
What Lurks in the Shadow

BSides Toronto · 2015 · 41:15 · 453 views · Published 2015-11 · Style: Talk
About this talk
Welcome to the Mordor of security, where the eye of BYOD reigns supreme, and the proliferation of easy-to-use devices is creating an unprecedented level of end user entitlement. A little knowledge has become a very dangerous thing by letting people “help themselves” to data and network access. Because who needs guidelines when you have Google? This is the world of Shadow Data/Shadow IT, where rules are known but not observed; where risks are taken regardless of known consequences; and where “keep it secret” definitely does not keep IT safe. What happens when users take it upon themselves to decide what tech they want to use and how they want to implement it? As the IoT proliferates, human nature will take its course. But all our technology cannot out-engineer human failings and susceptibility. Because that device, and the freedom to use it as the user sees fit, override anything we currently put in place. So how do we regain control? What will become our "one ring to rule them all"?
Transcript [en]

[Music]

Biswas to the stage and her talk, What Lurks in the Shadow? Please give it up for Cheryl.

Can you hear me? Is that okay? Can you hear me? All right. It's great to be here. What an amazing turnout. Thanks to everybody on the BSides Toronto staff for putting this together, and to everybody here. So yeah, what lurks in the shadow? I'm sure we're all familiar with the terms shadow IT and shadow data. A little bit about me first. I work with a local company, JIG Technologies. They do some managed tech, and I've brought the meaning of security into their lives. When I'm not doing that, I'm watching endless Star Trek reruns, baking things that contain copious amounts of sugar, and chasing children, cats, and people who don't follow security rules. Okay. Oh, and the opinions

expressed here are solely mine. Yes. All right. So there was a time when the security lords ruled. Mere mortals only got whatever devices and access the lords deemed necessary. Companies had standards; you remember those. If you wanted a better, faster printer, you had to get it off the approved equipment list. If you wanted the newest version of Word, that had to be authorized, and only when the company said so. And that meant you didn't get the answer you wanted when you wanted it, because decisions took time. But people wanted faster, better, more tech, and it was easier to regulate things back then because there were fewer things. The available tech was

enough to get the job done. But tech is always evolving, and that increases the demand. So what do you do when you want better, faster, more? One word. Anybody? Oh, hold on. Mobile. Yeah, that changed everything, because it meant you could go on the internet and get anything you wanted pretty much when you wanted it. It was such a cool happening place. Access all the data all the time, but only with the newest and the fastest stuff. And were those on the approved standards list? No. So regulating tech was getting in the way of getting stuff done. Security became an inconvenience. So what did people do? Well, welcome to Gen Mobile. According to Aruba Networks, Gen Mobile is our

current new workforce. They're flexible, transparent, collaborative, which actually means these are the folks that don't follow the rules. Yes, Houston, we do have a problem, and it's with the IT. It's called self-service IT. And guess what percentage of people are doing it for themselves? Try 77%. I say hello, shadow. And so what do people do? Say it with me, folks: B-Y-O-D. Yes. Everyone brings anything into work and they just plug it in. Be afraid. Be very afraid, because we can't see all of the stuff all of the time. And businesses just aren't ready for this. They didn't see it coming, so they don't have the provisions in place. In fact, 37% don't

have a mobile enforcement policy in place. And that's a problem, because now we have the Internet of Things. Oh, yes. Even more glorious stuff that plugs in, because everybody has to email the toaster, right? Who the heck uses all this stuff? [Laughter] Well, it's us. We're guilty, people. And we are the constant variable in a security equation that we just can't seem to solve. We are the unknown quantity. Well, maybe not us. We're smarter. We know it all. But it's those people that we are so committed to helping. And for infosec that does create a very real fear of the unknown, because what are they doing with all those different devices, and what the heck are

they doing with all that data? How do we control what we don't know? Welcome to the Mordor of security, where the eye of BYOD reigns supreme. We've got easy-to-use devices everywhere, and that's creating an unprecedented level of end-user entitlement. So a little knowledge has become a very dangerous thing, because people can help themselves to the data and the network access. And what happens when these employees and users take it upon themselves to decide what IT and what systems they want? Shadow IT, shadow

data. And in the world of shadow data and shadow IT, rules are known, but they're not observed. Risks are taken regardless of the known consequences. And "keep it secret" definitely does not keep it safe. We've got a problem, but it's more than just the devices. So here's the deal. As the Internet of Things proliferates and human nature takes its course, we can't out-engineer human failings and susceptibilities. We know that, but we keep trying to. We don't know what else to do. And so that device, and the freedom to use it as the user sees fit, override anything that we put in place. And we've got the tech-savvy staff that people go to, who've become the rogue IT

department. As this culture grows, well, so does the sense of entitlement, and it spreads like a shadow across organizations. Does this sound familiar? People encountering situations like this where you work? For businesses, it is a cost-saving measure and a major convenience. But businesses really need to heed this warning: when you agree to put BYOD policies in place, you also put employees within the security chain. And we all know it only takes a few bad apples to ruin a bushel. Now, we know how popular Apple and Mac are. They're everywhere. In fact, in US statistics, almost half of the workforce is using an Apple product. So they use their devices for corporate email, to access the networks,

to touch that data. Centrify has enterprise security and management software for Apple, and they had some rather disturbing statistics. I'm kind of glad my friend Jessy Irwin, also Jessysaurus Rex, isn't here, because she is a password zealot. So let's look at this. 51% are only single password or numerical PINs. 58% don't have any policies or software to enforce better passwords. 56% are sharing passwords. Now, there is a company-provided password manager, but only 17% are actually using that. And of the devices out there, 60% are accessing confidential corporate data. 65% of those are going after the really sweet stuff, which is the data with health and sensitive customer information. Those get breached, we're

saying lawsuits. It's ugly, right?

Yeah. So risk is what happens when IT professionals don't have the necessary resources to make sure that devices comply with security policies. And I'd like to send a quick shout-out to Fernando, who hinted at this earlier in his economics talk, because face it, friends don't let friends get connected unprotected. So let's talk about exposure risk and the consequences of unprotected BYOD, because BadUSB really is a thing, and it can lead to a nasty case of DTDs. Yes, digitally transmitted diseases. What happens when individuals operate as individuals and they make independent decisions about data storage and transmission? We know what happens when security patches are not updated. Oh yeah. And Adobe. Every week it's an Adobe

thing or an Explorer thing or a WordPress thing. I have a little calendar just, you know, tracking them every day. Fact of the matter is, these just don't get touched. And you can remind people; we can remind ourselves. And the guys who write the exploits know that they're not getting patched. And they're miles ahead of us. They're just sitting there. They're planting their exploits because they know it's ripe and ready and available for them. So yeah, this is the evil litany that's out there. And one of the things that I want to bring up is Shellshock, Bash, last year, when we were all caught in the middle of it. And for months afterwards, I was

watching exploits being developed for the still-waiting-to-be-patched versions of Bash out there. A cautionary tale, but I don't think it's really hit home

yet. Yes. So we know what happens. Let's talk legalities. Business may love that employees pay for their own devices. And BYOD, it's all about convenience, right? But it comes at a cost, and everybody really needs to be prepared, because you can't protect what you don't know. And with shadow IT and shadow data, you are exposed. I spoke to a friend of mine, his name's Chris Case, and he works with Dan Lowry Insurance locally, and he's a specialist in cyber insurance. He pointed out that most businesses have no idea what they're actually covered for in the event of a cyber incident, and that would be like a breach, because the normal riders you

have in place do not specifically address a cyber incident. That has to be specifically addressed, and you have to have errors and omissions in place, and this has to be in place before anything happens. That's a whole lot of exposure. But it's not just the stuff, it's the attitude. And yes, we're talking a critical case of entitlement, because as a culture grows, so does the entitlement. We're battling a culture of indifference. So folks are sidestepping company policy in favor of expediency, anywhere and every day, because it's just easier to download the software program than it is to go through the hurdles to get

approvals. I'm going to show you something else. Just tell me if some of these are your headaches: sharing, just an attitude of indifference like I talked about. You can bring it up, but it doesn't resonate, and that feeling of self-empowerment: "I'll go do it. You don't have to say yes. It's okay." So we have all these devices and a pervasive BYOD culture demanding access to the networks and the data. Oh, all that lovely big data, and we just comply, and we keep opening the doors that should just stay closed. I found this from AlienVault and I thought it was rather telling. If you'll notice, the biggest circle on there is shadow IT. And that's about

those intent and frustrated users we're talking about, who are literally jumping over the barriers that we've tried to put up for their own safety. Does this sound like parenting and kids? Because it feels that way. So we've got internal contractors setting up their own wireless LAN access points, people bringing in all host of devices, and no real BYOD policy in there to govern what's going on. Yep, we've got a problem, and it's more than the devices. So in our corporate realms, we've also got users and super users, for good reason, because we need to establish privilege hierarchies for security and give people the right level of access. But here's the problem. With great power comes great

responsibility. And not all the identities should be created equally. But when it comes to access and privileged management control, we're not doing what we need to be doing. These stats give us a rather telling tale. And you'd be interested to know just how many IT decision makers share their credentials. Yeah. Share them with other people. That level of access and privilege needs to be governed accordingly. 60%. And they also share it with contractors. How do we reach them? How do we make them understand that they are actually opening a doorway into their own breach? We know all about this one, but the problem is this is extending down into the lower ranks and the regular

users. Privilege loses its meaning when your account status is so freely given out.

Sure. Well, I know we're all under demand to meet demand and to simplify the process. We wind up saying things like, "Sure, we'll let users resolve their own problems by giving them administrator status." That shouldn't be happening, but it does. Or we let marketing have access to all the data because they're just writing reports and those are harmless. Or we let other people, admin staff, update the corporate social media accounts, because hey, what harm is there in that? Well, after a cyber caliphate got hacked this winter, I think the answer is there. All the hacker needs is one word, that keyword, to get in, and they're golden. And then they find their way

through the labyrinth of security like rats through tunnels. And this is how easy and how bad the problem

gets. Oh yes, those are the privileged accounts, worth their weight in gold. So let's have a little talk about big data, because there's a whole host of security issues when it comes to data and what happens when individuals work as individuals and make their own independent decisions around what to do with the data: security, storage and transmission. Maybe not security, but storage and transmission. Here's the situation. So we've got a user with a device that they own, and it's not corporate, and it's connected into the company network, and chances are very, very good that stuff is getting compromised by malware, either because of the sites that they're visiting, because we understand about watering holes. We know that you

can go and get a free gift with purchase at a lot of places online that you didn't want, and you bring it back and you infect everybody else. Or they click on the bloody cat GIF again, and they open up something they're not supposed to in their email again, and they share it with everybody else. That's how your whole network becomes susceptible to a breach. So we've got a situation that's evolved from what we are used to having to protect. It's true. It really has changed, and it's changed quickly, and there's a lot more there than we fully understand. So how can we better understand the risk profile of both the device and the user? John McAfee gave a talk and he

brought this point up. He said, "It's not good enough to merely resist the rise of BYOD if people can still access corporate emails when they get home." It's true. That's exactly what's going on, right? And he says, "We've gone a long time without having to think or take any action. And so now we have to take some of it back and use our responsibility to make that happen." Oh, sorry, John. It's not going to be that easy. Yes, it is as bad as it sounds. Because when an employee shares company data from a mobile device with an unauthorized application or third party, they are just that one click away from putting everything in

jeopardy. Data leaks can be caused by application vulnerabilities through malware, and 40% of companies are not properly securing the mobile applications that they build for customers. That's a big exposure. So I hope you've got a drink handy, because here's another sobering thought. Nine in 10 websites, the big ones, the ones that everybody goes to, leak data. I'm sure we all thought of it or knew of it, but how did we apply that knowledge directly to the security that we have to do each day, to the data that we're handling and the users that we're interacting with? And it's being siphoned off and shared amongst each other. So we know Google, but Facebook, LinkedIn... Twitter's actually good for not doing

this. They've stepped up their security and privacy respect. Well, we know this. Yeah, that's bad enough for your personal deeds. Now imagine an employee who's accessing unauthorized sites. And here's the other thing. You can't count on the Do Not Track setting in the browser. I know it sounds nice, but it's kind of like the button that you press at the traffic light. It really just makes you feel better. And then there's Safe Harbor. And I bring this up because it's going to impact everybody, and it's probably going to be pretty precedent-setting. So it really was a sweet arrangement between the US and the EU as to how data flowed across the borders of all those

tiny little countries without getting into a massive amount of rules and regulations, because as far as the courts are concerned, that data is very visible to them, and so are those borders; as soon as the data crosses over, it becomes an ugly bunch of rules and regulations. And if they get unhappy, then something called data localization happens. And from the numbers I've seen, when data localization goes into effect, it is a very big price to pay. If you have kids, you know the toddler's credo: what's mine is mine, and what's yours is mine, too. Well, Safe Harbor was kind of like that for the US and the EU. So the US was supposed to be making sure

it complied with the few regulations that were in place. Unfortunately, it really didn't happen, and they fell short of what they were supposed to do. Somebody found out, they blew the whistle, and then they found out that the US was doing a little more of "what's yours is mine" than the EU was comfortable with. And now I'm going to share with you something completely different. Anybody here not on Twitter? Okay. It's a lot of fun. I totally invite you to it. I'm at Encrypted, by the way. I do have a real name, but... So this is in real time, in real life. And when a business is going through a situation like this, it's a

bona fide PITA. Now, my friend Taz calls it like it is. And what businesses and users need to understand is if somebody's device gets compromised, everybody can get compromised. And this is real time, like four or five hours. Do you as a business really want to see your money going down that drainpipe, an investment in these people, when there are loads of other better things that both could be spent on? And then my friend DA, he works with the Talos group with Cisco. They're a pretty excellent elite group of badasses, and they chase malware. So he's ranted long and hard about the fact that stuff is coming into the offices and opening up the, you know,

portals for the fiends that create the malware. It would be nice to prove DA wrong eventually and get some kind of policy in place that users will understand and listen to, because telling users no when it matters, to protect themselves and your company network, is what this is all about. Now, I'm not going to do a live demo. I'm just going to show you what I found when I went hunting on Shodan, because Shodan is fun. It's evil fun. Yes, you can see all kinds of things connected to the internet in real time. I did a search by password. You can search by country, company, device, and then I entered "default", because you know those lovely Hitron

modems we all get from Rogers with the default setting. Any modem you get with a default setting, right? And you know you're supposed to change the default setting right away. Uh-uh. That doesn't happen. You can

see I've got Brooklyn there at the top of my list. And then we zoom in a little bit more, and you can see a lot more than I would feel comfortable with anybody knowing about my location. And that's where we are. It is that bad. So how do we regulate a society that's essentially device-driven? Because it's not just the servers and the desktops at the office. It's everything that we connect to: Fitbits, Apple Watches, Barbie's car, flash drives, smartphones, anything that you can bring in and plug in. And the ability to portably help ourselves to data is one that we don't understand and we've lost any control

over. Like I said earlier, the current rules can't apply because the game itself has changed, and what was working isn't working now. It would be nice to just say no, but we can't go back. We can't go back to times like this of least

privilege. The reality is a hard concept to sell, and that's before we let the genie out of the bottle. So are we going to be the ones to claw back the access and the devices? So what do we do? Well, training and [Laughter] awareness. Training and awareness are a given, because if we do it regularly and not just reactively, it will sink in, and that's what we want. We need to create the culture of security out of this current culture of insecurity. And then there is inventory and monitoring. So, inventory and monitoring. Well, thinking back to Allen's talk earlier with the mini city, absolutely. If you can start early and put something in place and keep it

up, you're golden. It's huge, because then once you know what's coming in and out, you can start regulating that. You can track it. Know what your high-value assets are. But really, the value in this talk isn't about what we know; it's what we're missing. What aren't we capturing, and why? Ah, the cloud. It's the solution to everything, right? What business isn't stuffing all their stuff up there? Productivity applications, Office 365, Google Docs; it's accessible anytime, any place, anywhere, anyone. But the fact is that companies use up to 15 times more cloud services for their critical data than their CIO even knows of or approved. That's a big factor. Okay?

Because IT departments have no idea what's going on up there. They think 51 cloud services, and there's 730. That is a huge disconnect, and that is a big

exposure. 30% of critical information to businesses is up there, and most apps are third-party apps. So here's where we start worrying: that combination of insider threat plus shadow IT, because what if your interfaces and APIs that the users are going to go after are not secure, and you don't know because you don't know what they're using, but the attackers know, and they can find the vulnerabilities and they can exploit them, and we know how fast and how effective that's working. So we need to get our head in the cloud. What if I said to you that shadow IT isn't going away? That in fact it's become the way business gets done, and it's being viewed as a product

of the consumerization of IT. Ponemon reports that an average of 50% of cloud services are deployed by departments that are not corporate IT, and that 44% of corporate data stored in the cloud is not managed or controlled by the IT department. How did that get away from us? We're supposed to be looking after network infrastructure, firewalls, and keeping everything safe. But how do we do that if it's becoming a new way of managing? 12 years ago, technology spending outside of IT was just 20% of total technology spending. It is now going to become 90%. That is a lot of money that we could use.

Okay, so Box was one of those shadow IT things that happen a lot, and Aaron Levie.

Okay. Thank you. All right, Aaron Levie has now done an abrupt about-face and switched his tone to say that he is against shadow IT, and he knows how it feels, and he doesn't like it when his people do it to him. Yes. How many of you are now aware of the cloud issues and access free-for-all that's going on at your place? Well, I'm happy to tell you that there are a number of products and vendors, like Scalar, who can address this. So, CASBs are cloud access security brokers, and they are designed to help corporations get visibility into the cloud so that you can see who is doing what up there. And that's really important, because up until this point,

we clearly had no idea. Yeah, it is policing, but it's policing in real time. Tracking down the users, tracking down the applications, and identifying the potential loopholes and vulnerabilities. I'm not saying that it's a good thing or a bad thing. I'm just saying that it is now a thing. One of the caveats is that it requires users to fill in logs and submit application data and metadata. For a lot of companies, that's the showstopper. And then there's this: keep your friends close, but your enemies closer. So for those people who might be annoying the heck out of us and running their own shows, they're the folks we actually need to talk to and meet halfway, and surprise the heck out

of them when we say yes when they fully expect us to say no, because we might get a lot more information out of them, and that's information that we need and that we could put to use. We kind of have to build some bridges. And there are some people who are way smarter than me advocating this as the best route to go through some pretty treacherous territory, because nobody ever said that security was easy. But we've got stuff to do even if we don't like it. And it's going to mean moving out of our comfort zone to get a better handle on what the people want and why they want it, right? Because we want to understand:

why do you keep clicking on things? Why, when I put these nice rules here, are you using this stuff anyway? You're avoiding all the good stuff I'm giving you. So buy-in comes when we show the C-suite that we can be their strategic partner, not the PITA that they like to think of us as, because breaches are up and profits are down, but we can help change that. We're the ones they need to know to go to, and we want them to give us the chance to take a real lead in making decisions, to sit at the table and start planning stuff out better. We can shift gears and we can project from the rapid developments of cloud,

everything as a service and big data. Yes, it is a different terrain, but we have still got to run it better and faster than those guys that are out there waiting, because they know what our end users will do and won't follow. There is no one ring, no fires of Mordor, to create the culture we need to forge security from insecurity. So if we're going to change the outcome, we have to change the game. And thank you, everybody. [Applause] Oh, okay. Sure. Yes.

Thank you. So, is mobile security impossible? No, I don't think so. If you want, I can give you a very quick explanation as to why I think that infosec is evolving and recognizing how to bring in a range of talents to complement the existing technology we already have an understanding of: security and testing, pentesting, attacking and defending. No, it's not going to be impossible. Anybody else? Hi. Yes.

Okay. So, Safe Harbor, and Amazon gets a free pass because they got in first. I'm not as up to date on my Amazon side as I should be. All I know is that Oracle bowed to the will of the European Union, maybe setting a precedent for everybody else, but Oracle was already set up with physical infrastructure and everything, and that made it easy for them. Localization. Yeah, they went the localization route and honored all of the caveats. So I don't know what the state is for Amazon. That's a good question. Yeah, that's a really good question. I don't know. Sorry. Okay. Oh, yes. Hi. One more question. Okay.

Okay.

Okay. So your question is, understanding, could least privilege be a good foundation for helping manage shadow IT better? Okay. Well, least privilege is 40 years old easily, and it very much limits; it's defined and outlined well in the SANS documents. So I'd probably point you in that direction rather than me give a chewed-up version of it, but it essentially establishes that only these people, for these reasons, have this much access. If you are this person, you do not get this much access. When you become this person, you will be approved, and then you'll have this much access. Does that sound about right to anybody who knows least privilege? Okay.

Thank you. Right. Just to have as much as you need to do the work you do and no more.

That's good. Okay. Thanks. All

[Applause] [Laughter] right. Excellent. And before you run away, we need you to give away a $50 gift certificate for ebooks from No Starch Press. So, whichever one of the questions you think is worthy of a $50 certificate.

All right. Thank you very much, Cheryl. And is this yours? Shar. All right. So, before we get rolling here, I've got a couple of housekeeping items. Go figure. Who saw that coming?
