Shadow IT refers to the use of information technology systems, devices, software, applications, and services within an organization without explicit approval from the IT department or management. It typically involves employees using their own devices, apps, or cloud services to perform work-related tasks rather than relying on the official IT-provided tools (BYOD Security Risks).
When connected to the corporate network, shadow IT devices can introduce vulnerabilities that attackers can exploit as a foothold for moving laterally into other parts of the network. This could potentially lead to a full-scale network breach.
Every unmanaged device connected to the network increases the overall attack surface (Unmanaged Switch). Attackers can use these devices as entry points to launch broader attacks on the network, compromising not just the device itself but potentially the entire organization’s infrastructure.
Since these invisible network devices are not centrally managed, IT teams often have difficulty monitoring them for unusual activity or responding to security incidents promptly. This delay in detection and response can allow attackers to dwell in the network undetected for extended periods.
Unauthorized Network Connections
Here are some ways shadow IT shows up as unauthorized network connections:
- Personal Devices: An employee plugging in a personal router or storage device to the network creates an unauthorized connection. This can be for file sharing, running personal applications, or even bypassing company security protocols.
- Rogue Access Points: Someone setting up a wireless access point without IT’s knowledge creates a shadow network connection. This could be a malicious actor trying to gain access to the network, or even an employee trying to extend their Wi-Fi range.
- Compromised Devices: If a network device, like a printer or server, is compromised by malware, it can create unauthorized connections to external servers for malicious purposes, functioning entirely outside IT’s control.
The dangers of these unauthorized connections lie in the lack of oversight and security measures. IT departments establish specific network configurations and security protocols for a reason. Unauthorized connections bypass these controls, potentially:
- Introducing Security Vulnerabilities: These connections may not have proper firewalls or encryption, creating openings for attackers.
- Spreading Malware: Unauthorized devices might be infected with malware that can spread throughout the network.
- Data Breaches: Sensitive data could be accessed or exfiltrated through these unsanctioned connections.
To mitigate these risks, organizations should focus on improving visibility into their network, educating employees about the dangers of shadow IT, enforcing security policies, implementing network access controls, and regularly auditing for unauthorized devices and software.
Shadow IT Scenarios Handled by Sepio
By identifying and addressing unauthorized connections, IT can mitigate the risks of shadow IT and maintain control over the network’s security.
Endpoint Security
- Detection of a USB attack tool, typically able to bypass other endpoint solutions.
- Detection of a USB implant. Such tools can exploit the target with payloads that trigger when keywords of interest are typed.
- Detection of a USB implant hidden inside a regular looking USB cable. It’s a cable that looks identical to the other cables users already have (Juice Jacking).
- Detection and control of storage devices, which are used in the most common data theft and exfiltration scenarios.
- Detection and control of a mobile phone used as a storage device, which enables more advanced data theft scenarios.
- Detection of a Wi-Fi keylogger, used for capturing keystrokes and sending them wirelessly to a remote attacker.
Network Security
- Detection of dual-use network devices like a Raspberry Pi, which can be especially useful inside the network but can also be turned against the company. It is important to find such devices and control them.
- Detection of suspicious anomalies in regular assets or dual-use devices.
- Unmanaged switches inside a managed network can indicate the existence of shadow IT.
- Detection of a network tap, which can be used for reconnaissance, data theft and launching other attacks.
- Detection of a network hub, which can be used for reconnaissance, data theft and launching other attacks, often with basic and common IT/networking tools (living off the land) as well as more advanced tooling.
- An attacker behind an unmanaged switch or network hub is a simple scenario that attackers find easy to execute.
- A sleeping device in wait mode could be an attacker's implant, but also a legitimate tool that is idle or unused.
- Detection of devices behind a legitimate device.
- Detection of network anomalies.
- Detection of rare devices such as consumer-grade products.
Manage Your Network Devices
Manage your network devices and eliminate those blind spots by using physical layer data. Learn how the Sepio platform provides ultimate network visibility using new data sources, harnessing machine learning and physical layer fingerprinting.