IT Audit - Shadow IT Systems
Presenter: Damaine Franklin, Information Security Management and Auditing
July 1, 2017
What is Shadow IT?
Shadow IT is a term for Information Technology (IT) applications and
infrastructure that are managed and used without the knowledge or approval of the
enterprise's IT department. Shadow IT can include:
Hardware
Software and web services
Cloud applications
Executive Summary
This IT audit assesses an organization for the
existence of shadow IT systems. Areas
assessed were:
Network/Information Security Controls
Unsanctioned Software and Applications
Asset Identification and Classification
Threats and Vulnerability Controls
IT Audit Scope
The purpose of this IT audit is to
perform a comprehensive risk
assessment of the organization's
IT/IS infrastructure, with a focus on
shadow IT systems and how they
measure up against the organization's
information security policies.
Network/Information Security Controls
Finding 1: Company email on personal smartphones
Risks
Litigation (criminal/civil)
Malicious apps
Lost or stolen device
Email phishing
Man-in-the-middle attack
Fig. 2. E-mail phishing attacks (image; no source given on the page)
Fig. 3. Phishing email example. Source: https://blogs.otago.ac.nz/infosec/files/2013/02/Slide4.png
Recommendations
Since no policy supports the use of work email on personal smartphones,
management should invest in corporate-owned devices in a closed user group
(CUG) so that work-related communication is private and encrypted.
Finding 2: Inappropriate use of company email
Risks
It was discovered that some employees use
their company email for personal purposes,
such as subscribing to e-commerce websites and
social media (Facebook). This puts the company
address on third-party mailing lists and opens the
door to email-borne malware, viruses and phishing.
Recommendations
Enforce the policy on the use of company email.
Limit social media use from company accounts.
Do not click on links (including unsubscribe links) in emails unless you
are confident they are legitimate.
If an email does not look legitimate, do not open it; call the IT Help Desk.
If a suspicious email has already been opened, immediately unplug the
network cable or shut down the computer, then contact the IT Help Desk.
Download and install security updates and patches on all PCs.
Ensure that antivirus software has the latest definitions.
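The "do not click unless you are confident the link is legitimate" advice above can be partly automated. The following Python script is an added example for this audit (not code from the presentation): it pulls every link out of an HTML email body and flags the classic phishing tells seen in the Fig. 3 style of message. The sample message, its hostnames and the 198.51.100.23 address are constructed, and the three checks are common heuristics, not a complete phishing filter.

```python
"""Deceptive-link check for an e-mail body.

Added example for this audit, not code from the presentation. SAMPLE_HTML is a
constructed phishing-style message (hosts and the 198.51.100.0/24 test address
are made up); the checks are heuristics, not a complete phishing filter.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: two deceptive links and one honest one.
SAMPLE_HTML = """
<p>Your mailbox will be suspended unless you act today.</p>
<a href="http://198.51.100.23/verify">Verify your account</a>
<a href="http://secure-update.example.net/login">www.bank-example.com/login</a>
<a href="https://www.bank-example.com/help">Help Centre</a>
"""

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
CREDENTIAL_WORDS = ("login", "verify", "account", "password")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain: the last two labels (assumption; no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def shown_host(text):
    """Host named in the visible link text, if that text itself looks like a URL."""
    if "." not in text or " " in text:
        return None
    return urlparse(text if "://" in text else "http://" + text).hostname


def suspicious_links(html):
    """Return [(href, visible_text, [reasons])] for every link that fails a check."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        reasons = []
        if IP_RE.match(host):
            reasons.append("link target is a raw IP address")
        shown = shown_host(text)
        if shown and registrable(shown) != registrable(host):
            reasons.append(f"text shows {shown} but target is {host}")
        if parsed.scheme == "http" and any(w in href.lower() for w in CREDENTIAL_WORDS):
            reasons.append("credential-looking page served over plain HTTP")
        if reasons:
            findings.append((href, text, reasons))
    return findings


def check_sample():
    """Run the checks over the constructed message."""
    return suspicious_links(SAMPLE_HTML)


if __name__ == "__main__":
    for href, text, reasons in check_sample():
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   ", reason)
```

On the sample, the first two links are reported (raw IP target and a credential page over plain HTTP; visible text naming one domain while the target is another) and the HTTPS help link passes. The text-versus-target comparison uses a two-label approximation of the registrable domain, so real deployments should swap in a public-suffix list to avoid false positives on domains such as co.uk.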
Finding 3: Misuse of confidential passwords (password sharing)
Risks
The purpose of a user password is to authenticate a person and grant
that person access to the company intranet and information. It is also
the basis of non-repudiation: once a password is shared, actions logged
under that account can no longer be tied to one individual, so an
employee can contest or deny any malicious use on their computer. For
example, if the account that opened a malicious email, which infected the
computer with ransomware, was shared, nobody can be held accountable
for having opened it.
Recommendations
Once an employee's password has been shared or otherwise compromised, the
system administrator should be notified and the password changed.
Management should enforce the policies governing the proper use of passwords.
Train employees to choose complex passwords and to keep them secret.
Rogue Devices on Company Network
Findings
Rogue devices have been found in the enterprise environment.
"Rogue" refers to any device, access point, or client that, without
authorization, attempts to connect to, attack or interfere with
the organization's network.
Rogue device 1: unmanaged switch
Rogue device 2: wireless access point
Rogue device 3: personal laptop
Rogue device 4: LAN access point
Risks
Because rogue devices are unmanaged, IT has no control over them (no
patching, no antivirus, no logging) and the user has full privileges
to do just about anything with them. The main concern is the propagation
of viruses onto the corporate network. A related concern is malware
infection, which can spread to other network devices or infiltrate the
entire corporate network.
Risks cont'd
A rogue device is a weak point in the network: an attacker could hijack
the device and use it to perform
Peer hijacking
Packet spoofing
Unauthorized access
Reconnaissance
MAC address table overflow
Brute-force attacks
Denial of service
Recommendations
Update security policies regarding
BYOD and the use of personal devices
on the company's private network
Shut down all unused switch ports
Locate and eradicate all rogue devices
Configure strong encryption on
wireless access points
Consider switch and router security
features and standards (for example
802.1X port-based authentication) to quickly
neutralize and control rogue devices
Separate normal user and privileged user
accounts
Configure port security on each switch
MAC address table overflow
In a MAC address table overflow attack the attacker floods the switch with
frames carrying forged source MAC addresses until the switch's table is full;
the switch then floods frames for unknown destinations out of every port, like a
hub, so the attacker can capture traffic meant for other hosts. Port security
(a per-port limit on learned MAC addresses) stops this.
Fig. 10. MAC address table overflow. Source: http://player.slideplayer.com/12/3561082/data/images/img15.jpg
Fig. 11. MAC address table overflow (continued). Source: http://player.slideplayer.com/12/3561082/data/images/img16.jpg
Unsanctioned Software and Apps
Findings:
Although the IT policy outlines strict guidelines regarding
intellectual property and licensing, some employees manage to
bypass the rules and use rogue software and
applications. My audit reveals the following known unsanctioned
applications running on the organization's network.
Unsanctioned                Sanctioned
Adobe Photoshop CS3         Adobe Photoshop CS6
Dropbox                     MS Outlook / network shared drives
Spiceworks Inventory        Sage FAS 500 asset inventory
Evernote                    Microsoft Outlook
Google Drive                MS Outlook / network shared drives
AVG Internet Security       McAfee Enterprise Security
AutoCAD 2009                Autodesk Design Suites 2016
StormCad                    None
Tekla Structures            Autodesk Design Suites 2016
Tekla Tedds                 Tekla Structures
Bluebeam Revu
Risks: Use of file sharing solutions (Dropbox)
Data stored in consumer file sharing services sits outside the organization's
access controls and can be exposed to unauthorized users.
These services do not provide enterprise-class security or control.
Sensitive data stored in Dropbox is not secured by the organization and, just as
importantly, not controlled by IT.
Unsanctioned applications may contain embedded malicious code.
A breach of intellectual property rights may lead to legal ramifications.
Recommendations
Enforce the policies regarding the use of intellectual property and
licensing.
Monitor file-transfer traffic on the firewall and block the FTP port (TCP 21).
Note that Dropbox and Google Drive sync over HTTPS (TCP 443), so blocking
FTP alone does not stop them; block their domains at the web proxy or use the
firewall's application control.
Perform software integrity checks: compare the software installed on each
machine against the sanctioned list and the licence records.
Asset Identification and Classification
Findings
Asset Management Application
Fig. 12. Sage FAS 500 asset inventory
Fig. 13. Laptop
Fig. 14. Asset tag barcode reader
Fig. 15. Multifunction device
Risk: Identification of Ghost Assets
A "ghost" asset is a property that is lost, stolen,
or unusable but is still listed as an active fixed asset in the
system.
The crucial risk is that a device the register no longer tracks
correctly becomes unmanaged: it is no longer patched or controlled through
the domain controller, and when it reappears on the network it is
indistinguishable from a rogue device, which is then treated as a
security threat.
Recommendations
Eliminate ghost assets
Conduct physical asset inventories
Tag assets appropriately
Use durable and lasting labels
Perform frequent cyclical updates on
inventory logs
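The rogue-device recommendations ("locate and eradicate all rogue devices", "configure port security on each switch") and the ghost-asset recommendations above are two sides of the same reconciliation: what is on the wire versus what is in the asset register. The following Python script is an added example for this audit, not code from the presentation, from Sage FAS 500 or from any switch vendor. It parses a switch MAC address table and an asset-register CSV, reports MACs on the network that the register does not know (rogue candidates), ports carrying several MACs (an unmanaged switch or access point) or very many MACs (table-overflow flooding), and registered assets not seen on the network and not physically checked for a long time (ghost candidates). The MAC table, the inventory CSV, the thresholds, the 90-day ghost window and the Cisco IOS port-security remediation lines are all constructed or assumed here.

```python
"""Reconcile a switch MAC address table against the fixed-asset register.

Added example for this audit, not from the presentation, Sage FAS 500 or a
switch vendor. MAC_TABLE mimics Cisco IOS `show mac address-table`, INVENTORY_CSV
mimics an asset-register export; both are constructed. Thresholds and the
port-security lines are assumptions.
"""
import csv
import io
import re
from collections import defaultdict
from datetime import date

# Constructed MAC table: Gi0/3 carries three hosts (an unmanaged switch or
# access point), Gi0/8 carries 60 forged addresses (table-overflow flooding).
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0050.56be.1a2b    DYNAMIC     Gi0/1
  10    0050.56be.2c3d    DYNAMIC     Gi0/2
  10    00e0.4c68.0001    DYNAMIC     Gi0/3
  10    00e0.4c68.0002    DYNAMIC     Gi0/3
  10    00e0.4c68.0003    DYNAMIC     Gi0/3
  20    f0de.f1aa.bb01    DYNAMIC     Gi0/7
""" + "\n".join(f"  20    dead.beef.{i:04x}    DYNAMIC     Gi0/8" for i in range(60))

# Constructed asset-register export: tag, host, MAC, date of last physical check.
INVENTORY_CSV = """\
asset_tag,hostname,mac,last_seen
A-1001,eng-ws-01,00:50:56:BE:1A:2B,2017-06-28
A-1002,eng-ws-02,00:50:56:be:2c:3d,2017-06-30
A-1003,old-plotter,00:1b:2f:aa:bb:cc,2016-11-02
A-1004,acct-laptop,00:1e:8c:12:34:56,2017-06-25
"""

MAC_LINE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.I)


def normalize_mac(mac):
    """Canonical aa:bb:cc:dd:ee:ff form for Cisco dotted or colon-separated input."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """[(vlan, mac, port)] from `show mac address-table` output; headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = MAC_LINE.match(line)
        if m:
            entries.append((int(m.group(1)), normalize_mac(m.group(2)), m.group(3)))
    return entries


def parse_inventory(csv_text):
    """{normalized mac: register row}."""
    return {normalize_mac(row["mac"]): row for row in csv.DictReader(io.StringIO(csv_text))}


def audit(entries, inventory, today, multi_host=2, flood=50, ghost_days=90):
    """Rogue MACs, suspect ports and ghost-asset candidates (thresholds assumed)."""
    per_port = defaultdict(set)
    for _, mac, port in entries:
        per_port[port].add(mac)
    seen = {mac for _, mac, _ in entries}
    rogue = sorted(seen - set(inventory))        # on the wire, not in the register
    suspect_ports = {}
    for port, macs in per_port.items():
        if len(macs) >= flood:
            suspect_ports[port] = "mac-table-flood"
        elif len(macs) >= multi_host:
            suspect_ports[port] = "multiple-hosts"  # unmanaged switch or rogue AP
    ghost = []
    for mac, row in inventory.items():
        if mac in seen:
            continue
        age = (today - date.fromisoformat(row["last_seen"])).days
        if age > ghost_days:                     # registered, but unseen for a long time
            ghost.append(row["asset_tag"])
    return {"rogue": rogue, "suspect_ports": suspect_ports, "ghost": sorted(ghost)}


def port_security_config(port, max_macs=1):
    """Cisco IOS remediation for a suspect access port (assumed syntax)."""
    return "\n".join([
        f"interface {port}",
        " switchport mode access",
        " switchport port-security",
        f" switchport port-security maximum {max_macs}",
        " switchport port-security violation restrict",
    ])


def run_audit(today=date(2017, 7, 1)):
    """Audit the constructed samples as of the presentation date."""
    return audit(parse_mac_table(MAC_TABLE), parse_inventory(INVENTORY_CSV), today)


if __name__ == "__main__":
    result = run_audit()
    print("rogue MACs:", len(result["rogue"]), "ghost assets:", result["ghost"])
    for port, why in result["suspect_ports"].items():
        print(f"\n! {port}: {why}\n{port_security_config(port)}")
```

On the constructed data the script reports 64 unknown MACs, marks Gi0/3 as carrying multiple hosts and Gi0/8 as flooded, and lists only A-1003 (the plotter unseen since November) as a ghost candidate; the accounting laptop is absent today but was checked six days ago, so it is not flagged. The "multiple-hosts" verdict is only meaningful on access ports: uplink and trunk ports legitimately carry many MACs and should be excluded before applying the port-security remediation.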