THE DEFINITIVE GUIDE TO

SHADOW IT

All you need to know about Shadow IT.

Introduction

As organizations become increasingly connected to the internet, thanks to everything from cloud computing, SaaS applications, and IoT devices, the risk posed from cybersecurity attacks only continues to grow.

In the past year, 73% of security incidents involved internet-facing external assets. This demonstrates the importance of protecting and managing your online assets. However, the problem gets even more complex when you consider the prevalence of shadow IT.

With the constant stream of new devices and software being added to their network, security teams can’t keep up, resulting in a visibility gap that attackers can exploit.

It may sound cliché, but it’s true: you can only protect the assets you know about, and security teams today are working from an incomplete picture. According to Gartner, 30% of internet-facing assets are unknown to security teams, which means most security programs are defending only about 70% of what is actually exposed. It’s little wonder then that 1 in 3 breaches originate from shadow IT.

Security breaches can cost millions and cause permanent damage to your business. Your attack surface is your first line of defense; that’s why it’s key you have an effective way of discovering unknown assets. Only then can you gauge their risks, take steps to remediate any vulnerabilities, and begin to understand why they went undetected.

In The Definitive Guide to Shadow IT, we’ll cover the various types of shadow IT, the risks they can bring to your business, and how you can effectively discover and manage shadow IT.

What is Shadow IT?

Gartner defines shadow IT as IT devices, software, and services unknown to an organization’s IT and security teams. These assets are usually deployed without IT oversight, or they enter the environment through poor hygiene, third-party software and appliances, or mergers and acquisitions.

Because nobody with security responsibility knows they exist, they are never inventoried in the company asset management program, and an asset that is not in the inventory is invisible to the security teams tasked with protecting it. This is a serious problem.

Shadow IT breaches make up one third of all security breaches.

Common Examples of Shadow IT

Shadow IT is not limited to a specific type of asset and can be found across a wide range of internet-facing assets. As businesses expand and move to the cloud, it’s important to recognize the risks these transformations pose and take proactive steps to stay protected.

Mergers and Acquisitions (M&A) Assets

When your business merges with or acquires another company, it also takes on all of that company’s internet-connected assets, which may or may not be accurately inventoried. If the acquired company hasn’t been diligent about looking for gaps in its security, it’s easy to fall victim to an attack. Even when the company has reasonably good security practices, there will usually still be unknown assets, expanding the surface that’s open to attack. M&A-related breaches can cost millions and severely impact the ROI of the investment, so having proactive discovery processes in place for M&A is critical.

IoT & Industrial Control System (ICS) Assets

As automation increases, connected devices from office appliances to industrial machinery are on the network, but they are often neither inventoried nor monitored. Employees think of them as internal equipment or temporary devices, so access to them is rarely locked down. When such devices are reachable from the internet, they offer attackers a tempting entry point.

Exposed Databases

Databases that contain customer or employee information are an irresistible temptation to hackers. Many companies are not even aware that some of their databases are exposed to the internet until it’s too late. This results in breached SLAs, loss of customer trust, and a hit to brand equity.

Cloud Storage

Misconfigured cloud storage, such as an S3 bucket whose policy or ACL grants access to everyone, can leave your data exposed to the internet without your knowledge. According to Gartner, 95% of cloud breaches are the result of human error like this.
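The bucket-policy mistake described above is easy to check for mechanically. The following is an added example, not code from Randori or AWS: it inspects a bucket policy document (the JSON AWS returns for a bucket's policy) for statements that allow a wildcard principal without a condition that narrows the caller, and checks whether the Block Public Access settings that prevent such policies from taking effect are fully enabled. The three policies, the bucket name, the account ID, the VPC endpoint ID and the list of narrowing condition keys are constructed for the example.

```python
"""Check an S3 bucket policy for grants to the whole internet.

Added example, not Randori or AWS code. The policies are constructed
samples shaped like real bucket policy documents.
"""
import json
from typing import Any

# Constructed: the classic mistake. Every object is readable and the bucket
# is listable by anonymous callers, because Principal "*" means everyone.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# Constructed: the same wildcard principal, but narrowed to callers arriving
# through one VPC endpoint. This is not open to the internet.
VPCE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpcEndpointOnly",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})

# Constructed: the corrected policy. Access is granted to one named role.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": ["s3:GetObject"],
        "Resource": ["arn:aws:s3:::example-bucket/*"],
    }],
})

# Assumption: condition keys that limit who a wildcard principal can be.
# Compared case-insensitively because AWS condition keys are.
NARROWING_CONDITION_KEYS = {
    "aws:sourcevpce", "aws:sourcevpc", "aws:sourceip",
    "aws:principalorgid", "aws:principalaccount", "aws:principalarn",
}


def _is_wildcard_principal(principal: Any) -> bool:
    """True for Principal "*" and for {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def _has_narrowing_condition(statement: dict) -> bool:
    """True if any condition key restricts who the wildcard principal can be.

    Only key names are checked; aws:SourceIp with 0.0.0.0/0 would still be
    public, so a production check must also look at the values.
    """
    for keys in statement.get("Condition", {}).values():
        if any(k.lower() in NARROWING_CONDITION_KEYS for k in keys):
            return True
    return False


def public_statements(policy_json: str) -> list[str]:
    """Return the Sid (or index) of each statement open to the internet."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for i, st in enumerate(statements):
        if (st.get("Effect") == "Allow"
                and _is_wildcard_principal(st.get("Principal"))
                and not _has_narrowing_condition(st)):
            findings.append(st.get("Sid", f"statement[{i}]"))
    return findings


def block_public_access_complete(config: dict) -> bool:
    """All four Block Public Access flags must be on; any one left off leaves a path."""
    flags = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(config.get(f) is True for f in flags)


if __name__ == "__main__":
    for label, policy in (("public", PUBLIC_POLICY), ("vpce", VPCE_POLICY), ("scoped", SCOPED_POLICY)):
        print(label, public_statements(policy))
```

Running the script flags only the `PublicRead` statement. Fixing the policy is half the remediation; the other half is turning on all four Block Public Access flags at the account level so that the next well-intentioned public policy is rejected rather than silently applied.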

Misconfigured Test/Dev Sites

Another type of shadow IT caused by human error is misconfigured test and development sites. The developers may think that the site is set for internal use only, when it’s actually open to anyone on the internet.

Unsanctioned Third-Party Software and Apps

IT departments should be aware of and monitor company-wide SaaS subscriptions, but this is not the only type of unsanctioned application. Individual employees may also install software or apps without permission on computers that are connected to the company network.

Factors Driving Shadow IT

It’s unrealistic to expect security teams to keep track of every asset on their own. Many factors contribute to the growth of shadow IT; here are a few of the biggest.

The increase in remote working and having multiple offices/facilities across locations makes it more difficult for IT teams to stay in sync over constantly changing assets.

Weak restrictions and little oversight on the use of open-source components, combined with no clear security protocol for test sites, let vulnerabilities creep in unnoticed.

Out-of-date asset inventory and the inability to scan assets completely can leave many assets unknown and exposed to external attackers.

The cloud migration process inevitably brings risks with it as more of your assets are connected to the internet. Any misconfigurations might expose data.

New partnerships and subsidiaries mean more data that you’re not familiar with. This means more potentially exposed, unknown assets.

Well-intentioned employees may download new productivity apps or try out new software that they think could benefit the company. If they’re just trying it out, they may not think getting permission is necessary, but any new software provides opportunities for security breaches.

Strategic business units and subsidiary companies might be connected to your network, but not under the direct control of security teams. All the exposed assets on these systems become part of your company’s attack surface.

If your business relies on contractors and agencies, there’s another opportunity for shadow IT to expand. When you have shared drives and logins with these businesses, their unknown assets may also be connected to your network.

How to Manage Shadow IT

As you can see, shadow IT is a widespread problem that starts in many places. Finding it may seem an insurmountable task, but ignoring it leads to serious security risk. In this section, we’ll discuss the risks posed by shadow IT and why it’s imperative that security teams manage it effectively.

What are Shadow IT Risks?

Unknown vulnerabilities in your network leave you open to attack. When hackers see an easy opening to break in and steal valuable data, they take advantage of it.

Exposed databases make information publicly available for the taking, even if it’s not supposed to be. It doesn’t require any effort for external parties to make use of it.

Enterprises handling sensitive data that need to comply with security mandates like the Health Insurance Portability and Accountability Act (HIPAA) or Payment Card Industry Data Security Standard (PCI DSS) face fines or lawsuits if breaches are discovered.

Not having sufficient control of the network leads to fires, which can burn out a security team. When teams are constantly having to focus on clean-up, they won’t be on guard against newly emerging threats.

Shadow IT brings multiple financial risks from non-compliance fines to ransomware. In addition to pay-outs, the time and resources needed to recover from a breach also result in great financial loss.

Data Breaches vs. Data Leaks

Both terms mean that your data has been compromised, but they differ in how. A breach refers to an actual attack in which someone broke in. With a leak, no break-in was needed: the data was already openly accessible, typically through a misconfiguration, and anyone who found it could take it.

Real World Examples of Shadow IT Risk

Equifax Data Breach

The most prominent real-world example of the disastrous consequences of shadow IT is the 2017 Equifax data breach, which exposed the personal data of 143 million consumers. Equifax agreed to a settlement of up to $700 million with U.S. regulators and reported spending about $1.4 billion on clean-up and security upgrades.

This was the result of a cascade of security failures that began with shadow IT. In March 2017 a critical vulnerability, for which a patch was already available, was publicly disclosed in the Apache Struts web framework that Equifax ran on its consumer dispute portal. The internal notice to patch went out, but the people responsible for the affected system never applied the fix.

A vulnerability scan run about a week later should have caught the unpatched system, but it didn’t, because the vulnerable installation wasn’t inventoried among their assets. Equifax didn’t discover the intrusion until months later. By then the attackers had moved on to other servers, because the network wasn’t adequately segmented, and had found stored usernames and passwords that gave them even more access. They then siphoned data out over encrypted connections; the device that was supposed to inspect encrypted traffic had an expired certificate and had not been inspecting anything for months, so the exfiltration went unnoticed.

This cascade of errors could have been prevented if the security team had been aware of the exposed assets on its network.

Capital One Cloud Server Breach

A more recent breach that illustrates the risks of misconfigured cloud infrastructure occurred in 2019. Capital One was breached by a former Amazon Web Services employee who accessed over a hundred million credit card applications, exposing about 140,000 Social Security numbers and 80,000 bank account numbers. Although Capital One secured the data before it was used for fraud, the repercussions were still damaging.

The breach occurred through a misconfigured web application firewall (WAF) running on one of Capital One’s AWS instances. The attacker could make the WAF issue requests on her behalf to the instance metadata service (a server-side request forgery), which returned the credentials of the IAM role attached to the instance; those credentials were then used to list and copy data from the company’s S3 buckets. This class of weakness is well documented, and many attackers know to look for it. Capital One was found to lack adequate risk assessment processes and paid an $80 million civil penalty to federal bank regulators.

While consumer data protection is important for all companies, it’s especially serious for those handling financial information. Not only does the exposure lead to potential monetary loss to customers along with lack of trust; it also brings severe consequences for violating Federal regulations.

How to Discover and Manage Shadow IT

Get An External Perspective

To get started with identifying shadow IT in your network, you need a way to find out what you don’t know. Asset management programs won’t find assets you don’t know about, and shadow IT is by definition unknown. Every company has blind spots; seeing them, however, requires an outside perspective. Armed with that perspective, you can perform a gap analysis between what is visible from the internet and what your inventory says you own, to see how big the problem truly is. Without shadow IT discovery tools, these unknown assets remain hidden from you while staying exposed on your external attack surface.

It’s worth investing in a shadow IT discovery tool, such as external attack surface management, to find and manage high-risk external assets. A good tool takes a targeted, outside-in approach: it looks at your entire network from an attacker’s perspective, showing you not only what’s exposed but also what looks most tempting to attack.

With the number of connected assets, it’s impossible to completely remove all risk, and 76% of security leaders agree breaches are inevitable. However, you can minimize them by setting KPIs for the number of high-risk external assets that are allowed. This should be a number that you have the resources to monitor.

You should also check your existing security policy and adapt it if necessary to include rules on installing third-party software and configurations for connected devices and cloud storage.

Prioritize Action Based on Shadow Risk

After you discover shadow IT, you can’t instantly deal with all of it, and the vast majority of it may not even be a serious threat. Prioritize taking action on the assets that pose the greatest shadow risk and which would allow you to prevent the most damaging attacks quickly.

This involves considering both likelihood and impact of an attack. Likelihood factors include weakness, enumerability, applicability, research potential, and post-exploitation potential. Targets that cause the greatest impact are those that would affect business-critical applications and/or would result in high costs in the event of a compromise.

A good shadow IT discovery tool will show the likelihood and potential impact of an attack.
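The likelihood-times-impact prioritization described above, together with the KPI on the number of high-risk external assets from the previous section, can be turned into a small scoring routine. The following is an added example and not Randori's scoring model: the five likelihood factors are the ones named in the text, but the 0-5 scale, the factor weights, the 50-point high-risk threshold and the four assets with their scores are assumptions constructed for illustration.

```python
"""Rank discovered shadow IT by likelihood of attack times business impact.

Added example, not Randori's model. Weights, scale, threshold and the
sample assets are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    # Likelihood factors, each scored 0 (not a concern) to 5 (worst case).
    weakness: int            # known exploitable flaws, missing patches, default creds
    enumerability: int       # how easily an outsider finds it (DNS, CT logs, scanners)
    applicability: int       # how broadly common attacker tooling applies to it
    research_potential: int  # public research and exploit availability
    post_exploitation: int   # what a foothold leads to: credentials, lateral movement
    impact: int              # business impact of compromise, 0 to 5


# Assumption: weights sum to 1.0; exploitable weakness and what an attacker
# gains afterwards weigh most.
LIKELIHOOD_WEIGHTS = {
    "weakness": 0.30,
    "enumerability": 0.20,
    "applicability": 0.15,
    "research_potential": 0.15,
    "post_exploitation": 0.20,
}
SCALE_MAX = 5
HIGH_RISK_THRESHOLD = 50.0  # assumption: scores at or above this count against the KPI

# Constructed: four discovered assets with analyst-assigned factor scores.
SAMPLE_ASSETS = [
    Asset("test-dev-site", weakness=5, enumerability=4, applicability=4,
          research_potential=5, post_exploitation=3, impact=3),
    Asset("exposed-customer-db", weakness=3, enumerability=3, applicability=5,
          research_potential=4, post_exploitation=5, impact=5),
    Asset("lobby-ip-camera", weakness=4, enumerability=2, applicability=2,
          research_potential=3, post_exploitation=2, impact=1),
    Asset("marketing-static-site", weakness=1, enumerability=5, applicability=2,
          research_potential=1, post_exploitation=1, impact=2),
]


def likelihood(asset: Asset) -> float:
    """Weighted average of the likelihood factors, normalised to 0..1."""
    total = sum(w * getattr(asset, f) for f, w in LIKELIHOOD_WEIGHTS.items())
    return total / (SCALE_MAX * sum(LIKELIHOOD_WEIGHTS.values()))


def risk_score(asset: Asset) -> float:
    """Shadow risk on a 0..100 scale: likelihood times normalised impact."""
    return round(likelihood(asset) * (asset.impact / SCALE_MAX) * 100, 1)


def prioritize(assets) -> list[tuple[str, float]]:
    """Highest shadow risk first; ties broken by name so the list is stable."""
    return sorted(((a.name, risk_score(a)) for a in assets), key=lambda x: (-x[1], x[0]))


def high_risk(assets, threshold: float = HIGH_RISK_THRESHOLD) -> list[str]:
    """Names of assets the team must actively monitor or remediate."""
    return [name for name, score in prioritize(assets) if score >= threshold]


def over_kpi(assets, max_high_risk: int, threshold: float = HIGH_RISK_THRESHOLD) -> bool:
    """True when more high-risk external assets exist than the team agreed to carry."""
    return len(high_risk(assets, threshold)) > max_high_risk


if __name__ == "__main__":
    for name, score in prioritize(SAMPLE_ASSETS):
        print(f"{score:5.1f}  {name}")
    print("KPI breached:", over_kpi(SAMPLE_ASSETS, max_high_risk=1))
```

Note how the ranking differs from a pure vulnerability view: the marketing site is the easiest thing to find (enumerability 5) but scores low because there is little to exploit and little to gain, while the database with fewer known flaws ranks first because of what a compromise would cost and lead to.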

Learn more

To learn more about prioritizing shadow IT risks, check out our 3 Steps to Managing Shadow IT Risk e-book.

Once you’ve set priorities, take immediate remediation actions. Patch any vulnerabilities that can be patched and are likely to be targeted, fix risky misconfigurations, and remove or add controls around software that’s considered high-risk.

Continuously Monitor for New Shadow IT

It’s not enough to audit and address shadow IT once. Even with sound security protocols in place, new shadow IT will still be added frequently, so you need to constantly monitor for it. Integrating security tools will enable you to do this.

Attack Surface Management (ASM) software constantly monitors your attack surface, helping you discover shadow IT whenever it’s added. It makes your unknown assets known so that they can then be added to your asset management solution’s inventory.

Set up a continuous monitoring strategy, for example, using ASM software to scan changes in your organization’s attack surface daily and planning patching cycles monthly. Prioritize the highest risk vulnerabilities to be patched first.
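The gap analysis from "Get An External Perspective" and the daily change monitoring described above are the same two set operations applied to external discovery data, so one added example serves both. This is not Randori code: it takes a constructed inventory export, constructed certificate-transparency names shaped like the multi-name entries a CT search returns, and two days of constructed external scan results, then reports assets the inventory doesn't know about, what changed since yesterday, and which changes deserve an immediate alert versus the daily summary. The domain, hostnames, ports and the list of ports treated as sensitive are assumptions.

```python
"""Gap analysis and change monitoring over external discovery results.

Added example, not Randori code. All inputs are constructed.
"""
from __future__ import annotations

# Constructed: what the asset inventory says the organisation owns.
INVENTORY = {"www.example.com", "mail.example.com", "vpn.example.com"}

# Constructed: names seen in certificate transparency for the domain. Real
# CT data is messy: mixed case, trailing dots, wildcards, and several names
# per certificate separated by newlines.
CT_LOG_NAMES = [
    "www.example.com",
    "*.example.com",
    "staging-api.example.com\nstaging.example.com",
    "legacy-db.example.com",
    "WWW.EXAMPLE.COM.",
]

# Constructed: open ports per host from yesterday's and today's external scans.
YESTERDAY_SCAN = {
    "www.example.com": {443},
    "mail.example.com": {25, 443},
    "vpn.example.com": {443},
    "staging.example.com": {80},
}
TODAY_SCAN = {
    "www.example.com": {443, 8443},
    "mail.example.com": {25, 443},
    "vpn.example.com": {443},
    "staging.example.com": {80},
    "staging-api.example.com": {443},
    "legacy-db.example.com": {5432},
}

# Assumption: a newly exposed service on one of these ports (remote admin,
# databases, search) is worth an immediate alert rather than the daily digest.
SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432, 27017, 6379, 9200}


def normalize_names(entries: list[str]) -> set[str]:
    """Turn raw CT name fields into a clean set of concrete hostnames."""
    names: set[str] = set()
    for entry in entries:
        for raw in entry.splitlines():
            name = raw.strip().lower().rstrip(".")
            if not name or name.startswith("*."):
                continue  # a wildcard names the zone, not a host you can scan
            names.add(name)
    return names


def unknown_assets(observed: set[str], inventory: set[str]) -> set[str]:
    """Shadow IT candidates: visible from outside, absent from the inventory."""
    return observed - {h.lower() for h in inventory}


def diff_snapshots(previous: dict, current: dict) -> dict:
    """What changed on the attack surface between two scans."""
    new_hosts = set(current) - set(previous)
    gone_hosts = set(previous) - set(current)
    new_ports = {}
    for host in set(current) & set(previous):
        added = current[host] - previous[host]
        if added:
            new_ports[host] = added
    return {"new_hosts": new_hosts, "gone_hosts": gone_hosts, "new_ports": new_ports}


def triage(changes: dict, current: dict) -> tuple[list[str], list[str]]:
    """Split changes into immediate alerts and daily-summary items."""
    exposures = {h: current[h] for h in changes["new_hosts"]}
    exposures.update(changes["new_ports"])
    critical, summary = [], []
    for host in sorted(exposures):
        for port in sorted(exposures[host]):
            (critical if port in SENSITIVE_PORTS else summary).append(f"{host}:{port}")
    for host in sorted(changes["gone_hosts"]):
        summary.append(f"{host} no longer responding")
    return critical, summary


def run() -> dict:
    """One monitoring cycle: gap analysis, then what changed since last time."""
    observed = normalize_names(CT_LOG_NAMES) | set(TODAY_SCAN)
    changes = diff_snapshots(YESTERDAY_SCAN, TODAY_SCAN)
    critical, summary = triage(changes, TODAY_SCAN)
    return {
        "unknown": sorted(unknown_assets(observed, INVENTORY)),
        "critical": critical,
        "summary": summary,
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value}")
```

Two things the output shows that neither list alone would: `staging.example.com` was already exposed yesterday, so it never appears as a change, yet it is still unknown to the inventory, which is exactly the asset a change-only monitor misses; and `legacy-db.example.com:5432` is the one finding routed to an immediate alert, because a database port appearing on a host nobody inventoried is the "exposed database" scenario from earlier in this guide.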

While acquired subsidiary shadow IT is unavoidable, many problems arising from shadow IT can be averted by educating employees on good security policy. Many are unaware of the risks of installing unsanctioned software or making configuration errors.

Selecting A Shadow IT Discovery Solution

Since the first step in dealing with shadow IT is discovery, it’s crucial to choose a solution that effectively uncovers all your unknowns. To get the most accurate view of your external-facing assets, ASM is the best option.

How ASM Compares against Other Shadow IT Solutions

ASM vs. Asset Management

ASM complements asset management; one is not a replacement for the other. Asset management allows you to manage all of your known assets; but it cannot include shadow IT. ASM monitors your entire external attack surface, finding all the assets that are exposed to the internet, even those you don’t know about.

Attack Surface vs. Assets

Attack surface is not the same as assets. In simple terms, if assets are the things owned by an organization, attack surface refers to the things that are exposed for external attacks.

ASM vs. CASB

One option for protection against shadow IT risks is a cloud access security broker (CASB) tool. It acts as a buffer between cloud service users and cloud applications. It monitors user behavior and connected device profiles and prevents malware. However, it can lead to false positives, costing security teams valuable time. Another drawback is that while it protects cloud or SaaS assets, it doesn’t cover every unknown. ASM reveals a broader set of shadow IT and ranks it by risk, so security teams can address threats efficiently.

ASM vs. CAASM

Cyber asset attack surface management (CAASM) solutions automatically unite asset management, cloud providers and XDR providers to give security teams complete and up-to-date visibility. But the problem is that even though it’s continuously monitored, it still only covers known systems. Shadow IT is undetected. ASM includes the parts of your attack surface that you don’t know.

Requirements for a Robust External Shadow IT Discovery Tool

When you’re choosing a shadow IT discovery tool, make sure it has these key features:

External Perspective

Your chosen shadow IT discovery tool must expose an external attacker’s perspective of your assets. Many organizations believe that their cloud storage and other assets are securely configured. But due to just a small error, their data might be fully visible to threat actors. It takes an outside view to reveal these risks.

Automated Discovery

Also known as blackbox discovery, the ideal shadow IT discovery tool should automatically and continuously identify your external-facing assets. It instantly makes your unknowns known.

Continuous Monitoring

Since your attack surface is dynamic, with shadow IT frequently being added, it’s important for the shadow IT discovery tool to perform ongoing asset and vulnerability monitoring and immediately alert your security team when a critical issue is found.

Risk-based Prioritization

The shadow IT discovery tool must also prioritize discovered assets based on how likely adversaries will be to attack them. It’s even better if the software can also determine known exploits, the ease of attackers discovering the assets, and the post-exploitation potential of the assets.

Real-Time Alerting

Manually checking for the latest changes to the attack surface is inconvenient and time-consuming for security teams. The right shadow IT discovery tool must provide real-time visibility and alerts to critical issues (e.g., newly discovered exploitable assets) as well as regular summary notifications for non-critical issues (e.g., newly discovered IPs).

Actionable Findings

The data from the shadow IT discovery tool must carry adequate context and be easily searchable, along with remediation guidance that helps your security team quickly improve your company’s security posture.

Agentless Deployment

Security teams already have multiple tools to keep track of, so you don’t want to add the work of a complex installation. A good shadow IT discovery tool deploys easily, perhaps with just a business email, and keeps running so your team is free to focus on important tasks.

Rich Integrations and APIs

It’s important for your chosen shadow IT discovery tool to be able to quickly integrate with your existing cybersecurity solutions like SIEM and asset management. Make sure that the tool is also equipped with an API so that you can automate these integrations.

Executive Reporting

In addition to the constant automated monitoring and daily reports for security teams, the best shadow IT discovery tool will also generate executive reports on a regular basis. These reports should include a summary of key findings and actions taken.

Conclusion

In this guide, we’ve shown you how widespread shadow IT is, as well as the serious risks that come along with it. Today’s organizations require technology to keep up with the ever-changing unknowns on their external attack surface.

In order to identify shadow IT, you need a complete view of all the exposed internet-facing assets.

Traditional asset management and SIEM solutions won’t pick up shadow IT, because they only cover assets that are already inventoried or already sending them telemetry; an asset nobody knew to enrol never shows up.

ASM, on the other hand, sheds light on all your unknowns. Using an attacker’s perspective, it continuously searches for and reports on all exposed assets as they’re added to the system. It does this automatically, so security teams don’t need to be concerned about keeping track of the multitude of assets being added every day. With ASM, you get regular reports on what’s exposed and what’s the highest priority to address.

Randori Recon is the industry’s leading ASM solution. Randori is the only ASM platform that brings a hacker’s perspective to your attack surface.

With advanced reconnaissance techniques used by real threat actors, it gives you the power to identify, prioritize, and continuously monitor your most valuable exposed assets, including unknown assets. 

Are you ready to discover how much shadow IT is on your network? Contact us to get a complete view of your attack surface today!