SlideShare a Scribd company logo

What Lurks in the Shadow

Cheryl Biswas, profile picture
Cheryl Biswas

The document discusses the growing issues of shadow IT and shadow data in organizations. It notes that employees are increasingly using unauthorized cloud services and mobile devices to store and access company data without IT approval. This poses security risks as employees may not follow proper security practices. The document recommends that organizations shift to adopt more flexible security strategies that empower employees while maintaining proper access controls, such as privilege management and monitoring. It also suggests improving security awareness training for staff.

Technology
Related topics:
Information Security
1 of 69
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
What Lurks in the Shadow Addressing the Growing Security Risk of Shadow IT & Shadow Data By @3ncr1pt3d
Cheryl Biswas • • Works for: JIG Technologies • Does what exactly: security researcher, analyst, writer of things • Trekkie, techie, maker, baker • Bridging the gap between tech and non-tech Necessary Disclaimer: All content is my own and does not reflect the opinions of my employer 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 2
Security Lords 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 3
Faster. Better. More. Tech. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 4
09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 5
#GenMobile 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 6 #GenMobile “For the security of company data and IT systems, there may be cause for concern”. (http://www.arubanetworks.com/mobileriskindex/)
09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 7 BYoD
09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 8 Internet of So. Many. Things
The Human Factor Fear of the Unknown 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 9
The Dark World Shadow IT/Shadow Data 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 10
In the Land of Mordor Where the Shadows Lie Keep it secret, keep IT safe 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 11
09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 12
“Employees in every cubicle are using Box, Workday and Salesforce, and they’re not waiting for IT’s permission to do so. They’re using their own apps on their own devices. Many are spinning up servers in the cloud for infrastructure in the cloud, a practice dubbed bring your own server. So privilege is now being consumerized like apps and devices.” - Forbes
- ZDNET “When you agree to BYOD policies, you put employees within the security chain”. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 14
Bad Apples 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 15
Pass on the Passwords • 51% Single password/numerical PIN • 58% NO policies of software to enforce better passwords • 56% Shared passwords • 17% Used company-provided password mgr • 60% Accessed confidential corporate data 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 16
09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 17
09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 18
Unprotected and Connected • questionable WiFi networks via the local coffee shop hotspot • unapproved cloud storage • really, really bad USB
09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 20
09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 21
Security means never having to say you’re sorry 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 22
Cyber Insurance 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 23
09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 24
A culture of indifference. Sharing as the norm – devices, data, passwords Indifference towards security – the assumption that security is somebody else’s problem; not worried about their own responsibility Self-empowerment succeeds over existing rules (Aruba Networks)
“Businesses are ill-prepared for the attitude of next generation employees who own mobile devices, and may be placed at risk as the BYOD trend causes fractures in security enforcement.” - ZDNet 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 26
Alien Vault Insider Risk Matrix 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 27
“All identities are not created equal” With great power comes great responsibility 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 28
Great Power, Great Responsibility • 92% orgs have user monitoring • 56% handle privileged identity mgmt. • 58% corps do regular password updates • 60% IT decision makers share creds • 52% share creds with contractors >20% analyze or audit privileged access 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 29
“IT departments often give non- technical executives (e.g. VP of Sales, CEOs, CFOs, etc.) broad privilege inside corporate applications, figuring it is better to give too much freedom to upper management than get yelled at when someone can’t create a report.” - Forbes 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 30
09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 31 “It is scary to think that this many people consider it normal for employees to have access to data that they shouldn’t have and for companies to not know where their missing data has gone.” - David Gibson, VP at Varonis.
The Loss of Privilege 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 32
The hearts of men are easily corrupted. And the ring of power has a will of its own... 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 33
Time for a little talk about B I G Data 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 34
09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 35
Who Touched the Data? “It’s not good enough to merely resist the rise of BYOD, if people can still access corporate e-mail when they get home…” John McAfee 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 36
09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 37
09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 38
09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 39
09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 40
What’s Mine is Mine & What’s Yours is Mine Too 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 41
Sh*tposts from the Trenches 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 42
09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 43
09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 44
09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 45
09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 46
09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 47
Let’s do a little Demo https://www.shodan.io/
Country. Company. Device. Password Default 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 49
09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 50
09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 51
So Where Do We Go From Here? “Just Say No.” 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 52
Current rules can’t apply when the game itself has changed. What was working isn’t working now 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 53
Least Privilege: “Every program and every user of the system should operate using the least set of privileges necessary to complete the job. Primarily this principle limits the damage that can result from an accident or error.” - SALTZER, J.H. and SCHROEDER, M.D. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 54
We’ve taken the lid off Pandora’s box. I don’t think it ever goes back on. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 55
09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 56
What Are We Missing • Training and Awareness • Inventory and Monitoring • Secure Hi-Value Assets • ???? 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 57
The Cloud 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 58
No Idea What They’re Using, No Idea What They’re Losing • 15x more cloud services used to store critical data than CIOs authorized • IT says 51 active cloud services. Survey says 730 • Use growing exponentially. • 1000 external services per company by 2016 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 59
30% of business critical info is in the cloud. Most cloud apps are third party apps. - Ponemon Institute
09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 61 Shadow IT isn’t going anywhere … Gartner says so
09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 62
09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 63
09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 64
To Build a Better Mousetrap, Draw A Bigger Circle 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 65
The Way Forward • Ask what users really need and want • Show the CSuites why we are their strategic partner • Shift gears and adapt • Projections based on Cloud, Big Data, Everything as a Service 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 66
As for that one ring that rules them all … The World has changed. And so must we. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 67
Thank You So Much! BSidesTO Contact Deets: @3ncr1pt3d ca.linkedin.com/in/cherylbiswas https://whitehatcheryl.wordpress.com/ 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 68
09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 69

More Related Content

PPTX
When a Data Breach Happens, What's Your Plan?
Edge Pereira
 
PDF
Kill All Passwords
Jonathan LeBlanc
 
PDF
Mobile Authentication using Biometrics & Wearables
Jonathan LeBlanc
 
PDF
Protecting the Future of Mobile Payments
Jonathan LeBlanc
 
PDF
Cyber Security Extortion: Defending Against Digital Shakedowns
CrowdStrike
 
PDF
CrowdCasts Monthly: You Have an Adversary Problem
CrowdStrike
 
PPTX
Webinar: eCommerce Compliance - PCI meets GDPR
Sucuri
 
PDF
NTXISSACSC3 - EMV and the Future of Payments by Branden Williams
North Texas Chapter of the ISSA
 
When a Data Breach Happens, What's Your Plan?
Edge Pereira
 
Kill All Passwords
Jonathan LeBlanc
 
Mobile Authentication using Biometrics & Wearables
Jonathan LeBlanc
 
Protecting the Future of Mobile Payments
Jonathan LeBlanc
 
Cyber Security Extortion: Defending Against Digital Shakedowns
CrowdStrike
 
CrowdCasts Monthly: You Have an Adversary Problem
CrowdStrike
 
Webinar: eCommerce Compliance - PCI meets GDPR
Sucuri
 
NTXISSACSC3 - EMV and the Future of Payments by Branden Williams
North Texas Chapter of the ISSA
 

What's hot (10)

PDF
Bear Hunting: History and Attribution of Russian Intelligence Operations
CrowdStrike
 
PDF
A Look Back at 2016: The Most Memorable Cyber Moments
Tripwire
 
PPTX
Identity Protection for the Digital Age
Intel IT Center
 
PDF
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike
 
PDF
Blockchain usability report / research
Alessandro Benigni 🌕
 
PDF
Ponemon Report: When Trust Online Breaks, Businesses Lose Customers
Venafi
 
PDF
NTXISSA September 2016 Meeting - How to Get More from Your Security Investmen...
North Texas Chapter of the ISSA
 
PDF
Trust Online is at the Breaking Point
Venafi
 
PDF
You Can't Stop The Breach Without Prevention And Detection
CrowdStrike
 
PDF
Building a Mobile Location Aware System with Beacons
Jonathan LeBlanc
 
Bear Hunting: History and Attribution of Russian Intelligence Operations
CrowdStrike
 
A Look Back at 2016: The Most Memorable Cyber Moments
Tripwire
 
Identity Protection for the Digital Age
Intel IT Center
 
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike
 
Blockchain usability report / research
Alessandro Benigni 🌕
 
Ponemon Report: When Trust Online Breaks, Businesses Lose Customers
Venafi
 
NTXISSA September 2016 Meeting - How to Get More from Your Security Investmen...
North Texas Chapter of the ISSA
 
Trust Online is at the Breaking Point
Venafi
 
You Can't Stop The Breach Without Prevention And Detection
CrowdStrike
 
Building a Mobile Location Aware System with Beacons
Jonathan LeBlanc
 
Ad

Viewers also liked (6)

PDF
Understanding CIPs, Builder’s Risk, and Inland Marine Insurance Policies
Bradley Arant Boult Cummings LLP
 
PDF
The ABC's of Digital Literacy
Cheryl Biswas
 
PDF
Kindermusik program 2016-2017
Vicente Bayarri
 
PPTX
Prairie DevCon-What's New in Hyper-V in Windows Server "8" Beta - Part 1
Damir Bersinic
 
DOC
Online trust and perceived utility for consumers of web privacy statements
Remove Search Results .com
 
PDF
Grade 8 PE module(Q4)
Andrew Cabugason
 
Understanding CIPs, Builder’s Risk, and Inland Marine Insurance Policies
Bradley Arant Boult Cummings LLP
 
The ABC's of Digital Literacy
Cheryl Biswas
 
Kindermusik program 2016-2017
Vicente Bayarri
 
Prairie DevCon-What's New in Hyper-V in Windows Server "8" Beta - Part 1
Damir Bersinic
 
Online trust and perceived utility for consumers of web privacy statements
Remove Search Results .com
 
Grade 8 PE module(Q4)
Andrew Cabugason
 
Ad

Similar to What Lurks in the Shadow (20)

PDF
ITCamp 2018 - Tudor Damian - The cybersecurity landscape is changing. Are you...
ITCamp
 
PPTX
Progscon cybercrime and the developer
Steve Poole
 
PPTX
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
Codemotion
 
PPTX
Office 365 Makes Data Protection Cool Again
Edge Pereira
 
PDF
Digit Leaders 2023
Ray Bugg
 
PPTX
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Andrew Morris
 
PPTX
Design Patterns for Ontologies in IoT
Mark Underwood
 
PDF
Internet of Energy Things IERC 2015
Paul Malone
 
PDF
Paul Malone of TSSG spoke at the IERC debate entitled “The Internet of Energy...
Walton Institute
 
PPTX
Effective Cybersecurity Communication Skills
Jack Whitsitt
 
PPTX
Is it safe
Richard Copley
 
PPTX
Security Awareness Presentation Fall 2013
COCommunityCollegeSystem
 
PDF
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
IBM Security
 
PPTX
Certified Banking TPM - Module 3 powerpoint presentation
trevor501353
 
PPTX
Devnexus 2017 Cybercrime and the Developer: How do you make a difference?
Steve Poole
 
PPTX
Art Hathaway - Artificial Intelligence - Real Threat Prevention
centralohioissa
 
PPTX
An Introduction To IT Security And Privacy for Librarians and Libraries
Blake Carver
 
PPTX
Cybercrime and the Developer: How to Start Defending Against the Darker Side...
Steve Poole
 
PDF
The ClearScore Darkpaper: The danger of the dark web 2020
Jayna Mistry
 
PDF
How to run a social media listening program, presented by Keith McArthur
SocialMedia.org
 
ITCamp 2018 - Tudor Damian - The cybersecurity landscape is changing. Are you...
ITCamp
 
Progscon cybercrime and the developer
Steve Poole
 
Eward Driehuis - What we learned from 20.000 attacks - Codemotion Amsterdam 2019
Codemotion
 
Office 365 Makes Data Protection Cool Again
Edge Pereira
 
Digit Leaders 2023
Ray Bugg
 
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Andrew Morris
 
Design Patterns for Ontologies in IoT
Mark Underwood
 
Internet of Energy Things IERC 2015
Paul Malone
 
Paul Malone of TSSG spoke at the IERC debate entitled “The Internet of Energy...
Walton Institute
 
Effective Cybersecurity Communication Skills
Jack Whitsitt
 
Is it safe
Richard Copley
 
Security Awareness Presentation Fall 2013
COCommunityCollegeSystem
 
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
IBM Security
 
Certified Banking TPM - Module 3 powerpoint presentation
trevor501353
 
Devnexus 2017 Cybercrime and the Developer: How do you make a difference?
Steve Poole
 
Art Hathaway - Artificial Intelligence - Real Threat Prevention
centralohioissa
 
An Introduction To IT Security And Privacy for Librarians and Libraries
Blake Carver
 
Cybercrime and the Developer: How to Start Defending Against the Darker Side...
Steve Poole
 
The ClearScore Darkpaper: The danger of the dark web 2020
Jayna Mistry
 
How to run a social media listening program, presented by Keith McArthur
SocialMedia.org
 

Recently uploaded (20)

PPTX
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
PPTX
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
PPTX
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 

What Lurks in the Shadow

  • 1. What Lurks in the Shadow Addressing the Growing Security Risk of Shadow IT & Shadow Data By @3ncr1pt3d
  • 2. Cheryl Biswas • • Works for: JIG Technologies • Does what exactly: security researcher, analyst, writer of things • Trekkie, techie, maker, baker • Bridging the gap between tech and non-tech Necessary Disclaimer: All content is my own and does not reflect the opinions of my employer 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 2
  • 3. Security Lords 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 3
  • 4. Faster. Better. More. Tech. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 4
  • 5. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 5
  • 6. #GenMobile 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 6 #GenMobile “For the security of company data and IT systems, there may be cause for concern”. (http://www.arubanetworks.com/mobileriskindex/)
  • 7. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 7 BYoD
  • 8. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 8 Internet of So. Many. Things
  • 9. The Human Factor Fear of the Unknown 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 9
  • 10. The Dark World Shadow IT/Shadow Data 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 10
  • 11. In the Land of Mordor Where the Shadows Lie Keep it secret, keep IT safe 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 11
  • 12. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 12
  • 13. “Employees in every cubicle are using Box, Workday and Salesforce, and they’re not waiting for IT’s permission to do so. They’re using their own apps on their own devices. Many are spinning up servers in the cloud for infrastructure in the cloud, a practice dubbed bring your own server. So privilege is now being consumerized like apps and devices.” - Forbes
  • 14. - ZDNET “When you agree to BYOD policies, you put employees within the security chain”. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 14
  • 15. Bad Apples 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 15
  • 16. Pass on the Passwords • 51% Single password/numerical PIN • 58% NO policies of software to enforce better passwords • 56% Shared passwords • 17% Used company-provided password mgr • 60% Accessed confidential corporate data 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 16
  • 17. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 17
  • 18. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 18
  • 19. Unprotected and Connected • questionable WiFi networks via the local coffee shop hotspot • unapproved cloud storage • really, really bad USB
  • 20. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 20
  • 21. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 21
  • 22. Security means never having to say you’re sorry 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 22
  • 23. Cyber Insurance 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 23
  • 24. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 24
  • 25. A culture of indifference. Sharing as the norm – devices, data, passwords Indifference towards security – the assumption that security is somebody else’s problem; not worried about their own responsibility Self-empowerment succeeds over existing rules (Aruba Networks)
  • 26. “Businesses are ill-prepared for the attitude of next generation employees who own mobile devices, and may be placed at risk as the BYOD trend causes fractures in security enforcement.” - ZDNet 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 26
  • 27. Alien Vault Insider Risk Matrix 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 27
  • 28. “All identities are not created equal” With great power comes great responsibility 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 28
  • 29. Great Power, Great Responsibility • 92% orgs have user monitoring • 56% handle privileged identity mgmt. • 58% corps do regular password updates • 60% IT decision makers share creds • 52% share creds with contractors >20% analyze or audit privileged access 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 29
  • 30. “IT departments often give non- technical executives (e.g. VP of Sales, CEOs, CFOs, etc.) broad privilege inside corporate applications, figuring it is better to give too much freedom to upper management than get yelled at when someone can’t create a report.” - Forbes 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 30
  • 31. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 31 “It is scary to think that this many people consider it normal for employees to have access to data that they shouldn’t have and for companies to not know where their missing data has gone.” - David Gibson, VP at Varonis.
  • 32. The Loss of Privilege 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 32
  • 33. The hearts of men are easily corrupted. And the ring of power has a will of its own... 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 33
  • 34. Time for a little talk about B I G Data 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 34
  • 35. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 35
  • 36. Who Touched the Data? “It’s not good enough to merely resist the rise of BYOD, if people can still access corporate e-mail when they get home…” John McAfee 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 36
  • 37. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 37
  • 38. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 38
  • 39. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 39
  • 40. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 40
  • 41. What’s Mine is Mine & What’s Yours is Mine Too 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 41
  • 43. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 43
  • 44. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 44
  • 45. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 45
  • 46. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 46
  • 47. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 47
  • 48. Let’s do a little Demo https://www.shodan.io/
  • 49. Country. Company. Device. Password Default 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 49
  • 50. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 50
  • 51. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 51
  • 52. So Where Do We Go From Here? “Just Say No.” 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 52
  • 53. Current rules can’t apply when the game itself has changed. What was working isn’t working now 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 53
  • 54. Least Privilege: “Every program and every user of the system should operate using the least set of privileges necessary to complete the job. Primarily this principle limits the damage that can result from an accident or error.” - SALTZER, J.H. and SCHROEDER, M.D. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 54
  • 55. We’ve taken the lid off Pandora’s box. I don’t think it ever goes back on. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 55
  • 56. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 56
  • 57. What Are We Missing • Training and Awareness • Inventory and Monitoring • Secure Hi-Value Assets • ???? 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 57
  • 58. The Cloud 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 58
  • 59. No Idea What They’re Using, No Idea What They’re Losing • 15x more cloud services used to store critical data than CIOs authorized • IT says 51 active cloud services. Survey says 730 • Use growing exponentially. • 1000 external services per company by 2016 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 59
  • 60. 30% of business critical info is in the cloud. Most cloud apps are third party apps. - Ponemon Institute
  • 61. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 61 Shadow IT isn’t going anywhere … Gartner says so
  • 62. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 62
  • 63. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 63
  • 64. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 64
  • 65. To Build a Better Mousetrap, Draw A Bigger Circle 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 65
  • 66. The Way Forward • Ask what users really need and want • Show the CSuites why we are their strategic partner • Shift gears and adapt • Projections based on Cloud, Big Data, Everything as a Service 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 66
  • 67. As for that one ring that rules them all … The World has changed. And so must we. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 67
  • 68. Thank You So Much! BSidesTO Contact Deets: @3ncr1pt3d ca.linkedin.com/in/cherylbiswas https://whitehatcheryl.wordpress.com/ 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 68
  • 69. 09/11/2015 BSidesTO: What Lurks In The Shadow by @3ncr1pt3d 69