Website security is kind of a big deal, and not just because your website is one of the most public-facing pieces of your infrastructure. It's also because website security is often overlooked and, at the same time, has no clear owner.
Chris Olson of The Media Trust lays it all out: "No one person or department is in charge of the website—marketing, legal, or IT. This lawless landscape is overrun with criminal activity manifested in the form of exploit kits, keystroke loggers, bot drops, and more."
A bold claim but not unfounded. You may not think of websites as the Wild West of your infrastructure, but shadow IT runs rampant here. To understand this dynamic better, we set aside some time to pick Olson's brain post-Black Hat 2017 and figure out exactly why website security is the Frodo Baggins of modern IT: unassuming, with a lack of oversight and significant risk to humanity. Okay, that last part may have been an exaggeration, but it still rings true (see what we did there?).
What's the single greatest threat posed by shadow IT?
Olson: "The biggest threat posed by shadow IT is the very fact that it's unknown. This gray cloud of uncertainty opens enterprises up to a range of security, regulatory, and reputation risks, with Gartner projecting 33 percent of enterprise attacks will be due to shadow IT within the next few years."
"Websites are the most overlooked aspect of shadow IT. When you consider the complexity and opaqueness of the digital environment, enterprises don't know what vendors execute to render content on the consumer browser. Frequently, we find there are three times more vendors than an enterprise expects. These vendors provide interactive functionality to engage users (video, social media tools, content recommendations chat features, etc.) and support back-end activities (analytics, content delivery network, data management, hosting, etc.). Frankly, how do you manage the risk of something that's unknown?"
What's the most common form shadow IT takes in the modern enterprise?
Olson: "Inability to control the digital environment is increasingly an unacceptable risk. Best practices for online payments security (PCI DSS) and regulations regarding online marketing to underage consumers (COPPA) exist. The EU's General Data Protection Regulation (GDPR) ushers in a host of challenges for anyone with a website or app. Not only does GDPR expand the definition of personal information to include online behavior tracking, but it also extends territorial scope to any business touching an EU-based subject—a difficult and somewhat confusing task for a non-EU business that happens to have EU website traffic and app users."
You mentioned the "lawless landscape" of IT at Black Hat this year. Is this an issue of policy, leadership, or inadequate infrastructure?
Olson: "The biggest challenge with digital shadow IT is that there typically is no one individual or department in charge of managing it. Marketing delivers the content and design, IT/web operations makes sure it works, sales/e-commerce drives the traffic, legal/privacy provides disclaimers, etc."
"When enterprises realize they have no control or insight into the code executing in their websites, security teams will be forced to clamp down on the third-party vendors currently used to render consumer-facing content. The onus is on the website operator—media, e-commerce, insurance, travel, enterprise, etc.—to demonstrate compliance with GDPR regulations. Inability to ensure consumer data isn't tracked without explicit permission will subject the website operator to hefty fines."
What's your be-all, end-all advice to organizations struggling with shadow IT?
Olson: "To rein in digital shadow IT, it's simply not enough to identify the vendors executing in the enterprise digital ecosystem. IT/security teams must also sanction vendor presence, evaluate vendor activity, and assign ownership to an internal team to be responsible for managing the vendor. To effectively govern the digital environment, enterprises must also define, deploy, and then enforce—on a real-time, 24/7 basis—the policies needed to ensure a safe and secure browsing experience."
Shadow IT poses a significant risk to often overlooked aspects of IT and requires ownership, effective policy, and forward thinking to successfully rein it in. Whether it's websites or printer fleets, tackling these three aspects will go a long way toward bringing visibility to the growing issue of shadow IT.
Looking for coverage of Black Hat's shadier cousin, Defcon 2017? Check out, "Daniel Regalado schooled us on IoT cybersecurity at Defcon 2017."
If you missed the first parts of Tektonika's Black Hat 2017 journey, you can go back to where it all started with, "Black Hat 2017: It's just around the bend!"