Shadow IT Risk Highlighted in Security Report

Security threats do not always start with malware sneaking its way onto a computer. Sometimes, they can begin with applications downloaded knowingly by employees for business or personal reasons.

Inside Check Point Software Technologies’ ‘2014 Security Report,’ the company shined a light on shadow IT and how certain applications can leave enterprises potentially at risk. As part of its report, Check Point analyzed data from more than 10,000 organizations in various countries. 

Recently, PhishLabs reported an attack campaign that compromised the computers of residential ISP customers using Remote Desktop and who had easily guessable passwords.

If use of these types of tools is not done in a controlled manner, it could end up creating a security hole unknown to IT staff, Meghu told SecurityWeek.

“There are many underground sites that search for these remote access tools, brute force their way in, and then sell the access,” he said.

“With a brute force attack, it’s a waiting game,” he continued. “And even with a complex password, there have been, and probably will be again, exploits against RDP that allow an attacker to crash or overflow the RDP service, thereby still getting in. The fact remains this is a service exposed to the Internet and represents a risk. We can say ‘what if it has a strong password’, but if it’s a service started by the local user and not provided by the business, what controls are in place that ensure it is secure?”

Earlier this month, a researcher from Trustwave explained how a remote management tool (NetSupport) used in some enterprises can be exploited by attackers to remotely connect to a host without needing any passwords. 

While these applications do have legitimate uses when they enable IT and helpdesk personnel to service and manage employee desktops around the world, many organizations “have adopted these tools haphazardly based on tactical needs, so rather than standardizing on a single remote admin application, IT organizations instead employ three or depending on the platform, connection and task,” the report notes. 

Work-related reasons may drive other corners of shadow IT as well, such as the user of file storage and sharing applications like Dropbox. Still, the presence of peer-to-peer (P2P) applications and anonymizers such as TOR and UltraSurf however may be a little harder for employees to explain to their bosses.

“It would be hard to see a need to use anonymizers, and there is limited value for P2P,” Meghu said. “You can access software images for things like Linux servers, but there is also a lot of questionable material, enough that just blindly allowing it would not be prudent.”

The BitTorrent protocol, SoulSeek and EDonkey Protocol were the most commonly used P2P technologies. Among the file storage services, Dropbox was the most prevalent.

“Whenever an unsupported service like Dropbox is used, you are exposing corporate data to an outside service,” Meghu said. “Many of these services have terms of service that may be in conflict with the corporate requirements. For example, if you post corporate information to Dropbox, does it become property of Dropbox? There is also the bigger issue of creating another point from which data can be stolen or leaked.”

Last year, a study performed by Frost & Sullivan and sponsored by McAfee found that more than 80 percent of the 600 respondents used non-approved software-as-a-service applications in their jobs – and IT employees were the worst offenders.

Users are smarter and more agile than ever before, Meghu said, meaning it is easy for them to bypass the proper channels when they want to try a new application or access type.

“By ensuring policy is being enforced, and high risk applications are identified when they appear in the network, users can be guided to proper resources to accomplish what they need,” he said. “Making user interaction part of enforcement ensures that the user doesn’t try to work around the controls, but follows a process that is in-line with the business.”

*This story was updated with additional commentary.