"Shadow IT" is the name commonly given to Information Technology systems used within an organization without proper authorization.
But for Shadow IT to exist, there have to be enablers: something encouraging it and/or providing a way.
This talk looks at some of the enablers of Shadow IT and proposes one mitigation for dealing with the problem.
1. Shadow IT and the Shadowing of IT
SAMUEL GREENFELD
SOUTH FLORIDA ISSA MEETING - 15 JUNE 2017
2. Disclaimer
This is a Personal Presentation
Not my current/past/future employers’
Not any past/future schools’ either
3. What is Shadow IT?
Users using Information Technology services within an organization other than those officially supported & allowed
◦ Sometimes entire departments
◦ Sometimes with the tacit/implicit permission of others
Could be due to things such as:
◦ No known internal service, or the ones that exist don’t meet the need
◦ Bureaucracy
◦ The user(s) simply not caring
4. IT Being Shadowed
Users are getting more tech savvy, but they cannot do everything on their own
In order to use many Shadow IT services, users often have to bypass safeguards, or be encouraged to use them
This goes beyond Shadow IT proper, to suppliers & third parties obtaining company data
5. Reactive Responses
Port blocking/restricting:
◦ Result: everything starts running over HTTP/HTTPS (TCP ports 80/443)
SSL/TLS interception:
◦ Undermined by certificate pinning (pinned apps simply fail behind the intercepting proxy)
Users not given admin rights often don’t update things, so vendors respond with:
◦ Automatic updaters
◦ Just running everything out of the user’s home directory (no admin rights needed)
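As an added example (not part of the talk or its slides), the following Python flags running executables that live in user-writable directories, which is what the last two bullets describe: self-updating applications installed under the user’s profile so that no admin rights are needed. The process inventory, user names, product names (SomeChatApp, filesync) and the directory prefixes are constructed assumptions; in practice you would feed it process paths from EDR, `tasklist` or `ps` output and tune the prefix list for your estate.

```python
from pathlib import PureWindowsPath, PurePosixPath

# Directory prefixes a non-admin user can normally write to.
# Assumption: typical Windows and Linux/macOS layouts; extend for your estate.
USER_WRITABLE_WINDOWS = (
    r"C:\Users\{user}\AppData\Local",
    r"C:\Users\{user}\AppData\Roaming",
    r"C:\Users\{user}\Downloads",
    r"C:\Users\{user}\Desktop",
)
USER_WRITABLE_POSIX = (
    "/home/{user}/.local",
    "/home/{user}/Downloads",
    "/home/{user}/bin",
    "/tmp",
)

# Constructed sample inventory of (user, executable path).  The product
# names (SomeChatApp, filesync, Browser) are placeholders, not real software.
SAMPLE_PROCESSES = [
    ("alice", r"C:\Program Files\Browser\browser.exe"),
    ("alice", r"C:\Users\alice\AppData\Local\SomeChatApp\Update.exe"),
    ("alice", r"C:\Users\alice\AppData\Local\SomeChatApp\app-1.2.3\SomeChatApp.exe"),
    ("bob", "/usr/bin/ssh"),
    ("bob", "/home/bob/.local/share/filesync/filesync"),
    ("bob", "/tmp/installer"),
]


def _is_under(path_parts, prefix_parts):
    """True if path_parts starts with prefix_parts (whole path components)."""
    return path_parts[: len(prefix_parts)] == prefix_parts


def user_writable(path, user):
    """True if `path` lies inside a directory that `user` can write to.

    Whole path components are compared, so a path under another user's
    profile (e.g. alice2) does not match alice's prefixes.  Windows paths
    are compared case-insensitively.
    """
    if "\\" in path or (len(path) > 1 and path[1] == ":"):
        parts = tuple(p.lower() for p in PureWindowsPath(path).parts)
        for tmpl in USER_WRITABLE_WINDOWS:
            prefix = tuple(p.lower() for p in PureWindowsPath(tmpl.format(user=user)).parts)
            if _is_under(parts, prefix):
                return True
        return False
    parts = PurePosixPath(path).parts
    return any(
        _is_under(parts, PurePosixPath(tmpl.format(user=user)).parts)
        for tmpl in USER_WRITABLE_POSIX
    )


def flag_processes(processes):
    """Return the (user, path) pairs running from user-writable locations, sorted."""
    return sorted((u, p) for u, p in processes if user_writable(p, u))


if __name__ == "__main__":
    for user, exe in flag_processes(SAMPLE_PROCESSES):
        print(f"{user}: {exe}")
```

A hit here is not proof of Shadow IT (browsers and some corporate tools legitimately install per-user), but the list is a cheap starting inventory for the conversation the talk is about: what users have installed because the official route did not meet their need.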
6. Social Engineering
Recommended Reading: http://www.tristanharris.com/
Make it as easy as possible to do the desired action, and as hard as possible not to do it
◦ UI design changes
◦ Constant pestering via mail/notifications/etc.
◦ App settings reset on logoff, new settings added and enabled with updates, & things requiring group policy/registry keys/obscure ways to shut them off
◦ Gamification – our brains are easily addicted to intermittent, random rewards
◦ There is only so much attention span any human can keep
◦ That includes any rules/security training you’re giving them!
10. Users like Easy
Wesabe vs Mint (Yodlee)
◦ Think of all the secondary information they got
Only have to type passwords once during signup, or link to Google/Facebook/etc.
◦ Make it as easy to get in as possible, hard to get out
Never have to see the EULA or terms of service
Better to ask forgiveness than permission
12. Non-Obvious Permission Usage
Ultrasonic (Microphone & speaker based) & Bluetooth Beacons
Periodic geolocation
Permission usage when app not actively being used
Additional functionality added later within an allowed permission set
Shared Android filesystem space
Proximity detection – both to suppliers’ locations and to competitors’
◦ Home/work – where you are during certain hours of the day when you don’t move much
19. Analytics
Often used to see how users generally interact with the application, operating system, or website, and what problems they may encounter
Multiple systems (dual, triple, sometimes even 20+) in a single app or website
◦ Found in certain IT security products – vendors will say “it’s documented!”
◦ May be on by default
◦ May need several individual controls to shut off, if they can be shut off
◦ May be subject to firewall bypass rules generated by/within said product
◦ The Ghostery plugin is one way to view these for websites
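Added example, not from the talk: the Ghostery idea applied to proxy logs instead of a browser, counting how many distinct analytics/telemetry providers each application contacts. The log line format, the application names (secsuite.exe, notes.exe, editor.exe), the .example destination domains and the provider list are all constructed for this example; a real run would use your proxy’s export and a maintained tracker list. Matching is done on DNS label boundaries, so a look-alike such as notanalytics.example does not count as a hit for analytics.example.

```python
import re
from collections import defaultdict

# Assumption: a Ghostery-style suffix list maintained locally.  These
# .example entries are placeholders, not real providers.
ANALYTICS_SUFFIXES = {
    "analytics.example": "Example Analytics",
    "metrics.example": "Example Metrics",
    "telemetry.example": "Example Telemetry",
    "crash.example": "Example Crash Reporter",
}

# Constructed proxy-log format:
#   <timestamp> app=<process> dst=<host>[:port] bytes_out=<n>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+app=(?P<app>\S+)\s+dst=(?P<host>[^:\s]+)(?::(?P<port>\d+))?"
    r"\s+bytes_out=(?P<out>\d+)"
)

# Constructed sample log; the security product "secsuite.exe" is fictional.
SAMPLE_LOG = """\
2017-06-15T09:00:01Z app=secsuite.exe dst=api.analytics.example:443 bytes_out=2048
2017-06-15T09:00:02Z app=secsuite.exe dst=collect.metrics.example:443 bytes_out=512
2017-06-15T09:00:03Z app=secsuite.exe dst=crash.example:443 bytes_out=65536
2017-06-15T09:00:04Z app=secsuite.exe dst=updates.vendor.example:443 bytes_out=128
2017-06-15T09:00:05Z app=notes.exe dst=telemetry.example:443 bytes_out=300
2017-06-15T09:00:06Z app=notes.exe dst=notanalytics.example:443 bytes_out=300
2017-06-15T09:00:07Z app=editor.exe dst=sync.vendor.example:443 bytes_out=4096
this line is malformed and is skipped by the parser
""".splitlines()


def provider_for(host):
    """Return the provider whose domain suffix matches `host`, else None.

    Matches whole labels: host must equal the suffix or end in '.' + suffix.
    """
    host = host.lower().rstrip(".")
    for suffix, name in ANALYTICS_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None


def parse(lines):
    """Yield dicts for well-formed lines; silently skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def analytics_per_app(lines):
    """Map app -> {provider name: total bytes sent to that provider}."""
    result = defaultdict(lambda: defaultdict(int))
    for rec in parse(lines):
        name = provider_for(rec["host"])
        if name:
            result[rec["app"]][name] += int(rec["out"])
    return {app: dict(providers) for app, providers in result.items()}


def noisy_apps(lines, threshold=2):
    """Apps that talk to at least `threshold` distinct analytics providers."""
    return sorted(
        app for app, providers in analytics_per_app(lines).items()
        if len(providers) >= threshold
    )


if __name__ == "__main__":
    for app, providers in analytics_per_app(SAMPLE_LOG).items():
        print(app, providers)
    print("noisy:", noisy_apps(SAMPLE_LOG))
```

The byte counts matter as much as the provider count: a crash reporter that ships tens of kilobytes per event is a data-loss channel whether or not the vendor calls it “documented”.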
27. Privacy Policies (Gibberish)
“Individual identifying information such as…”
“Non-individual identifying information such as…”
The “such as” list always sounds non-threatening. What is not listed often is not.
Often the “Non-individual” information is enough (on its own or in combination with other resources) to identify individuals
◦ Serial Numbers
◦ IP Addresses
◦ Everything but a person’s name
What happens when a company is acquired?
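Added example, not from the talk, illustrating the point above (and the later note that if company X knows Y, other companies can fill in the rest): three constructed datasets, none of which maps a device serial number to a name on its own, are chained through shared “non-individual” fields (IP address, e-mail address) until a name is reached. All serials, addresses and names are made up; the IP addresses are from the RFC 5737 documentation range. The search is a generic breadth-first walk over field/value pairs, so it works in either direction and for any chain of datasets, not just the three shown.

```python
from collections import deque

# Dataset A (constructed): device telemetry, "no names collected".
DEVICE_TELEMETRY = [
    {"serial": "SN-0001", "ip": "203.0.113.10"},
    {"serial": "SN-0002", "ip": "203.0.113.11"},
    {"serial": "SN-0003", "ip": "203.0.113.12"},
]
# Dataset B (constructed): web analytics, "only IP address and account e-mail".
WEB_ANALYTICS = [
    {"ip": "203.0.113.10", "email": "a.user@example.org"},
    {"ip": "203.0.113.12", "email": "c.user@example.org"},
]
# Dataset C (constructed): a marketing list bought from a data broker.
BROKER_LIST = [
    {"email": "a.user@example.org", "name": "Alice Example", "age_band": "35-44"},
    {"email": "c.user@example.org", "name": "Carol Example", "age_band": "25-34"},
]
DATASETS = [DEVICE_TELEMETRY, WEB_ANALYTICS, BROKER_LIST]


def link(datasets, start_field, start_value, target_field):
    """Breadth-first search across datasets.

    Starting from the fact (start_field == start_value), every record that
    shares any already-known (field, value) pair contributes its other
    fields as new facts, until a record carrying target_field is reached.
    Returns that target value, or None if the chain cannot be completed.
    """
    known = {(start_field, start_value)}
    queue = deque(known)
    while queue:
        field, value = queue.popleft()
        for ds in datasets:
            for rec in ds:
                if rec.get(field) != value:
                    continue
                if target_field in rec:
                    return rec[target_field]
                for f, v in rec.items():
                    if (f, v) not in known:
                        known.add((f, v))
                        queue.append((f, v))
    return None


def reidentify_all(datasets, start_field, target_field):
    """Try to recover target_field for every start_field value present."""
    out = {}
    for ds in datasets:
        for rec in ds:
            if start_field in rec and rec[start_field] not in out:
                out[rec[start_field]] = link(datasets, start_field, rec[start_field], target_field)
    return out


if __name__ == "__main__":
    for serial, name in reidentify_all(DATASETS, "serial", "name").items():
        print(serial, "->", name)
```

SN-0002 stays unresolved only because its IP address happens not to appear in the analytics set; one more “non-identifying” dataset with that address in it closes the gap, which is the acquisition scenario the slide asks about.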
28. Benefits of IT Being Shadowed
Herd Immunity
◦ Antivirus/whitelisting
◦ Bug reports/Patches
Feature Adding/Removal Decisions
Changes in Usage Design
Performance
◦ Larger/more important customers may be more likely to opt-out and/or block Analytics
29. Everyone still tries to be a member of a herd (and often more than one)
EULAs and their placement/treatment
Infinite scrolling news sites
Login/signup forms swapping
Non-Disclosure/Non-Compete Agreements
30. The Search for the Silver Bullet
Everyone still wants to aim for zero data loss
Everyone still wants their own big data hoard, and believes it is uniquely valuable
31. Everyone’s a Hypocrite
“My data is uniquely valuable and important”
“I am allowed to find out as much as I want to about you, but you are not allowed to do the same for me”
34. Conclusion
It is impossible (or at least impractical) to reduce the possibility of data loss to zero
Instead of designing for zero data missing & then handling the exceptions, I think we need to design with the expectation that data loss will occur
Certificate pinning hampers the lockdown of devices which may be both inside and outside of a network, or where you have a guest network.
The actions of certain nation states may have led to certificate pinning becoming more commonplace.
In particular, Tristan’s essays are good
This is essentially psychological warfare
IT should not just be concerned about phishing, personal social media accounts, etc. – getting users to recognize situations like this is important as well
Yodlee screen-scraped banks. Wesabe did not. Wesabe failed, and their founder cited this lack as one of the reasons. Similar services are now included in bank websites themselves.
Interestingly, bank bill-pay sites may also resort to screen scraping
Also known as why MDM & MAM are so important
Not just Google trying home/work detection; Foursquare commented in one news report that they do it as well. There is a bit of a rivalry going on between app and OS developers as to who can access what, when, and with what permissions (Uber/Apple, FitBit app/Android, etc.)
http://www.experian.com/assets/decision-analytics/brochures/data-enhancement.pdf
If company X knows Y then several other companies can tell X what they know about Y – and if they didn’t know some part of Y, now they know as well
Things passed around don’t just include facts.
What Experian tries to guess includes: demographics, age, occupation, personal interests, how likely you are to purchase things, credit worthiness, how wealthy you are, and more
https://blog.avast.com/2015/11/11/the-anatomy-of-an-iot-hack/
Other Smart TVs may show ads, etc. – even if no content is on the screen
Often re-uses existing security cameras/etc. May estimate age/gender/ethnicity/etc.
Passive detection of cell phones and where/how frequently they are seen
Inability to turn off Bluetooth on a FitBit without turning off the FitBit
Ghostery is an interesting case of an ad-/tracking blocker wanting to obtain these analytics to help advertisers in the end
Even restaurant workers and hair dressers are being forced to sign NDAs & Noncompetes
Includes individuals, not just corporations
http://www.marketwatch.com/story/college-students-would-give-up-their-friends-privacy-for-free-pizza-2017-06-13
94% gave up their friends’ e-mail addresses even with no incentive; 6% of that no-incentive group gave fake e-mails (not giving anything was an option)
Smaller leaks, staggered over time
http://cybersquirrel1.com/