The ABC’s of APTs: Shamoon

sham35Welcome to the grey zone where politics and cyber meet. APTs or advanced persistent threats, are one of my favourite acronyms (but then you know how I am intrigued by Stuxnet and cartels), and essentially are how nation states get their digital digs at each other. Usually the intention is to get information, because knowledge is power. Cyberespionage can give a competing nation a real competitive advantage in the world economy, among other things. But sometimes, there is a need to control more, and that is where weaponizing code takes on a whole new nasty.

The keyword here is “persistence.”  First, attackers must find their way into the networks of the target. Usually, they employ targeted spear phishing, painstakingly staking out the right victim to receive that loaded email.  The investment of time and money at this point is essential, so as not to tip anyone off. And the emails are crafted so carefully, picking up on points tailored to that recipient so that they will open it, and launch the attachment that will create an entry point for the attacker. There is a reason why phishing is at the heart of so many breaches.

Now, imagine a video game, where you must progressively meet the challenges of each level to go higher. That is the attacker moving through the network, acquiring credentials to gain access to the crown jewels. The strategy is to find someone lower level, then work your way up. Hence, persistence, because this is an investment of both time and patience. Expect the key executives or decision makers to be well-guarded, with access and authorization controls in place. Not the case for someone lower on the food chain. All an attacker needs is to gain access. As proven repeatedly, once in, they can take all the time they need to find what they want. Case in point: the attack on the Ukraine power grid in December 2016.  The attackers were in that system for over nine months, collecting what they needed, notably credentials for the Virtual Private Network, that enabled them to jump the security gap onto the restricted side. As Stuxnet taught us, there is no such thing as air-gapped security.

shamoonattackgraphic

We know the Russians hacked the US; we know China hacked the US and Canada; and yes, the US has hacked someone too. These are the games nations play. The trick, of course, is not to get caught before you have the prize. And when you do get caught?  Well, as we’ve seen play out, nothing really bad happens. Just expect that your victim will be in your systems. Unless information isn’t the endgame and control is. Then, be prepared for something to go bump in the night.

Shamoon is devastating wiper malware that took out a massive swath of Saudi Aramco when it first debuted in 2012.  Linked to Iran, and an ongoing feud in the region between key players, it was a targeted attack against the oil giant, damaging or destroying 35,000 computers. Sec Def at the time, Leon Panetta, described it as “probably the most destructive cyber attack on a business.”

Wiper malware was used against business targets in  December 2014 destroying the systems in a Vegas casino, The Sands, after owner Sheldon Adelson advocated using nuclear weapons against Iran. The US “publicly cited Iran as the culprit”.   Then Disstrack was used again in December 2015, in the attack that brought Sony to its knees.  These aren’t gangs using cybercrime for monetary gain. These are the equivalent of acts of war, given the level of damage done.

Fast forward to late 2016. Two major attacks happened in Saudi: November 17 taking out systems at the airport and other Saudi government agencies, and then again on November 29. Then, on January 23 there was another attack. The malware used was almost identical to the original Shamoon, aka Disstrack.  Except there were a few key enhancements.  According to Andrew Plato, CEO of Anitian Enterprise Security

 “What is really worrisome about this is it’s just outright destructive. It isn’t really trying to steal anything. It’s the closest things we’re going to get to a cyber bomb”.

The new version, dubbed Shamoon 2, spread through the local network using legitimate counts belonging to users and administrators, with complex passwords likely obtained from an earlier attack. Remember what I said about persistence?  This new version, however went on to attack VDIs, or Virtual Desktops, which previously could have offered some protection because of their ability to load snapshots of systems that were wiped. Now Shamoon had migrated from just Windows-based systems to Linux in the attacks on VDIs.

cyberwar1-1024x482

Now, I don’t want to be alarmist and spread FUD everywhere. Yes, this is serious and destructive. Like Stuxnet, it broke things. And that’s the differentiator. So far, the line hasn’t been crossed where breaking things was deliberately done to harm people. Because as Archer would say: You want cyberwar? Because that’s how you get cyberwar.

While the expectation is that Iran is once again behind the attacks, Symantec has revealed there are multiple parties involved. More than one entity, so collaboration and cooperation.  The report is that an entity known as Greenbug may have assisted in getting the credentials needed for access.  Palo Alto reported on a campaign known as Magic Hound which targeted energy, technology and government with ties or locations in Saudi.  There were links between Magic Hound and two other actors with Iranian ties: Charming Kitten and Rocket Kitten. Finally, putting all this together was the group Timberworm or Cobalt Gypsy.  Per Symantec, Timberworm was behind the January 23 attacks.

Here’s the play by play. First, Timberworm used spear phishing emails with weaponized documents (we warned you about those Office Macros!) to gain initial access into the network. Once there, they used custom malware, along with leveraging existing sysadmin tools to avoid detection, and help them achieve persistent remote access. Quick FYI: custom malware is a hallmark of major organized cybercrime groups or nation state attacks because it costs a lot of time and money to craft, and the stakes are going to be very high.

Apparently Greenbug and Timberworm have been active, penetrating organizations beyond Saudi. Note that Shamoon, however, was only used against the Saudi target. Timberworm is a large operation, as is Greenbug, with targets in a range of areas. We know who they are now, what they can do, and that they have a shared interest. What we don’t know: the endgame. I’m waiting for that other shoe to drop.

http://www.zerohedge.com/news/2016-12-01/another-false-flag-destructive-iranian-hackers-allegedly-wreak-havoc-saudi-computer-

http://www.securityweek.com/shamoon-2-variant-targets-virtualization-products

http://www.securityweek.com/multiple-groups-cooperated-shamoon-attacks-Symantec

http://www.archersecuritygroup.com/second-wave-bomb-malware-hits-saudi-arabia/

Advertisements

My Approach to Threat Intel

In my role at work as a Threat Intel analyst, I track developments using various media feeds, and put together a succinct daily report of several key items that are pertinent to our clients and business lines.  Of course, I share my findings on Twitter and LinkedIn because that’s how the security community flourishes: collaboration. And to say I love what I do would be an understatement.

I don’t pretend to be an expert at what I do, nor will I say I have the definitive definition of what Threat Intel is. There is so much information to capture and analyze, and the learning is continuous. For me, my love of threat intel is in the hunt: looking for trends, patterns, new developments, things that reappear.  If you seek, you will find. There are many ways to search, and I am always trying to learn from people who have been doing this longer. It’s like fine-tuning a guitar, so I’ll always be looking at how to improve what I do.

I have go-to sources I read regularly, people online I follow specifically. My twitter feed is huge and categorized. But if I want to know something right away, it’s usually on there. I also have other sources to check in with directly. I collate information on malware, Advanced Persistent Threats (my most favourite things), specialized systems and their unique vulnerabilities.  This has helped me develop a baseline understanding over the time I’ve been doing this, so that I can understand who the players are when it comes to exploit kits, ransomware or DDoS.  And I try to make sure I know who the experts are, so that when they find something I am paying attention. That’s the head’s up.

When I’ve talked on Blue Teaming with my awesome pal, Haydn Johnson, we refer to the importance of knowing your baseline, watching patterns, so that you can identify anomalies. Those are your threats. That is your head’s up.  I find the same thing here as I track tweets, stories, advisories, reports and blogs.  I look for evolutions in how malware is delivered, so changes in exploit kits, or for kits to disappear from site. That means those kits are going to reappear with a new twist that our standard levels of detection and protection may not recognize, so attackers can access systems. Or, it could mean a larger scale attack, like Carbanak, when a massive crime gang operates on a global level and banks get taken for $1 billion. I play a lot of “what if” because I find I need to think beyond the normal realm to expect the unexpected. After all, the attackers are going where we aren’t looking.

In the weeks to come, I will be trying to bring in more information to widen my search. I’m researching all I can on what experts think best defines Threat Intel and Hunting. Because to really capture what’s out there, we need to broaden our scope.  I want to be looking ahead of the curve in this chase, anticipating their next move based on the wealth of information we have at hand, and factoring in what we know about human behavior. Next gen tech has spawned next gen threats, and as always, the attackers are ahead of us. And here is the thrill of the hunt.

CyberSec for Everyone

I was recently asked to speak with Mansoor Tamweer, a reporter with Ryerson University here, about what the public should know as a general overview on Cybersecurity.  For me, it’s a privilege to be asked, and my calling to help others.

I don’t come from a traditional technical background. Infact, as I’ve often shared, I really didn’t think I could learn “tech”.  Until I sat down and took apart a computer and discovered the fun of learning hands on. That morphed quickly into becoming a software junkie. Back in the day when software suites were the thing: Lotus, WordPerfect, Microsoft. Like Pokemons, I had to catch ’em all.  Again though, learning for myself dispelled my old fears and hesitations. Instead, I understood things at a more user-based level, and was able to to explain “how” and “why” to non-technical people, equipping them with not just the skills but the confidence in themselves to try on their own. This is my biggest win. And I’ll keep doing that as I learn more, because everyone needs to know. We own our own security.

The recent ransomware attacks on Canadian universities prompted the call to me, because I had spoken with the Ottawa Citizen about a ransomware attack on Carleton about a month ago. Credit where credit is due: the information I share comes via others in our security community who really are the experts on malware, ransomware, threat intel, securing systems etc. I learn from them, then try to make the awareness and understanding happen for a broader base.   Imagine that we, the security folks, are the tip of the iceberg. We know and understand a lot. But everyone knows the mass of the icerberg is submerged. Like 95% of it. To me, those are the end users. The non-technical folks who trust in the products and services they buy. And who need us, more than ever. My theory is that if we can help those people do one or two basic security things better, then we may flip this table in our favour. Like a numbers game. You know the adage “Teach a man to fish, and he’ll eat for the rest of his life”. When I explain things to friends and neighbours, they want to learn. They’re scared, intimidated, but they want to protect themselves, their families, their homes. We can make that happen.

There is lots of FUD – fear, uncertainty, doom – being peddled. And the ubiquitous images of hackers hunched over keyboards in black hoodies. Clarification: hackers aren’t all bad guys. There are way more good guys, striving to learn things nobody else can, to improve things nobody else will. My hoodies are purple and red, and hunching is bad for my back. I’m not a “1337” or elite hacker – I’m still shiny new to this realm by many standards. But I’m learning the skills to understand how to protect based on how to attack. Break. Fix. Break again. We’re hackers – that’s what we do. And you need us to do this. How else are you going to know where your weak spots are?  Really, your best offence will be a solid defence because attackers go after the low-hanging fruit. They move on if there is anything in the way. That’s where teaching basic security at a level everyone can do comes in. And I know we will have to keep trying – this isn’t going to be easy. People are resistant to change, hesitant to learn new things. But if you are persistent, it will happen.

signbunny

Tameer was a great host, and I really enjoyed talking about security with him. One thing asked was if there were places for people to go and get a basic understanding of security. I said he could start here with my site. I am trying to make it a resource, a one-stop or a first-stop, for people at all levels. I’ll make sure I regularly feature security for beginners in this blog area as well as a resource page. Since we need to learn to walk before we run, what are the basics? Here’s my quick list:

1. Passwords. Do this right. It really is your first line of defense and a deterrent to the attackers. They will move on. There are rules, and passwords only work if you follow these rules: do not share your password; do not use the same password across multiple accounts; when you buy something, change the default password it comes with. And if you feel overwhelmed by trying to manage all your passwords, consider using a password manager like LastPass. I’m not endorsing anything but just giving you a starting point. Jessy Irwin, @jessysaurusrex on Twitter is a fantastic and funny resource on security for us all. Follow her.

2. Wifi. If you like using free wifi, or wifi hotspots, please do not believe those are safe. You need to surf protected, with a shield around you. This shield is called a VPN. A Virtual Private Network. You can get some for free that will buy you a few hours of security at a time or you can spend about $5 a month and get something really good. Why do you need it? When you go online, your IP address is visible to anyone. They can track you, mislead you, and attack you. A VPN switches your IP address which throws an attacker off your scent. You can go online without them knowing where exactly or who exactly you are. I use PIA Private Internet Access for my VPN if that helps.  And I use this on my cell phone. Easy to set up. No more excuses ok?

3. AntiVirus. It isn’t a silver bullet but it will catch things and help protect you. There are loads of free versions. At the bare minimum, you can use the one that comes with Windows. And i use it on all my devices. Avast is good. ESET. And if you want to spend more for extra protections, go ahead. Monitor all the connections. friends

4. Think before you click. Everyone has heard about phishing and ransomware. Yes. People send you stuff with attachments or links. You click it and “boom”!  But even the smartest people can be fooled. You can test that link before you click it to make sure it really is legit. You can enter the url or link info here: http://scanurl.net/.    As for that attachment, you can use you AV to scan it first.  This article by Lifewire has lots more info to help.

5. Backups. Set yourself up with backups. And multiple ones. Keep one off your network because your network gets contaminated. And when you get hit by ransomware, or malware, you have something to restore from. All your files are not lost forever. You won’t be held in some attacker’s grip.

6. Encryption. That sounds pretty technical for some. But the fact is, if you are using any mobile device, you need to encrypt the hard drive, or set up a passcode to lock the screen. Do you have any idea how many breaches have been caused by laptops stolen from cars or desks that were not encrypted? Windows will walk you through encrypting your own hard drive. And at the very least, secure your lock screen on your phone or tablet.  Those SMS messages we love to send? Texting. That is out in the wide open for everyone to access. You can use a secure encrypted messaging system that is just as easy and free. Signal. WhatsApp. Wire. Download. Set up your username and password. Done. No more prying eyes.

The interview with Tameer airs on January 23 on The Scope, Ryerson’s radio station. Thanks so much for the opportunity to share what I know. Stay safe!

Yes Virginia, Dreams Really Do Come True!

securityunicorn

Sorry to have neglected you this past while. Big changes have happened. But that’s a good thing. A really good thing. And something I hope to carry forward.

You may have heard about the lack of talent in cyber security. And the lack of women in tech. And the resulting lack of women in cyber security. I am thrilled to tell you that I have now changed that statistic by one.

Yes Virginia, dreams really do come true. Because  I was offered the role of my life. My dream job.

I now do Threat Intel with the cyber security team at KPMG. As a cyber security consultant.

Repeat after me:

OMG! OMG! OMG!  Now breathe. (that really was fun, wasn’t it!)

Now I can stay up all night, every night, looking for cyber boogeymen and playing what-if til I can’t keep my eyes open. And people actually want to know about what I find. Oh, holy cow – it is amazing!

I have to learn more about all. the. things. Which is fantastic because I like all the things. Networks. SCADA ICS. Mainframes. Web Application Firewalls. And of course my 3 favourite letters: APT or Advanced Persistent Threat. Because the biggie of all those, Stuxnet, is what led me here in the first place.  I get to work with amazing people whose knowledge and skill just inspires me every day to do more.  We plan and build and evaluate things most people have no idea about, but that will actually make the world a better and safer place for everyone. And that is the realization of one of many childhood dreams. I still haven’t walked onto a Starfleet Enterprise class ship yet, but believe me, this is what it would feel like.

And this is where I tell you the really good stuff. That you have it in you to make your version of this happen. I stopped listening when people told me “you can’t do that” or “you  got that all wrong” or “maybe you’d be better at’.  I listened to that voice inside me, that passion pushing me further even when it seemed impossible. Even when I couldn’t understand it the first time, or someone said no, and said no again.  Because something inside of me wouldn’t let it go. I loved it too much.  Listen to that piece of you that won’t let go.  Find that thing you love enough to fight for it – and fight.  You deserve the sweetness of this victory. And oh, if it can happen for someone like me without all the proper degrees and traditional routes, then it can happen for you. Believe.

So come along and join me for my next incredible, amazing adventure. I’m only just getting started!

(Necessary Disclaimer bit that all these posts are my own and not my employer’s)

Back it up! Back it UP!

Because today is World Backup Day – A cautionary tale and my little take on “Shake It Off” by Taylor Swift

I left it too late
Got nothing on my plate
That’s what my disk drive says mmm-mmm
That’s what my disk drive says mmm-mmm

Now my files are all gone (sob)crash3
And I know something is wrong
At least that’s what the server says mmm-mmm
That’s what the server says mmm-mmm

So I keep losing
All the work that I was doing
It’s like I got this hole
In my drives
And it’s not gonna be alright

‘Cause the data’s gone away, way, way, way, waybash
And now it’s way too late, late, late, late, late
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up

Shellshock is gonna bash, bash, bash, bash, bash
And the hackers gonna hack, hack, hack, hack, hack
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up

When we got hacked todayransomware
By Ransomware – won’t pay
That’s what they say don’t do mmm-mmm
That’s what they say don’t do mmm-mmm

Get the backups- Let’s restore! (backup and restore)
Is this all- why aren’t there more? (why, why aren’t there more?)
So I tell them I don’t know, mmm-mmm
I tell them I don’t know, mmm-mmm

And we are losing
The work that we’ve been doing
It’s like we got this hole
In the drives
And it’s not gonna be alright

‘Cause the data’s gone away, way, way, way, waysonypictureshack-640x1136
And now it’s way too late, late, late, late, late
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up

Our site is getting hacked, hacked, hacked, hacked, hacked
Our accounts are getting jacked, jacked, jacked, jacked, jacked
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up

Back it up, I’ll back it up
I, I’m gonna back it up, back it up
I, I’m gonna back it up, back it up
I, I’m gonna back it up, back it up

Yeah ohhhh!!!!

Yeah the price we had to pay, pay, pay, pay, paydrive crash
But today’s a different day, day, day, day, day
Baby, I’m just gonna save, save, save, save, save
Now I back it up, I back it up

If the hard drive’s gonna crash, crash, crash, crash, crash
Or tornadoes gonna smash, smash, smash, smash, smash
Baby, I’m not gonna cry, cry, cry, cry, cry
Cause I back it up, I BACK IT UP!

You know what you gotta do – go do it!

My First ShmooCon – This Time It’s Personal

There are many security cons you can attend. Only one is Shmoo.

In our security community, Shmoo is beloved. Testament to that is how people will go out of their way to attend. The ticket sales tell the story. Two rounds were sold out in mere seconds. Say F5 and everyone knows which con you mean. Yet, no one wants to increase the number of attendees, because then it wouldn’t be Shmoo. This is as far from the hacker throngs at DefCon as it gets. Nor is it the suited industry version, like RSA. Steve Ragan or @SteveD3 put it best: Shmoo is family.

This is a con where hackers come to play. You can set up the actual network on the night before things get started. There’s a massive wireless CTF; a crypto challenge; Hack Fortress; locks to pick; the Tour de ShmooCon contest. You can even win a prize by hacking the barcode.  Because we learn when we play.

Lobbycon at Shmoo is legendary.  A who’s who of InfoSec stand shoulder to shoulder in hoodies with beer. Or Bourbon. Or shine. I loved having my fellow Canuck and very Infosec mentor, Lee Brotherston @synackpse, as my intrepid guide. I got to meet Dave Kennedy – yes, one of the nicest and most knowledgeable members of our community – amidst those mysterious Friday night fire alarms. I was also thrilled to meet the fabulous Katie Moussouris @K8em0 in her Karaoke attire.

But there is nothing like that moment when you actually meet a friend you’ve only known online. For me that was Sarah Clarke @s_clarke22 @infospectives, who came all the way from Britain.  You can read her witty account of ShmooCon here on her blog Infospectives, and I highly recommend reading her regularly.  And then there is the joy of reconnecting with those you already know, like @fl3uryz, @theSweetKat, @snoww, @mzbat and so many more. ❤ to you all. For me, one of the best rewards came when introducing extraordinary people to each other, and facilitating those conversations that would spark ideas, launch projects, and encourage change. This is why we Shmoo.

shmoosat

 

With so many great moments to share, here are some of my favourites:

  • Playing Cards Against Humanity with @da_667. You haven’t lived til you do
  • Being swung around the dance floor by @bigendiansmalls – who knew!
  • Having Georgia Weidman @georgiaweidman sign my copy of her Pentesting book
  • Meeting up with @maliciouslink and enjoying a great lockpick session.
  • Saturday night Lobbycon pizza from a mysterious benefactor
  • Enjoying the creative force who is Tarah Wheeler Von Vlack @tarah at play
  • A wonderful celebration of Rance @revrance, filling the lobby with his spirit and our voices

At con, there is no bedtime. I’ll have memories that last a lifetime from staying up to listen and learn from @ihackedwhat, @ussjoin, @steveD3 and @viss.  Oh the things you can do with Windows XP.

There were, of course, outstanding talks.  Fire Talks are always great, and the line-up this year featured a good mix of new voices and heavy hitters. First timer Wendy Knox Everette @wendyck came to win, but I have to admit my bias for @da_667’s gift for storytelling.

Jesse Irwin shared her distinctive wit and wisdom on bringing non-tech users in. I caught an excellent panel discussion, “You Ain’t Seen Nothing Yet: New Paradigms for Policy, Regulation, and Community Engagement” addressing some of the hot-button issues we all love to hate when it comes to government and cyber.  Kristin Paget brought her creative brilliance to preventing RFID tags from being read in “Be Free, Little GuardBunny”.  And “Attack on Titans: A Survey of New Attacks Against Big Data and Machine Learning” by Andrew Ruef and Rock Stevens explored another attack vector on our ever-increasing and vulnerable data.

I’m truly grateful I got to see Andrew Kallat @lerg’s talk, “Online No One Knows Your Dead”.  I love the rapid fire banter between Andrew and Jerry on their Defensive Security podcast, but this talk was different. It addressed the unimaginable issues of putting our digital affairs in order when we’re overcome by grief and loss. There were hard lessons offered through the poignant retelling of a real-life story. Thank you to Beth for being both brave and generous enough to share her experience.

Something I heard mentioned often was “Imposter Syndrome.  The term was created in 1978 by clinical psychologists Dr. Pauline Clance and Suzanne Imes, “referring to high-achieving individuals marked by an inability to internalize their accomplishments and a persistent fear of being exposed as a fraud.” Ironically, a good many of us feel just this way. I know I do – I’m no hacker. I don’t have a comp sci degree, or any tech degree. But as we exchanged stories over drinks in Lobbycon, it was reassuring to learn I wasn’t alone in my convoluted path to InfoSec. The truth is that the diversity of our backgrounds and experiences is what makes our community so strong and vibrant. We all belong here; we all have a meaningful contribution to make.

russiahouse

And that led to the Saturday night community building sessions. We pulled up more chairs as people joined, to talk openly about diversity, gender issues, learning styles. How to make first-timers and those new to InfoSec feel welcome. Here are some of the great ideas by an enthusiastic group of great people:

  • Create opportunities, like scholarships, to help more people get to these cons
  • Have ice-breaker events to help n00bs meet more of the community faster
  • Have a welcome/orientation event for con first-timers so they don’t feel overwhelmed and miss things.

In the end, it isn’t about the actual events like parties and talks so much as it is the overall experience and what we come away with. What matters is how Shmoo, and other smaller cons, are more personal; they encourage us to open up and share in a very relaxed and welcoming environment. Shmoo feels like family. For some of us, however, our families haven’t been there. Support and acceptance enable us to pursue our aspirations and to be confident in ourselves.  In my experience, InfoSec is a haven, and a home, because this community takes care of its own.  And that made this con very personal for me. Thanks to the kindness and generosity of good friends, I was able to attend Shmoo. You know I’ll be paying it forward, finding ways to bring people here, to learn, grow, and share with family. A reverent ‘Thank You’ to Heidi and Bruce Potter, and to their fantastic team who made it happen. Shmoo all the things!

Embracing the Shadow – wait! What?

Let me share a few more thoughts about Shadow IT with you as we head into 2016. The good folks at AlienVault were kind enough to ask, and let’s just say that we don’t expect the Shadow to fade anytime soon…

shadow

https://www.alienvault.com/blogs/security-essentials/embracing-the-shadow-wait-what?utm_medium=Social&utm_source=Twitter

There was a time when the IT security lords ruled. Mere mortals only had whatever devices and access they were issued. Companies had “standards” and if you wanted something it had to exist on the approved equipment list. But decisions took time and the lines of business didn’t always get the answer they wanted. Regulating tech was getting in the way of getting stuff done. Security had become an inconvenience.

It was easier to regulate things back then, when there were fewer things. The available tech was enough to get the job done. But that’s the thing. Tech is always evolving, to meet the demands for faster, better, more. And how do you do more better and faster? Shadow IT and Shadow Data.

Welcome to GenMobile, “a flexible, transparent and collaborative presence, ” which actually means folks who don’t follow the rules. Yes, Houston, we have a problem and it’s called self-service IT. Guess what percentage of workers are doing it for themselves? Aruba Networks cites 77%. Hello Shadow.

Be afraid. Be very afraid. Because we can’t see all the stuff, all the time. Easy-to-use devices are everywhere, creating an unprecedented level of end user entitlement. And a little knowledge has become a very dangerous thing by letting people “help themselves” to data and network access.

So what do you do when employees make independent decisions about devices, data storage and transmission? Accept it? Regulate it? Or ban it? Because “keep it secret” definitely does not keep IT safe.

No Idea What They’re Using, No Idea What They’re Losing

We need to start by getting our head in the cloud. Ah, the Cloud. It’s the solution to everything: storage, countless productivity applications, Office 365, Google Docs. Face it. Cloud is accessible anytime, anyplace, anywhere, anywhen. But the truth hurts:

  • 15x more cloud services are used to store critical data than CIOs have authorized
  • IT says 51 active cloud services. Survey says 730
  • Use growing exponentially
  • 1000 external services per company by 2016
  • 30% of business critical info is in the cloud

Here’s where we worry: The combination of Insider Threat plus Shadow IT. What if the interfaces and APIs with which users interact aren’t secure? Attackers are actively searching for these types of vulnerabilities to exploit them. And how do you protect against what you don’t know, because there’s a whole lotta activity going on up there unreported.

Shadow as the New Norm?

What if I said to you Shadow IT isn’t going away. In fact, it’s being heralded as the new norm, the way work is going to get done. Ponemon Institute reports an average of 50% of cloud services are deployed by departments other than corporate IT. And an average of 44% of corporate data stored in the cloud is neither managed not controlled by the IT department. Control over network infrastructure and physical hardware like firewalls is supposed to be the realm of the IT folks in charge of securing proprietary data. But the cloud has a way of making things go all fuzzy.

Twelve years ago technology spending outside of IT was 20 percent of total technology spending. But according to the experts at Gartner, it will become almost 90 percent by the end of the decade. At the Gartner Symposium in Orlando in June this year, the new attitude toward Shadow IT was this: “to empower their organizations to innovate, grow, and succeed, IT departments must embrace and manage this phenomenon.”

Hank Marquis, research director at Gartner, declared:

“Shadow IT looks a lot more scary than it is. Shadow IT is the future happening today. It’s called innovation. It’s happening in the edges where we don’t deliver the solutions. You might not agree with it but you should think that way. You’re not going to stop shadow IT. It’s not going to go away. You’re not going to suppress it. You might as well embrace it, leverage it, use it.”

His is not the only voice out there with that message. Jeanne Ross, Research Director and Principal Research Scientist, Center for Information Systems Research, MIT Sloan School of Management expressed similar sentiments in the HP Enterprise blog for December 10, entitled “Why Smart Companies are Embracing Shadow IT.” She talks about how business is using “demand shaping”, where companies identify their most “valuable and achievable business –change opportunities”, and then use this to select those projects best suited to invest IT dollars in. As for those rejected projects that would find their way into Shadow IT:

“This all comes down to relationships, and to the right conversations happening between people at all levels of IT and business. But if mutual respect exists between IT architects and program managers and their counterparts within the business units, demand shaping and shadow IT can forge an extraordinarily productive partnership.” Read more.

And then world peace can happen?

Ed Macnair, CEO, CensorNet, weighs in with this. “There is a case here for innovation versus risk. By allowing shadow IT, new solutions that will benefit the wider business can be found. However, shadow IT is a security nightmare as those members of staff who are likely to use their own solutions will inherently be from the generation of risk takers and will therefore be less concerned by the need for all encompassing security measures.”

The Innovation Trade Off

The recommendation by Gartner is that Shadow IT not be contained but encouraged and allowedwithin established boundaries to abide by existing compliance, regulatory and security rules. Innovation without peril. Even better, it’s a more prevalent and well-understood aspect of technology management among companies, and leaders might want to take a completely different approach to handling this matter.

As illustrated by IDC Senior Research Analyst Mark Yates, employees are operating with tacit permission, making their own decisions, and nobody is in control. The business environment has become a “Wild West.” Entitlement and empowerment are enabling employees to fake compliance and use what they want.

Simon Mingay, Vice President of Research, Gartner Inc., drives the point home. “For most IT organizations, resistance is futile. Better to embrace it and acknowledge that employee IT and digital skills in the increasingly digital workplace are an opportunity to innovate and create more value from IT and digital investments.”

And there we have the corporate buy-in. Lower IT costs, increased flexibility, speedier task completion and less interference from IT. Yes, it is being echoed from suite to suite. Because innovation leads to profit. But at what price to security?

A New Hope for The Phantom Menace?

Again, there is a collective chorus on the new approach to take. There need to be guidelines and boundaries to help corral Shadow IT without driving it completely underground and out of scope. Mingay advised “bring shadow IT out of the shadows, make it transparent, provide services that support it.” He advocates “Rather than try to eradicate shadow IT, let’s rename it “dispersed IT,” since everyone has a piece of it.” Frank discussions need to happen to identify why Shadow IT is happening, and those users and business units engaging most heavily identified and consulted. Why are existing policies and rules being circumvented when the consequences are known?

Is it possible to construct a mutually viable arrangement whereby IT can assume the role of broker, an intermediary between users and their apps? Gartner recommends IT organizations engage the business as a partner, and ask senior executives what they think IT’s role should be. And the conversation should extend to outliers and users not operating within the daily confines. Marquis reiterates points we’ve all been saying, like the importance of having visible support from the top execs. Of great importance is IT collaborating efficiently with audit and asset management to ensure compliance.

Clearly, the game has changed and there’s no going back. We have to shift gears, project from the rapid developments of Cloud, Everything as a service, and Big Data. It’s going to mean moving out of our comfort zone to get a better handle on what people really need and want. Buy-in comes when we show the CSuites how security is the strategic partner to help them move toward innovation. It’s a different terrain, but we’ve still got to run it faster, better than the guys who are out there waiting, counting on what our end users will do and the rules they won’t follow.

Thanks for reading!