Too many enterprises have shadow IT

New report says far too many firms have too many IT assets they cannot see or aren’t using, with some Windows servers lacking endpoint protection and patch management.

If you are lucky enough to have a Lambo in your garage, you’ll surely have cameras at least on the garage door, back door, cellar door and probably the bathroom windows.Translating that to enterprise cybersecurity, a sphere in which the losses could amount to that of countless exotic cars: Organizations need visibility on all outward facing assets, as well as a comprehensive review of licensed but unused tools that generate hidden costs.

Unfortunately, according to asset intelligence platform Sevco Security, too many organizations have windows (and Windows) and doors that their IT and security teams may not even know about, or may have no proper digital locks. In its second annual State of the Cybersecurity Attack Surface Report, which culled data from 500 organizations and nearly one million IT assets, Sevco reports that the vast majority of the organizations it looked at do not have comprehensive visibility of the assets they need to secure.

According to the report, approximately 20% of IT assets are invisible to security teams. These are ingress points to corporate networks, but do not appear in an enterprise source, such as endpoint protection, configuration/patch management systems, directory services or mobile device management tools.

“These assets consist largely of employees’ personal devices connecting from home, as well as devices and servers used in shadow IT projects conducted outside the scope and purview of IT and security teams,” said the firm’s CEO J.J. Guy in the study. “In either case, these devices are missing the security tools that will protect your IT environment if the device is exploited. The risk here is clear: you can’t protect the assets you can’t see.”

SEE: Visibility across assets overlaps with cloud security, a critical practice, but daunting for the C-suite (TechRepublic)

Jump to:

Windows, some macOS devices lack protection

Besides the IT assets missing endpoint protection, the firm said nearly 27% of IT assets are uncovered by enterprise patch management solutions. The firm said:

• 23% of Windows servers are missing endpoint protection.
• 21% of Windows servers go uncovered by patch management.
• 6% of Windows servers are not in any enterprise software inventory.
• 14% of Windows clients accessing corporate assets are not enterprise devices.
• 5% of macOS devices accessing corporate assets are not enterprise devices.

The report’s authors said the Windows clients evading detection are on personal devices or systems, or at least on devices that are accessing a company’s software-as-a-service office automation assets or other IT infrastructure, but happen not to be in the company’s mobile device management technologies (Figure A).

Figure A

“While connecting to SaaS automation tools may be permissible, doing so at scale and without visibility into what assets are accessing the network introduces significant risk,” said the study.

SEE: Learn how data theft can come from inside the house (TechRepublic)

The study said the fact that 6% of Windows servers are not in any enterprise software inventory is a problem. “The likelihood is that these are the result of Shadow IT: instances unsanctioned by IT or security teams that were spun up — likely without applying the company’s security protocols — to accomplish some sort of specific task,” said the authors. “Instead of decommissioning these servers, teams may have simply abandoned them. As a result these servers remain connected to the network as a potential attack surface access point. In other instances, the servers may be actively being used as part of an ongoing Shadow IT initiative.”

Stale licenses are invisible costs

The report also looked at “stale licenses,” which represents devices or systems whose licenses expired, don’t exist or were taken offline incorrectly. The study found:

• Approximately 17% of endpoint protection software is licensed but not in use.
• Approximately 6% of patch and configuration management software is licensed but not in use (Figure B).

Figure B

It also reported that orphaned assets — those that appear in the security control console with a source agent installed, but have not checked in for a considerable period of time — pose a threat.

“Organizations with orphaned devices are rife with unknown security gaps, and organizations with stale licenses are overpaying for software,” said the company.

Finding cracks in the window, and tools you aren’t using

The Sevco report suggests steps IT teams can take to secure their exposed assets, including:

• Audit security/IT tools for coverage gaps, by correlating and deduplicating devices across sources.
• Find orphaned devices that might be vulnerable.
• Implement mobile device management to better secure personal devices.
• ID and remove any stale licenses in devices that haven’t been checked or used in a month.
• Either reallocate the licenses to other devices, or downgrade the licenses to save costs or use the budget for more productive ends.

“IT environments are constantly changing as new devices and new tools are introduced,” from the study. “Malicious actors have become very adept at leveraging those changes to take advantage of vulnerabilities.”

The firm suggested taking stock of all devices and systems offering ingress to networks. “In order to maintain the upper hand against sophisticated adversaries, it is critical for IT and security teams to maintain an accurate and up to date asset inventory that reflects the reality of their dynamic IT environment.”

Download: This Shadow IT policy from TechRepublic Premium.