IT Audit - Shadow IT Systems
Download as PPTX, PDF1 like849 views
This document provides an IT audit report focusing on shadow IT systems, highlighting the risks and recommendations for improving information security within an organization. Key findings include the inappropriate use of company emails, the presence of rogue devices on corporate networks, and the utilization of unsanctioned software, which pose significant security threats. The report suggests implementing stricter policies, enhancing employee training, and conducting regular audits to mitigate these risks.
IT Audit - Shadow IT Systems
- 1. Presenter: Damaine Franklin Information Security Management and Auditing IT AUDIT – SHADOW IT SYSTEMS July 1, 2017 1
- 2. What is Shadow IT 2 Shadow IT is a term that refers to Information Technology (IT) applications and infrastructure that are managed and utilized without the knowledge of the enterprise's IT department. Shadow IT can include: Hardware, Software web services Cloud applications
- 3. Executive Summary 3 This IT audit assess an organization for the existence of any shadow IT systems. Area’s accessed were: Network/Information Security Controls Unsanctioned Software’s and Applications Asset Identification and Classification Threats and Vulnerability Controls IT Audit Scope The purpose of this IT audit is to perform a comprehensive risk assessment of the organizations IT/IS infrastructure with a focus on any shadow IT systems with regards to the organizations information security policies
- 4. Network/Information Security Controls 4 Findings 1 Company emails on personal smartphones Risks Litigation (criminal/civil) Malicious Apps Lost or Stolen Email Phishing Man in the middle attack
- 5. Network/Information Security Controls Cont’d 5 E-mail Fishing Attacks Fig. 2 sourced
- 6. Network/Information Security Controls 6 Fig. 3. Sourced: https://blogs.otago.ac.nz/infosec/files/2013/02/Slide4.png Phishing Email Example
- 7. Network/Information Security Controls Cont’d 7 Recommendations Since there are no polices that supports the use of work email on personal smartphones, management should invest in corporate owned close user group (CUG) for private encrypted communication work related purposes.
- 8. Network/Information Security Controls 8 Findings 2 Inappropriate use of Company Email Risks It was discovered that some employees uses their company email for public purposes such: subscribing to ecommerce websites and social media (Facebook). The inappropriate uses of company email open the door for email-based malwares and virus attacks.
- 9. Network/Information Security Controls 9 Recommendations If a suspicious email is opened immediately, unplug your network cable or shut down your computer, and contact the IT Help Desk. Do not click on links (including the unsubscribe links) in emails unless you are confident they are legitimate. Enforce the policy on the uses of company emails Limit social media uses Download and install security updates and patches for all PC’s Ensure that antivirus software has the latest definitions If an employee receives an email that doesn’t look legit call the IT help desk
- 10. Network/Information Security Controls 10 Findings 3: Misuse of Confidential Password
- 11. Network/Information Security Controls 11 Risks The purpose of a user password is to authenticate and allow access to company intranet and information. In the case of non-repudiation, shared passwords can allow an employee to contest or deny any malicious use on their computer. For example, in emails non- repudiation is used to guarantee that the recipient cannot deny receiving a malicious email, which infects the computer with ransomware.
- 12. Network/Information Security Controls 12 Recommendations Once an employee password has become compromised, the system administrator should be notified to have it changed. Management should enforce the policies, which governs the proper uses of passwords. Train employees on how to use complex passwords and how to secure it.
- 13. Rouge Devices on Company Network 13 Findings Rouge devices have been fund in the enterprise environment. Rogue refers to any device, access point, or client, whom with unauthorized access attempts to connect, attack or interfere with the originations network.
- 14. Rouge Devices on Company Network 14 Rouge 1. unmanaged switch Rouge 2. wireless access point Rouge 3. personal laptop Rouge 4. LAN access point
- 15. Rouge Devices on Company Network 15 Risks The fact that rouge devices are unmanaged means that the user has full privileges to do just about anything. The main concern of rouge device is the propagation of viruses on the corporate network. Another concern is the infection of malware, which normally affect all network devices or infiltrate an entire corporate network.
- 16. Rouge Devices on Company Network 16 Risks cont’d Rouge device provide a vulnerable in the network where by an attacker could hijack the device and use it to perform Peer Hijack Packet Spoofing Unauthorized access attack Reconnaissance Mac address table over flow Brute force attack Denial of service attack
- 17. Rouge Devices on Company Network 17 Recommendations Update security policies regarding BYOD and the use of personal devices on company private network Shutdown all unused switch ports Locate eradicate all rouge devices Configure strong encryption on wireless access point Consider strong router/switch protocols and standards to quickly neutralize and control rouge devices. Separate normal user and privileged user accounts Configure port security in each switch
- 18. Rouge Devices on Company Network 18 Mac address table over flow Fig 10. source: http://player.slideplayer.com/12/3561082/data/images/img15.jpg
- 19. Rouge Devices on Company Network 19 Mac address table over flow Fig 11. source: http://player.slideplayer.com/12/3561082/data/images/img16.jpg
- 20. Unsanctioned Software’s and Apps 20 Findings: Although the IT policy outline strict guidelines regarding intellectual property and licensing, some employees manage to bypass the rules and participate in the use of rouge software’s and applications. My audit reveals the following known unsanctioned applications running on the organizations network.
- 21. Unsanctioned Software’s and Apps 21 Unsanctioned Sanctioned Adobe Photoshop CS3 Adobe Photoshop CS6 Drop box MS Outlook/network shared drives Spiceworks Inventory Sage FAS 500 asset inventory Evernote Microsoft Outlook Google Drive MS Outlook/network shared drives Unsanctioned Sanctioned AVG Internet Security McAfee Enterprise security AutoCAD 2009 Autodesk Design Suites 2016 StormCad None Tekla Structures Autodesk Design Suites 2016 Tekla Tedds Tekla structured Bluebeam Revu Findings cont’d:
- 22. Unsanctioned Software’s and Apps 22 Risks: Use of file sharing solutions (Dropbox) Data stored in file sharing solutions become exposed to unauthorized users. File sharing services does not provide enterprise class security or control. Sensitive data stored in Dropbox is not secure and just as importantly, not controlled by IT. Unsanctioned applications may have embedded malicious coding A breach of intellectual property rights may leady to legal ramifications
- 23. Unsanctioned Software’s and Apps 23 Recommendations Enforce polices regarding the usage of intellectual property and licensing. Monitor FTP traffic on firewall Block FTP port Perform integrity check
- 24. Asset Identification and Classification 24 Findings Asset Management Application Fig 12. Sage FAS 500 Asset inventory
- 25. Asset Identification and Classification 25 Fig 13. Laptop Fig 15. Multifunction Fig 14. Asset tag barcode reader
- 26. Asset Identification and Classification 26 Risk: Identification of Ghost Assets A “ghost” asset is defined as a property that is lost, stolen, or unusable, but is still listed as an active fixed asset in the system A crucial risk caused by ghost asset is that undocumented devices may become unmanaged by the domain controller. Once the domain recognizes a device as being unknown, it becomes a rouge device, which is, then recognize as security threat.
- 27. Asset Identification and Classification 27 Recommendations Eliminate ghost assets Conduct physical asset inventories Tag assets appropriately Use durable and lasting labels Perform frequent cyclical updates on inventory logs
- 28. References 28 Corporation, N. (2015). Shadow IT in the Enterprise. Nasuni Corporation. Microsoft. (2013). The Link Between Pirated Software and Cybersecurity Breaches. Microsoft Digital Crimes Unit. Retrieved from http://www.play-it-safe.net/ Organisation. (2006). Information Technology - EDITION 3. Kingston, Jamaica: Government. Points, R. A. (2017, June). Telelini. Retrieved from http://itsecurity.telelink.com: http://itsecurity.telelink.com/rogue-access-points/ Ruggiero, P., & Foote, J. (2011). Cyber Threats to Mobile Phones. US-Cert. Retrieved from https://www.us- cert.gov/sites/default/files/publications/cyber_threats-to_mobile_phones.pdf Sage. (2011). Best Practices for Fixed Asset Managers. Herndon, VA: Sage Fixed Assets White Paper. Retrieved from http://www.sage.com/na/~/media/category/sna/assets/lp/sagebusinessknows/documents/resources/sage _erp_best_practices.pdf SolarWinds. (2017). Detecting and Preventing. SolarWinds. Retrieved from http://web.swcdn.net/creative/pdf/Whitepapers/UDT_WP_Detect_Prevent_Rogue_Devices.pdf Techopedia. (2017, June). Active Directory (AD). Retrieved from Techopedia: https://www.techopedia.com/definition/25/active-directory
- 29. END 29