
Data Exfiltration and Shadow and Stealth IT

Level 11

I've rarely seen an employee of a company purposefully put their organization at risk while doing their job. If that happens, the employee is generally not happy, which likely means they’re not really doing their job. However, I have seen employees apply non-approved solutions to daily work issues. Why? Several reasons, probably, but I don’t think any are intentionally used to put their company at risk. How do I know this?

My early days as an instructor

When I started out as a Cisco instructor, I worked for a now-defunct learning partner that used Exchange for email. The server was spotty, and you could only check email on the go by using their Microsoft VPN. I hated it because it didn’t fit any of my workflows and created unnecessary friction. In response to this, I registered a domain that looked similar to the company’s domain and set up Google apps, now called G-Suite, for the domain. That way I could forward my work emails to an address that I set up. No one noticed for several months. I would reply to them from my G-Suite address and they just went with it. Eventually, most people were sending emails directly to my “side” email.

After becoming the CTO, I migrated the company off our rusty Exchange server and over to G-Suite, but I couldn’t help but think that I would have reamed someone if they would have done what I did. In hindsight, it was not the smartest thing to do. But I wasn’t trying to cause any issues or leak confidential data; I was just trying to get my job done. Management needs to come to terms with the fact that if it makes an employee's work/life difficult, they will find another way. And it may not be the way you want.

Plugging the holes

Recently, I saw a commercial for FlexTAPE. It was amazing. In one part, you see a swimming pool with a huge hole in the side with water gushing out of it. A guy slaps a piece of FlexTAPE over the hole from the inside of the pool, and the water stops flowing. It reminded me of some IT organizations that metaphorically attempt to fix holes by applying FlexTAPE to them. But, by that point, so much water has escaped that the business has already been negatively impacted. Instead, companies should be looking for the slow leaks that can be repaired early on.

Going back to my first example, once people learned how I was handling my email, they started asking me to set up email addresses for them so they could do the same. First one colleague, then another. Eventually, several instructors had an “alternate” email address that they were using regularly. The size of that particular hole grew quite large.

At some point, management realized that they couldn’t pedal backward on the issue, and was forced to update certain protocols. I often wonder how much confidential information could have been leaked once I was no longer the only one using the new email domain. Fortunately, those who were using it didn’t have access to confidential information, but lots of content could have been exfiltrated. That would have been bad, but in my particular organization, I don’t know if anyone would have known.

Coming full circle

Today I own my own business and deal with several external clients. When I have employees, I try to be flexible because I understand the problem with friction. I also understand that friction may not be the only reason one turns to a non-approved solution to get their work done. For core business operations, organizations would do well to clearly define approved software packages. Should an employee use services like Dropbox, iCloud, Google Drive, or Box.com? If they do, are there controls in place? How does the solution impact their role? Do employees have a way to express their frustrations without fear of reprimand? Having an open line of communication with an employee can help them feel like their role is important. It also helps management really understand the issues they face. If you neglect that, employees will choose their own solutions to get work done, and potentially create security issues. And we don’t want that now, do we?

27 Comments
MVP

Nice write up

I need to get me some FlexTAPE

Level 12

Your situation with the email also shows how easy it is to fool people and how inattentive people are to details like that.

I agree that most of the time people use shadow IT to make their jobs easier, or just plain possible to begin with. Most of the time there are no bad intentions based on using it. But as you pointed out that can also result in unexpected consequences like data being leaked.

Level 15

We used to occasionally find access points that someone had brought in from home and plugged into the network under their desk.

I enjoyed your story, and am aware of parallels in my past work environments. Truly, if you build a network and its security so it impedes workers' abilities to accomplish tasks, they'll spend time trying to circumvent your roadblocks.

Be afraid they'll succeed.

Level 12

Wow Flextape! Just saw the ad for that last night, great analogy though. While I have seen similar work-around solutions at several of my past employments I continue to see further ones at my current job. Typically from non-IT staff who through frustration (not malicious acts) develop their own "solutions" to provide to their Dept Heads or self deploy, and there lies the blame, at least the way I see it.

A lack of communication from Staff/Dept's to their support team members when they are having difficulties achieving some intended result, or when an embedded application is not serving their needs seems to be the most common of issues. I can think of only one time in my past when I was a member of a team that instead of helping their clients put up roadblock after roadblock, leading to the client having to figure out a way to make it work by themselves. I got out of that (no) support team ASAP.

Additionally, things can be further complicated when solutions are brought forward by non-IT staff (typically from research done at home without an understanding of the back-end at work) to non-technical department heads who then authorize these workarounds. It's so important to have someone leading a department with an understanding of the technology deployed in the environment, or a Dept head who knows their limitations as far as technology goes and understands when to reach out to the Techs.

Great article brandoncarroll!

Level 14

Great write-up!

Great examples of things we all face every day... particularly the inevitable search by some to go around security because it "impedes" them from doing their jobs or makes them do their job at a "speed" slower than perceived.

Nice job!

Level 14

Yes, IT departments should be engaging with the users to deliver what the user needs, not what the IT department wants to deliver. If the engagement works, the users will understand why certain restrictions are in place and won't try to circumvent them.

Serious spanking to be applied to the installers of rogue APs.

In the early days of wireless we didn't allow it in our hospitals due to the security vulnerabilities with WEP, as well as us not having a corporate security policy for WLANs and BYOD.

Of course a few "entitled" individuals rebelled and purchased their own APs and brought them in, plugged them into live network ports. And promptly brought down the hospital network as their AP injected DHCP reception into the mix. Soon 300+ devices were using 192.168. addresses, trying to use the AP as a gateway, etc.

What a pain. I shut down their ports, told the users what problems they'd caused, etc.

Later they simply moved their APs to other ports and brought the hospital network down again.

Since then we've implemented ISE NAC, port security settings, DHCP snooping commands, and a wealth of other solutions. We're no longer plagued by that particular problem now, but other IoT issues continue to crop up.
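As an added illustration of the switch-side controls this comment mentions (DHCP snooping and port security), not code from the original post or the commenter: a Cisco IOS access-switch configuration that drops DHCP server replies arriving on user ports, rate-limits DHCP requests so a misbehaving device err-disables its own port, and caps the number of MAC addresses per port so a consumer AP cannot bridge a crowd of clients onto a single jack. The interface names, VLAN IDs and thresholds are assumed placeholders.

```cisco
! Enable DHCP snooping globally and on the user VLANs (assumed 10 and 20)
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Most access switches are not relay agents; do not insert option 82
no ip dhcp snooping information option
!
! Only the uplink toward the real DHCP server may carry OFFER/ACK packets
interface GigabitEthernet1/0/48
 description Uplink to distribution (assumed)
 ip dhcp snooping trust
!
! User ports: untrusted by default, so DHCP server replies from a rogue AP are dropped
interface range GigabitEthernet1/0/1 - 47
 description User access ports (assumed)
 switchport mode access
 switchport access vlan 10
 ! More than 15 DHCP packets/sec from one port err-disables it
 ip dhcp snooping limit rate 15
 ! At most two MAC addresses (PC plus IP phone); extra ones are dropped and logged
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 ! End-host ports should never receive BPDUs; a bridging AP that sends them is shut down
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Let the port recover after 5 minutes instead of needing a manual shut/no shut
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause psecure-violation
errdisable recovery cause bpduguard
errdisable recovery interval 300
```

`show ip dhcp snooping` confirms which ports are trusted and `show ip dhcp snooping binding` lists the leases the switch has learned; an AP plugged into an untrusted port has its DHCP offers discarded, so clients keep getting addresses from the real server rather than the 192.168.x range described above.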

Level 20

We don't tolerate any shadow IT!  Although true it still doesn't stop some people from trying stuff.

Level 15

A rogue AP and a telephone that had 'localhost' defined as its host name occasionally brought the network down at a place I used to work.

It's almost as if every organization needs monitors and metal detectors at every door checking that people have NOT brought verboten items in, and that they HAVE brought their brains into work.

An analogy we use over here is "Fixing the race car as we're driving it!"... if you can imagine that.

As for accommodating my employees I have put forth an effort to do so. I was the first manager in IT to institute a "work remote" policy for tasks, or training, that required focus without interruption. Two of my employees drive 40+ minutes, through traffic, and through a tollgate. By doing that two days a week I gave them both a significant raise (less gas, tolls, wear & tear), lowered their stress (two fewer days in I-95 rush hour traffic), and increased productivity.

My company doesn't pay the best but we have really pushed the work/life balance in the past 7 years. Our employees don't want to give this up.

Level 12

Hats off to you for recognizing the benefit of working remote for your staff. It is huge, and I believe any staff that has the opportunity to work remote would appreciate the multitude of benefits. As you mentioned, productivity is a big one that I had seen; working uninterrupted was huge when I was part of a large server environment in a corporation that required extensive "paperwork" to document one's actions. When I had the opportunity to work remote, I regularly increased my productivity, which the team lead at the time recognized. Unfortunately there remains a disconnect with some managers that feel that unless they can see you, you are goofing off. A lack of trust, sadly.

I know I appreciated not having to commute a couple of times a week, but mostly for me it was the ability to focus 100% on my tasks with the only interruption being having to let the dog out once in a while.

Life Balance is so important to Health, well-being, positive attitude and Productivity.

MVP

We've heard the phrase that security is everyone's business so much that it's just background noise. We need to be vigilant about finding ways of getting this message to our teams, staff and users in a new and fresh way.

Good article.

Level 21

ecklerwr1 I totally agree with the no tolerance approach.

I recently heard the quote "The culture of any organization is shaped by the worst behavior the leader is willing to tolerate.", I think this is a perfect example of why you can't tolerate such things.

Level 21

Management needs to come to terms with the fact that if it makes an employee's work/life difficult, they will find another way. And it may not be the way you want.

With this being said, I am curious how you would handle security requirements which are generally at odds with convenience and don't allow for compromise?

I'd provide education and training, and get employees to buy into that inconvenience through understanding why it's needed.

Then test over and over, both announced and unannounced, obviously and subtly, to ensure no one falls through the cracks.

I'm a believer in the idea that people will be good when they know that they can't be bad without getting caught. Then with enough weeks/months/years of being good, it's become a habit. Temptation is more easily overcome by establishing good habits based on good training and trust and rapport--AND on testing.

Level 12

When that is the case, that security requirements (policies and procedures) don't allow for compromise or are restricting workflow, then that is when the policy makers and the execs that approve them must be apprised of the situation: why this security policy is in place (risks, legal, or ??), how it impedes some workflow or operation, and what, if anything, could/should be done. Then those decision makers and stakeholders can have a clearer understanding or develop a new policy to address this issue.

Please see the following GIAC document... especially things like Don’t develop your policies in a vacuum

Level 13

No Shadows here!!!!!!

MVP

Too bad there isn't a way to see if a person actually brought their brain in to work with them on a given day.

Level 12

Actually we have a CT machine and an MRI machine we could do that with!

It would not be time efficient by any means whatsoever, and would be expensive, but we could do it.

MVP

Yeah, but just because there is stuff in the head doesn't mean it is plugged in, booted up, and ready for input with autopilot turned off.

Oh, I think we need the new Solarwinds "BAM" (Brain / Application Monitor) to be purchased and applied (via that subcutaneous wireless link between our bodies & the network).

It'll alert our team and our Managers that our brain is either missing, or not engaged.

Plus we can leverage its monitoring abilities 7x24 to see what kind of rest we're getting at night, maybe even how much we're dreaming. And NCM can use that same link to download logs of the dream even while Net Insight ensures our minds are safe & secure, and while Performance Analyzer layers multiple environmental and operating conditions into a graph that shows bed comfort, pillow firmness, ambient noise, room temperature, and what the cat is up to in the middle of the night.

Heck, since NPM can show it all, tie in all of your work & home IoT items for monitoring--what's happening at the Security Cam monitoring the garbage can by the garage? Is the bear or raccoon at it again?

MVP

Write it up and we'll get the #bumpsquad rolling on it!!

We missed you while you were gone, Jfrazier!

MVP

Nope, don't like this one. People already suspect that my brain is either missing or not engaged; we don't need them having proof.

Besides, I think computers already misbehave when we talk badly about them; can you imagine the rebellion if they knew what we really thought?

About the Author
Brandon Carroll, CCIE #23837, is the CEO of California-based Global Config Technology Solutions, Inc., a tech blogger, and a Cisco Press author. With over 15 years in IT, a few certifications, and a love for technical education, you'll find him at Cisco Live, on the Packet Pushers Podcast, Twitter, and Google+.