Shadow IT: What It Is And Why It Is An Alarming Security Concern For Every Organization
Post-breach investigation reports like those from IBM and Verizon agree that for the past several years, around one third of all successful breaches have one fact in common: they involve the use of stolen credentials. If we include brute-forcing weak passwords, this will rise to a staggering 80%.
Account takeover is the latest trend caused by a vast adoption of cloud services, paired with enterprises’ lack of control over the protection of their corporate accounts. Latest research found an average of 191 accounts per person on average. When employees register to any web-based service using company-related emails, they open up the possibility of important credentials being disclosed when poorly-protected third parties are breached. Credential stuffing tools are easily accessible for attackers to conduct distributed brute force attacks with stolen passwords across hundreds of web applications. One of the largest CDN networks had stated that upwards of 40% of all login attempts fell into this category.
A clear distinction about who owns and operates the target environment that we are trying to protect should be made. For SaaS—which encompasses most unsanctioned web applications—we must rely on what are the access tools and credential policies that vendors provide. These tools often lack basic functionalities, such as multi-factor authentication or central user management, not to mention any further intelligence, login, or accessible security controls (with the exception of a very few large SaaS providers that enterprises sanction such as O365).
Blind in the Shadows
Common tactics such as phishing, malware and denial of service attacks have one factor in common: they are visible. Whether any of our defensive strategies are able to detect or prevent them, they all directly target enterprise-owned infrastructure, meaning that we have numerous alerting tools to fight them at our disposal.
Contrarily, Shadow IT represents a giant blind spot; corporations may be breached through an unmanaged web application using credentials stolen from another unmanaged web service. In this instance, there is no apparent signal to connect or alert these breaches to corporate security departments. Even worse, these credentials enable attackers to breach enterprise-owned architectures—their actions are conducted with legitimate-seeming accounts, which are less likely to be detected before causing harm.
This article begins with discussing existing approaches and tactics regarding access control, and will evaluate their efficiency and weaknesses.
Using password managers is a great way to help users keep track of passwords. However, these services usually lack the intelligence to compare passwords with local repositories such as LDAP, and often miss controls to prevent password reuse. Password managers sometimes even encourage password sharing amongst employees as a feature, smashing a hole in compliance principles such as segregation of duties or least privilege, and making it very difficult to track the identities accessing services. The primary concern, however, is that password managers have an opt-in approach and cannot enforce visibility across all users and web applications; thus, leaving us with the same potential blind spot.
Privileged Account Management (PAM)
Privileged account management (PAM) and local password manager solutions can seamlessly integrate with applications that are operated and managed by the enterprise (or those that have enterprise-level integration for authentication). Large enterprise SaaS services such as O365 may provide SSO through corporate LDAP or add two-factor authentication options. This is certainly a great way to improve overall account security for authentication; additionally, these third parties may not need to store their own passwords, decreasing their potential to be the victim of a large-scale password leak after a breach.
Despite this, up to 70% of passwords used on the network of enterprises are easily cracked within a few hours, effectively demonstrating that the prevalence of credential management is way below par, even for local networks. For cloud applications, PAM solutions may not offer any significant functionality beyond password management.
A study of over 47,000 organizations noted that two-factor authentication is on the rise, being used by nearly 60% of those businesses studied. However, this figure only represents a survey of clients that are already using password managers, which arguably overrepresents 2FA usage amongst all companies. It also does not describe how prevalent 2FA is among all web applications. Additionally, there is a very large gap among smaller organizations under 1,000 employees, who are half as likely to use multi-factor authentication than large enterprises.
What this report highlights is the ongoing need for businesses to focus on training employees – particularly new users – and continuing to improve password hygiene…
For businesses and services that are not enterprise-owned, operated or managed, multi-factor authentication is only a limited feature. There is no clear path for organizations to require it from SaaS or web application providers, or enforce users to use 2FA in situations where it is available. It is also worth pointing out that once a credential is stolen, multi-factor authentication is reduced to single factor again.
Also, once the passwords used in multi factor are compromised, they offer a possibility for credential reuse attacks on other services; for this reason, multi-factor authentication is insufficient in preventing credential stuffing and account takeovers. Besides, even the most resourceful and widely adopted SaaS providers sometimes fall victim to MFA bypass attacks.
Have I Been Pwned? provides a free database of over 10 billion breached accounts. However, these already disclosed accounts seriously underrepresent the true prevalence of breached records. More recent and valuable (live) accounts take months or even years before they are pronounced useless by attackers and are finally shared on public forums, where intelligence providers are likely to discover them.
Proactive hunting for breaches is a valuable but expensive approach. In 2019 alone, 640 new breach sources had been discovered by specialists, amounting to 9 billion freshly-stolen accounts. Regardless of password complexity and strength, if they are frequently reused in business applications, credential stuffing becomes a very profitable way to discover valuable assets, and reaction-based intelligence is always a matter of chance.
How Large is This Blind Spot?
Industry reports indicate that several hundred to several thousand Shadow IT applications are used by enterprises. These applications are unsanctioned by IT or compliance, making the enterprise unaware of the exact applications that different business units or individual employees register to (and sometimes pay for). These services are unaccounted for from either a cost, security, compliance or operational perspective. Gartner reports up to 30-50% of IT spending goes toward unsanctioned applications, signaling a very real threat for business continuity and potential data leaks.
According to CISCO’s research, CIOs underestimate the number of cloud application by a factor of 15-22x.
When pairing the notion of cloud adoption with the fact that a very large chunk is invisible to and unmanaged by IT and security operations, it is understandable that hackers turn to account takeover as a cheap and easy attack vector that they can use to target enterprises.
How To Prevent Account Takeovers?
Account takeovers are most likely to occur as a combination of two factors: password leaks and password reuse. If a password is never reused, a breached service provider may enforce a password reset and notify its users. In case this happens in a timely manner, life could go on undisturbed. When passwords are stolen without encryption or the breach is not recognized immediately, there may be a window of opportunity for attackers to gain access to the breached services.
However, it’s a matter of chance whether a compromised service holds valuable assets, and as more prominent SaaS providers are less likely to get breached, the true value always comes from account reuse on other services. We must also note that similar passwords are also potentially vulnerable to dictionary-based attacks; therefore, password managers do provide a real value if they are used correctly, generating random passwords all the time.
According to Akamai, 43% of all login attemps across the web are brute force attacks using vast databases of stolen accounts.
To find the solution, we must have a solution in place with the following attributes:
- Monitors all login activities to discover any passwords that may lead to account takeovers.
- Compare all credentials to see if the passwords have been reused, and preferably compare them with local LDAP to see if high-impact passwords are shared online.
- Check credentials against existing leak databases to discover if previously-stolen credentials are being reused.
- Enforce password strength and complexity across all cloud applications, regardless if it is centrally-managed or even sanctioned.
- Improve user awareness about using similar passwords, or enforce password managers to minimalize potential password cracking from leak databases.
It’s important to note that preventing account takeovers is just the first step. A full inventory of cloud applications—along with all users and accounts—should be the baseline to understand how our compliance, business continuity and data governance is impacted.
NIST’s recent Zero Trust Architecture guidelines also recommend that Shadow IT components are catalogued as much as possible. Firewalls, proxies and CASB solutions simply do not provide visibility for account-level intelligence and are not focused on building a local SaaS directory that employees actually access. They do not have visibility towards account usage, with the exception of a few large, well-integrated providers, and thus can only improve security for already well-secured enterprise apps.
To unveil the complete Shadow IT landscape, organizations should be able to:
- Determine which web apps are being used by any of the employees.
- Know how many active accounts are there for each web app (and determine whether or not they are secure from a password perspective).
- See which unsanctioned apps are widely adopted or trending, and review their T&C for compliance, business impact and cost.
- Give users awareness warnings about password usage, and pinpoint employees that show risky behaviors such as heavy SaaS usage, frequent password sharing, or usage of weak credentials.
- Create an inventory of online accounts for each user, so that once they leave the organization or change roles, their access rights may be reviewed.
- Allocate data and app owners to widely-adopted SaaS services, turning them from Shadow IT to managed cloud services.
- Notify users or enforce password changes in case one of their providers has been breached.
Scirge provides a unique approach to unveil and gain control over unmanaged third-party web accounts. Scirge tracks the websites employees use corporate email addresses to register on and log in to. Having a central dashboard of discovered accounts helps to reduce the risk of credential-related threats such as password reuse or account takeover (ATO). Scirge gives a level of control over SaaS usage to overcome Shadow IT. It also helps to ensure that your company complies with GDPR, CCPA, and other audit requirements.