IT Audit - Shadow IT Systems

Page 1: IT Audit - Shadow IT Systems

Presenter: Damaine Franklin
Information Security Management and Auditing

IT AUDIT – SHADOW IT SYSTEMS

July 1, 2017

Page 2: IT Audit - Shadow IT Systems

What is Shadow IT

Shadow IT is a term that refers to Information Technology (IT) applications and infrastructure that are managed and utilized without the knowledge of the enterprise's IT department. Shadow IT can include:

- Hardware
- Software and web services
- Cloud applications

Page 3: IT Audit - Shadow IT Systems

Executive Summary

This IT audit assesses an organization for the existence of any shadow IT systems. Areas assessed were:

- Network/Information Security Controls
- Unsanctioned Software and Applications
- Asset Identification and Classification
- Threats and Vulnerability Controls

IT Audit Scope

The purpose of this IT audit is to perform a comprehensive risk assessment of the organization's IT/IS infrastructure, with a focus on any shadow IT systems, with regard to the organization's information security policies.

Page 4: IT Audit - Shadow IT Systems

Network/Information Security Controls

Finding 1: Company emails on personal smartphones

Risks

- Litigation (criminal/civil)
- Malicious apps
- Lost or stolen devices
- Email phishing
- Man-in-the-middle attack

Page 5: IT Audit - Shadow IT Systems

Network/Information Security Controls Cont'd

E-mail Phishing Attacks

Fig. 2 (sourced image)

Page 6: IT Audit - Shadow IT Systems

Network/Information Security Controls

Phishing Email Example

Fig. 3. Source: https://blogs.otago.ac.nz/infosec/files/2013/02/Slide4.png

Page 7: IT Audit - Shadow IT Systems

Network/Information Security Controls Cont'd

Recommendations

Since there are no policies that support the use of work email on personal smartphones, management should invest in a corporate-owned closed user group (CUG) for private, encrypted, work-related communication.

Page 8: IT Audit - Shadow IT Systems

Network/Information Security Controls

Finding 2: Inappropriate use of company email

Risks

It was discovered that some employees use their company email for public purposes such as subscribing to e-commerce websites and social media (Facebook). The inappropriate use of company email opens the door to email-based malware and virus attacks.

Page 9: IT Audit - Shadow IT Systems

Network/Information Security Controls

Recommendations

- If a suspicious email is opened, immediately unplug your network cable or shut down your computer, and contact the IT Help Desk.
- Do not click on links (including unsubscribe links) in emails unless you are confident they are legitimate.
- Enforce the policy on the use of company email.
- Limit social media use.
- Download and install security updates and patches for all PCs.
- Ensure that antivirus software has the latest definitions.
- If an employee receives an email that doesn't look legitimate, call the IT Help Desk.

Page 10: IT Audit - Shadow IT Systems

Network/Information Security Controls

Finding 3: Misuse of Confidential Passwords

Page 11: IT Audit - Shadow IT Systems

Network/Information Security Controls

Risks

The purpose of a user password is to authenticate the user and allow access to the company intranet and information. With regard to non-repudiation, shared passwords can allow an employee to contest or deny any malicious use on their computer. For example, in email, non-repudiation is used to guarantee that the recipient cannot deny receiving a malicious email which infects the computer with ransomware.

Page 12: IT Audit - Shadow IT Systems

Network/Information Security Controls

Recommendations

- Once an employee's password has been compromised, the system administrator should be notified to have it changed.
- Management should enforce the policies which govern the proper use of passwords.
- Train employees on how to use complex passwords and how to keep them secure.

Page 13: IT Audit - Shadow IT Systems

Rogue Devices on Company Network

Findings

Rogue devices have been found in the enterprise environment. "Rogue" refers to any device, access point, or client that, without authorized access, attempts to connect to, attack or interfere with the organization's network.

Page 14: IT Audit - Shadow IT Systems

Rogue Devices on Company Network

- Rogue 1. Unmanaged switch
- Rogue 2. Wireless access point
- Rogue 3. Personal laptop
- Rogue 4. LAN access point

Page 15: IT Audit - Shadow IT Systems

Rogue Devices on Company Network

Risks

The fact that rogue devices are unmanaged means that the user has full privileges to do just about anything. The main concern with rogue devices is the propagation of viruses on the corporate network. Another concern is malware infection, which normally affects all network devices or infiltrates an entire corporate network.

Page 16: IT Audit - Shadow IT Systems

Rogue Devices on Company Network

Risks cont'd

Rogue devices provide a vulnerability in the network whereby an attacker could hijack the device and use it to perform:

- Peer hijacking
- Packet spoofing
- Unauthorized access attacks
- Reconnaissance
- MAC address table overflow
- Brute force attacks
- Denial of service attacks

Page 17: IT Audit - Shadow IT Systems

Rogue Devices on Company Network

Recommendations

- Update security policies regarding BYOD and the use of personal devices on the company's private network
- Shut down all unused switch ports
- Locate and eradicate all rogue devices
- Configure strong encryption on wireless access points
- Consider strong router/switch protocols and standards to quickly neutralize and control rogue devices
- Separate normal user and privileged user accounts
- Configure port security on each switch

Page 18: IT Audit - Shadow IT Systems

Rogue Devices on Company Network

MAC address table overflow

Fig 10. Source: http://player.slideplayer.com/12/3561082/data/images/img15.jpg

Page 19: IT Audit - Shadow IT Systems

Rogue Devices on Company Network

MAC address table overflow

Fig 11. Source: http://player.slideplayer.com/12/3561082/data/images/img16.jpg
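As an added illustration of the port-security and MAC address table overflow points above (example code written for this page, not part of the original audit): the script parses a constructed MAC address table in the layout of Cisco IOS "show mac address-table" output, flags access ports that have learned more addresses than a single workstation would explain, and emits the port-security lines that cap learning on such a port. The sample table, the threshold of two addresses per port and the IOS command syntax are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of Cisco IOS "show mac address-table"
# output (assumption: format only; not taken from the audited network).
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4456    DYNAMIC     Gi1/0/2
  10    0011.2233.4457    DYNAMIC     Gi1/0/2
  10    0011.2233.4458    DYNAMIC     Gi1/0/2
  10    0011.2233.4459    DYNAMIC     Gi1/0/2
  20    0011.2233.4460    DYNAMIC     Gi1/0/3
  20    0011.2233.4461    DYNAMIC     Gi1/0/3
"""

# One table row: vlan, dotted-hex MAC, learning type, port name.
ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)

def parse_mac_table(text):
    """Return (vlan, mac, type, port) tuples; header/separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            rows.append((int(vlan), mac.lower(), kind.upper(), port))
    return rows

def macs_per_port(rows):
    """Number of distinct MAC addresses learned on each port."""
    seen = defaultdict(set)
    for _, mac, _, port in rows:
        seen[port].add(mac)
    return {port: len(macs) for port, macs in seen.items()}

def flooded_ports(rows, max_macs=2):
    """Ports learning more MACs than a workstation plus an IP phone would
    explain: where an unmanaged switch, rogue AP or MAC flooding is plausible."""
    return sorted(p for p, n in macs_per_port(rows).items() if n > max_macs)

def port_security_config(port, max_macs=2):
    """Cisco IOS port-security lines that cap learning on an access port and
    log/drop excess addresses (assumption: IOS syntax; adapt to your vendor)."""
    return [f"interface {port}",
            " switchport mode access",
            " switchport port-security",
            f" switchport port-security maximum {max_macs}",
            " switchport port-security violation restrict",
            " switchport port-security mac-address sticky"]
```

Run it against a real "show mac address-table" capture to get the list of ports to review; a port with dozens of dynamic entries is either an uplink, an unmanaged switch or an overflow in progress.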

Page 20: IT Audit - Shadow IT Systems

Unsanctioned Software and Apps

Findings:

Although the IT policy outlines strict guidelines regarding intellectual property and licensing, some employees manage to bypass the rules and participate in the use of rogue software and applications. My audit reveals the following known unsanctioned applications running on the organization's network.

Page 21: IT Audit - Shadow IT Systems

Unsanctioned Software and Apps

Findings cont'd:

Unsanctioned            | Sanctioned
------------------------|----------------------------------
Adobe Photoshop CS3     | Adobe Photoshop CS6
Dropbox                 | MS Outlook/network shared drives
Spiceworks Inventory    | Sage FAS 500 asset inventory
Evernote                | Microsoft Outlook
Google Drive            | MS Outlook/network shared drives
AVG Internet Security   | McAfee Enterprise Security
AutoCAD 2009            | Autodesk Design Suites 2016
StormCad                | None
Tekla Structures        | Autodesk Design Suites 2016
Tekla Tedds             | Tekla Structures
Bluebeam Revu           |

Page 22: IT Audit - Shadow IT Systems

Unsanctioned Software and Apps

Risks: Use of file sharing solutions (Dropbox)

- Data stored in file sharing solutions becomes exposed to unauthorized users.
- File sharing services do not provide enterprise-class security or control.
- Sensitive data stored in Dropbox is not secure and, just as importantly, not controlled by IT.
- Unsanctioned applications may have embedded malicious code.
- A breach of intellectual property rights may lead to legal ramifications.

Page 23: IT Audit - Shadow IT Systems

Unsanctioned Software and Apps

Recommendations

- Enforce policies regarding the usage of intellectual property and licensing.
- Monitor FTP traffic on the firewall.
- Block the FTP port.
- Perform integrity checks.

Page 24: IT Audit - Shadow IT Systems

Asset Identification and Classification

Findings

Asset Management Application

Fig 12. Sage FAS 500 Asset inventory

Page 25: IT Audit - Shadow IT Systems

Asset Identification and Classification

Fig 13. Laptop

Fig 14. Asset tag barcode reader

Fig 15. Multifunction

Page 26: IT Audit - Shadow IT Systems

Asset Identification and Classification

Risk: Identification of Ghost Assets

A "ghost" asset is defined as a property that is lost, stolen, or unusable, but is still listed as an active fixed asset in the system.

A crucial risk caused by ghost assets is that undocumented devices may become unmanaged by the domain controller. Once the domain recognizes a device as unknown, it becomes a rogue device, which is then recognized as a security threat.

Page 27: IT Audit - Shadow IT Systems

Asset Identification and Classification

Recommendations

- Eliminate ghost assets
- Conduct physical asset inventories
- Tag assets appropriately
- Use durable and lasting labels
- Perform frequent cyclical updates on inventory logs
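The ghost-asset risk and the inventory recommendations above come down to one reconciliation: compare what the asset register says is active with what the network actually sees. The script below does that over a constructed register export and a constructed list of devices observed on the network (example code written for this page, not the audit's own tooling); the column names, the 90-day staleness window and all sample values are assumptions, not the real Sage FAS 500 schema.

```python
import csv
import io
from datetime import date, timedelta

# Constructed fixed-asset register export. Assumption: the column names are
# hypothetical and are not the real Sage FAS 500 schema.
INVENTORY_CSV = """\
asset_tag,hostname,mac,status
A-1001,eng-ws-01,00:11:22:33:44:01,active
A-1002,eng-ws-02,00:11:22:33:44:02,active
A-1003,old-laptop-7,00:11:22:33:44:03,active
A-1004,retired-pc,00:11:22:33:44:04,disposed
"""

# Constructed network observations, e.g. from DHCP leases or ARP tables.
OBSERVED_CSV = """\
mac,ip,hostname,last_seen
00:11:22:33:44:01,10.0.10.21,eng-ws-01,2017-06-30
00:11:22:33:44:02,10.0.10.22,eng-ws-02,2017-06-29
aa:bb:cc:dd:ee:01,10.0.10.77,android-3f9c,2017-06-30
00:11:22:33:44:04,10.0.10.90,retired-pc,2017-06-28
"""

def load(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def reconcile(inventory_csv, observed_csv, today, stale_days=90):
    """Compare the asset register with what the network actually sees.

    ghost    - listed as active but not seen within stale_days (or never)
    unknown  - seen on the network but absent from the register (rogue candidates)
    disposed - marked disposed/retired yet still talking on the network
    """
    inventory = {r["mac"].lower(): r for r in load(inventory_csv)}
    observed = {r["mac"].lower(): r for r in load(observed_csv)}
    cutoff = date.fromisoformat(today) - timedelta(days=stale_days)
    report = {"ghost": [], "unknown": [], "disposed": []}
    for mac, asset in inventory.items():
        seen = observed.get(mac)
        last = date.fromisoformat(seen["last_seen"]) if seen else None
        if asset["status"] == "active" and (last is None or last < cutoff):
            report["ghost"].append(asset["asset_tag"])
        if asset["status"] != "active" and seen is not None:
            report["disposed"].append(asset["asset_tag"])
    for mac, dev in observed.items():
        if mac not in inventory:
            report["unknown"].append(f"{mac} ({dev['hostname']}, {dev['ip']})")
    return report
```

Each "ghost" entry is a candidate for removal from the register, each "unknown" entry is a rogue-device candidate for the network team, and each "disposed" entry is an asset that was written off but never actually left the network.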

Page 29: IT Audit - Shadow IT Systems

END