut them off
◦ Gamification – our brains are easily addicted to intermittent, random rewards
◦ Only so much of an attention span any human can keep
◦ Includes any rules/security training you’re giving them!

8. Fear of Missing Out

9. Wear someone out, then ask at the end

10. Users like Easy
Wesabe vs Mint (Yodlee)
◦ Think of all the secondary information they got
Only have to type passwords once during signup, or link to Google/Facebook/etc.
◦ Make it as easy to get in as possible, hard to get out
Never have to see the EULA or terms of service
Better to ask forgiveness than permission

11. App Permissions

12. Non-Obvious Permission Usage
Ultrasonic (Microphone & speaker based) & Bluetooth Beacons
Periodic geolocation
Permission usage when app not actively being used
Additional functionality added later within an allowed permission set
Shared Android filesystem space
Proximity detection – both to suppliers’ locations as well as competitors’
◦ Home/work – where you are during certain hours of the day when you don’t move as much

13. Data Aggregation

16. Stuff At the Edge of Regulations

17. Sold a Product, and then your
Usage is Sold

18. Stuff you cannot control

19. Analytics
Often used to see how users generally interact with the Application, Operating System, or
Website, and what problems they may encounter
Multiple Systems (Dual, Triple, sometimes even 20+) in a single app or website
◦ Found in certain IT security products – vendors will say “it’s documented!”
◦ May be on by default
◦ May need several individual controls to shut off, if they can be shut off
◦ May be subject to firewall bypass rules generated by/within said product
◦ The Ghostery plugin is one way to view these for websites

23. Machine Learning

24. Machine Learning (2)
http://www.evolvingai.org/fooling

25. Privacy Policies (Easy)

26. Privacy Policies (Maybe OK?)

27. Privacy Policies (Gibberish)
“Individual identifying information such as…”
“Non-individual identifying information such as…”
The “such as” collected always sounds non-threatening. What is not listed often is not.
Often the “Non-individual” information is enough (on its own or in combination with other
resources) to identify individuals
◦ Serial Numbers
◦ IP Addresses
◦ Everything but a person’s name
What happens with a company is acquired?

28. Benefits of IT Being Shadowed
Herd Immunity
◦ Antivirus/whitelisting
◦ Bug reports/Patches
Feature Adding/Removal Decisions
Changes in Usage Design
Performance
◦ Larger/more important customers may be more likely to opt-out and/or block Analytics

29. Everyone still tries to be a member of
a herd (and often more than one)
EULA’s and their placement/treatment
Infinite scrolling news sites
Login/signup forms swapping
Non-Disclosure/Non-Compete Agreements

30. The Search for the Silver Bullet
Everyone still wants to aim for zero data loss
Everyone still wants their own big data hoard, and believes it is uniquely valuable

31. Everyone’s a Hypocrite
“My data is uniquely valuable and important”
“I am allowed to find out as much as I want to about you, but you are not allowed to do the
same for me”

33. What we should be designing for

34. Conclusion
It is impossible (or at least impractical) to zero out the possibility of data loss
Instead of designing for zero data missing & then handling the exceptions, I think we need to
design with the expectation that data loss will occur

35. Questions?
https://www.slideshare.net/SamuelGreenfeld/shadow-it-and-the-shadowing-of-it/