The document discusses the growing issues of shadow IT and shadow data in organizations. It notes that employees are increasingly using unauthorized cloud services and mobile devices to store and access company data without IT approval. This poses security risks as employees may not follow proper security practices. The document recommends that organizations shift to adopt more flexible security strategies that empower employees while maintaining proper access controls, such as privilege management and monitoring. It also suggests improving security awareness training for staff.

1. What Lurks in the
Shadow
Addressing the Growing Security
Risk of Shadow IT & Shadow Data
By @3ncr1pt3d

2. Cheryl Biswas
•
• Works for: JIG Technologies
• Does what exactly: security researcher,
analyst, writer of things
• Trekkie, techie, maker, baker
• Bridging the gap between tech and non-tech
Necessary Disclaimer: All content is my own and does not reflect the opinions
of my employer
09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
2

3. Security Lords
09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
3

4. Faster. Better. More. Tech.
09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
4

5. 09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
5

6. #GenMobile
09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
6
#GenMobile “For the security of company data and IT
systems, there may be cause for concern”.
(http://www.arubanetworks.com/mobileriskindex/)

7. 09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
7
BYoD

8. 09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
8
Internet of So. Many.
Things

9. The Human Factor
Fear of the Unknown
09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
9

10. The Dark World
Shadow IT/Shadow Data
09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
10

11. In the Land of Mordor
Where the Shadows Lie
Keep it secret, keep IT safe
09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
11

12. 09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
12

13. “Employees in every cubicle are using Box,
Workday and Salesforce, and they’re not
waiting for IT’s permission to do so.
They’re using their own apps on their own
devices. Many are spinning up servers in
the cloud for infrastructure in the cloud, a
practice dubbed bring your own server. So
privilege is now being consumerized like
apps and devices.”
- Forbes

14. - ZDNET
“When you agree to BYOD
policies, you put employees
within the security chain”.
09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
14

15. Bad Apples
09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
15

16. Pass on the Passwords
• 51% Single password/numerical PIN
• 58% NO policies of software to enforce
better passwords
• 56% Shared passwords
• 17% Used company-provided password mgr
• 60% Accessed confidential corporate data
09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
16

17. 09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
17

18. 09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
18

19. Unprotected and Connected
• questionable WiFi networks via
the local coffee shop hotspot
• unapproved cloud storage
• really, really bad USB

20. 09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
20

21. 09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
21

22. Security
means never
having to say
you’re sorry
09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
22

23. Cyber Insurance
09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
23

24. 09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
24

25. A culture of indifference.
Sharing as the norm – devices, data,
passwords
Indifference towards security – the
assumption that security is somebody
else’s problem; not worried about their
own responsibility
Self-empowerment succeeds over
existing rules (Aruba Networks)

26. “Businesses are ill-prepared for the
attitude of next generation
employees who own mobile devices,
and may be placed at risk as the
BYOD trend causes fractures in
security enforcement.”
- ZDNet
09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
26

27. Alien Vault Insider Risk Matrix
09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
27

28. “All identities are
not created equal”
With great power comes
great responsibility
09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
28

29. Great Power, Great Responsibility
• 92% orgs have user monitoring
• 56% handle privileged identity mgmt.
• 58% corps do regular password updates
• 60% IT decision makers share creds
• 52% share creds with contractors
>20% analyze or audit privileged access
09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
29

30. “IT departments often give non-
technical executives (e.g. VP of Sales,
CEOs, CFOs, etc.) broad privilege inside
corporate applications, figuring it is
better to give too much freedom to
upper management than get yelled at
when someone can’t create a report.”
- Forbes
09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
30

31. 09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
31
“It is scary to think that this many
people consider it normal for
employees to have access to data
that they shouldn’t have and for
companies to not know where
their missing data has gone.”
- David Gibson, VP at Varonis.

32. The Loss of Privilege
09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
32

33. The hearts of men are easily corrupted. And
the ring of power has a will of its own...
09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
33

34. Time
for
a little talk
about
B I G
Data
09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
34

35. 09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
35

36. Who Touched the Data?
“It’s not good enough to merely
resist the rise of BYOD, if people
can still access corporate e-mail
when they get home…”
John McAfee
09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
36

37. 09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
37

38. 09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
38

39. 09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
39

40. 09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
40

41. What’s Mine is Mine &
What’s Yours is Mine Too
09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
41

42. Sh*tposts
from
the
Trenches
09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
42

43. 09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
43

44. 09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
44

45. 09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
45

46. 09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
46

47. 09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
47

48. Let’s do a little Demo
https://www.shodan.io/

49. Country. Company. Device. Password
Default
09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
49

50. 09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
50

51. 09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
51

52. So Where Do We Go From Here?
“Just Say No.”
09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
52

53. Current rules can’t apply
when the game itself
has changed.
What was working
isn’t working now
09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
53

54. Least Privilege:
“Every program and every user of the
system should operate using the least
set of privileges necessary to complete
the job. Primarily this principle limits the
damage that can result from an accident
or error.”
- SALTZER, J.H. and SCHROEDER, M.D.
09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
54

55. We’ve taken the lid off Pandora’s box.
I don’t think it ever goes back on.
09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
55

56. 09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
56

57. What Are We Missing
• Training and Awareness
• Inventory and Monitoring
• Secure Hi-Value Assets
• ????
09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
57

58. The Cloud
09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
58

59. No Idea What They’re Using,
No Idea What They’re Losing
• 15x more cloud services used to store
critical data than CIOs authorized
• IT says 51 active cloud services. Survey
says 730
• Use growing exponentially.
• 1000 external services per company by
2016
09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
59

60. 30% of business critical info is in
the cloud.
Most cloud apps are third party
apps.
- Ponemon Institute

61. 09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
61
Shadow IT
isn’t
going
anywhere …
Gartner says so

62. 09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
62

63. 09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
63

64. 09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
64

65. To Build a Better Mousetrap,
Draw A Bigger Circle
09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
65

66. The Way Forward
• Ask what users really need and
want
• Show the CSuites why we are their
strategic partner
• Shift gears and adapt
• Projections based on Cloud, Big
Data, Everything as a Service
09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
66

67. As for that one ring
that rules them all …
The World has
changed. And so must
we.
09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
67

68. Thank You So Much!
BSidesTO
Contact Deets: @3ncr1pt3d
ca.linkedin.com/in/cherylbiswas
https://whitehatcheryl.wordpress.com/
09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
68

69. 09/11/2015
BSidesTO: What Lurks In The Shadow by
@3ncr1pt3d
69