How Shadow IT Impacts Your Phishing Strategies
Welcome to Gone Fishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swalm, CEO of Phin Security, and welcome to Gone Fishing.
Connor Swalm:
Hey, everyone. Welcome back to another episode of Gone Fishing. I'm your host, Connor, the CEO at Phin, and I am joined once again by a great friend of mine, John Harden. He is the Senior Product Marketing Manager of SaaS at Auvik. John, how are you doing?
John Harden:
I'm good. When I joined here at Auvik, I asked them to give me the longest title. That way, when people introduce me, it's super hard to say.
Connor Swalm:
It is a lot of syllables, and I always have to make sure I slow down to not try to run through it too quickly. So I appreciate you saying that.
John Harden:
I tried to get a couple more syllables in, but that's the max I could get.
Connor Swalm:
Maybe if you added, like, Reverend or Junior at the end. So you're Senior Product Marketing Manager, Junior, or something like that.
John Harden:
Maybe next time I can get Senior at the tail of it. Senior, Senior. We'll figure that one out.
Connor Swalm:
I'm here for it. If you need someone to vote on your behalf, I'm happy to cast my vote in that direction. The longer the better. Vote for the one with the most syllables.
John Harden:
That way you have to introduce me. You're done introducing me now, so.
Connor Swalm:
So we've had you on the podcast before. We chatted about what shadow IT and shadow SaaS actually are, where MSPs fit, and why it's important for them to understand what is actually going on in their clients. A question that I had, that I actually asked before we hopped on the podcast, is: where does shadow IT, where does shadow SaaS, fit into compliance frameworks? Whether that's NIST 800-171, NIST 800-53, or the CIS Controls, even though it's not technically a framework. Those are the really popular three. Where does this fit into it?
John Harden:
Yeah, I'll talk on CIS. I do like CIS because it's really prescriptive. It gives you not only what needs to be done, but how to go about resolving it. So SaaS in general, I always tie it down to the apps layer of CIS 2.1, 2.3, and 2.5, and then on the account layer, 5.1, 5.3, or 5.5.
Connor Swalm:
Sorry.
John Harden:
So let me step back. That way I'm not just rattling off numbers. In general, with most of these frameworks, or with CIS, it's saying you need to have a software inventory. And I really don't care what compliance your business is under. If it's PCI, HIPAA, if you have CMMC requirements, FTC Safeguards, whatever requirements you have on a compliance layer, every one of these things requires a software inventory. I have yet to find a framework where it's just like, yeah, we don't need to know what software you have. It doesn't matter. Because why is it so important? Because that's where your business data is. And every cybersecurity framework and every cybersecurity program and every cybersecurity IT stack is designed to protect data. And so at the heart of all those software assets is data.
John Harden:
Now, CIS doesn't exclusively call out SaaS applications, but CIS does say, where required, it must include the URL or app store or the source it came from. So it's starting to lean into understanding that SaaS is there. So that's your inventory. But on 2.3, the discussion is around addressing unauthorized software, and it recommends reviewing monthly or more frequently the software assets inside of your business to ensure that they're not unauthorized software. This is where I love, especially in the MSP sector, integrating into the QBR, because it's not monthly, but at least it's quarterly where you're addressing unauthorized software as a part of your recurring practice. So that's 2.3, and then 2.5 is really around the allow list of software. You can't build allow lists without knowing your inventory to get started. That's why it's an advanced control below that 2.1.
John Harden:
But having a map of what's out there is really critical. So from the software inventory there's that, and then I'll quickly go through. There's also the account inventory. You don't ever access a SaaS tool as John Harden. John Harden doesn't access Salesforce. John Harden has an account, jharden@auvik.com, that accesses Salesforce. And so account inventory is just as critical. So not only knowing what SaaS assets are out there and what shadow IT assets are out there, but how they're accessing them. And even further, last thing here on the service account side, are they accessing them with service accounts? So what are those audit logs that are building up behind that SaaS access, so that you know, okay, my three ITs using admin, which I don't think we have that practice, admin are accessing these tools.
John Harden:
So when that employee leaves, I need to make sure we revoke them out of there and we rotate that admin account. So in general, it's software inventory and account inventory and access logs that all need to be built. And that's where something like a SaaS manager can help, Phin.
Connor Swalm:
That compliance framework piece makes sense. If you think about compliance frameworks from a top level, it's: what risk are you aware of, making sure you're aware of it, and then mitigating as a result. And the accounts that people use to log into software on devices, those three, hardware, software, accounts, that's typically the three levels of risk, or three places that risk ends up introducing itself into an organization.
John Harden:
Yep. And that's why I always make sure I talk about accounts, too. It's not just what is the tool, but what is the access. You know, is that access secured with SSO? Does that SSO have MFA? Is that account being used by multiple people in the company? That's really critical, because I know companies that have that IT policy that doesn't let them log in with their corporate domain into a lot of these apps, so they choose to log in with a personal domain. And if it's going to happen, it needs to at least be monitored and auditable for your cybersecurity framework, to make sure that you know that there's business data in these systems where personal accounts are accessing them.
Connor Swalm:
Every time I have a conversation with a group of MSPs, whether that's a talk at a conference, or whether that's just talking with a group of our partners, I usually make the statement like, don't raise your hand, because you're not going to want to, but how many of you all share accounts? Or worse, how many of your IT folks just use the password and the accounts that are in the IT documentation tool that you all have access to? It's like, everyone who just giggled in this room, you're who you should be worrying about. That's why you actually just laughed. Yeah, because it happens far more often. Even if it's your company policy, it happens far more often than you believe.
John Harden:
Well, and that's where I think the key thing here is. That's why Identify is before all these other measures, right? Because at a minimum, even if you know it's happening, you need to know who had access, who was using it, where they were using it. Because if you go to get rid of one of your techs, you need to know who is impacted and what they have access to, so that you can go rotate the credentials and secure that account back to another state. Now, there are obviously advanced tools that can help you get rid of this problem. But if you don't want to invest in those tools, at least document that it's occurring so that you can have a manual process to remediate.
Connor Swalm:
That makes sense. Now, if this has a place in at least the CIS Controls in some capacity, shadow SaaS and shadow IT, does that also fit into cyber insurance somewhere? Are you starting to get questions, or field questions on behalf of MSPs, about it today?
John Harden:
So it doesn't have a direct layer, and it surprises me a bit. They do call it software inventory. And I think, you know, this might be a little bit of a gap where I'm not 100% sure, but I know they call out software inventory exclusively. Most of them haven't matured down to SaaS inventory. But that doesn't mean that some of the larger questionnaires, maybe in the enterprise space where I don't have as many conversations, aren't getting these questions, because I know the questionnaires aren't getting easier. But there is one place that is a slam dunk right in the middle of all of this, and it's single sign-on.
John Harden:
If you are logging into Salesforce with John Harden the user, on jharden the account, into Salesforce the application, jharden@auvik.com needs to be protected via multifactor, and I need to make sure I'm accessing it via a single sign-on mechanism. And so if you are adhering, or you are attesting, to that cyber insurance piece that you have single sign-on on all your major systems, and one of those major systems wasn't secured with single sign-on or multifactor, but you attested to it, that's where your risk begins. That's where the risk starts to come into the organization, because you are no longer within that cyber insurance affidavit that you made around SSO and MFA. So that's probably the big piece. That's why I go back to that account inventory. You know who's accessing it and what measures are behind that level of account access.
Connor Swalm:
That makes a lot of sense. That information you just mentioned, the accounts that people are using, the software they're logging into, how could that be used maliciously to, I don't, the word hack is overused, but do something bad at an organization, whether that's exfiltrate data or gain access where others should not?
John Harden:
Yes. So that's where you start to get into supply chain attacks. You start to talk about exposing an account in a breached system and trying to leverage that same account to promote levels of access up. So, for instance, let's take GoDaddy. They were part of a breach, I think it was a couple of years ago or something like that. I can't actually recall if passwords were exposed, but let's just go with the sense that there are a million different vendors being breached, and there are clear-text passwords being exposed.
John Harden:
If I'm part of one of those systems, I, as the IT administrator, need to know that my user accessed that system when that vendor breach occurs, so that I can go resolve the issues with my users, rotate the accounts that they were using to access it, and make sure that they weren't using that password externally in different areas of the organization. So I, as an IT admin, need to know, whether it was an account that was for work or for personal, that this thing was breached, so that I can go rotate those accounts and move forward. That's one of those key areas.
John Harden:
Because when it comes down to the third-party attack surface, having access to more information on the user is also going to put you at risk for things like phishing, where they know what you use, they know those tools you use, they know that you're using shadow IT assets. You maybe aren't as alert on what's going on. And so if a Dropbox email comes through, you don't think maybe it's your company phishing, or you don't think about it, because it's just a shadow IT asset you're using, so you're less vigilant.
Connor Swalm:
Let's explore that thought for a bit. One of the most effective things, you know, even people coming up to me at conferences saying, you guys phished me because I was expecting a Slack invite, and then you sent me one somehow. It's like, well, you know, if you send enough emails with enough tools, you'll catch one at the right time. And surprise, that is exactly how phishing works in the real world. It's most often not this incredibly targeted attack. It's just send enough phishes, send enough attacks with enough variety, and you'll catch somebody at the right point, mentally, physically, emotionally, spiritually, whatever, where something happened in their work and they'll just shut off their unconscious. The gut check doesn't happen, the warning bells don't go off, and they just follow that path blindly. So how could we use phishing?
Connor Swalm:
Maybe phishing simulation. How do you think we could use that to reduce shadow IT, if that's exactly what the IT team wanted?
John Harden:
Yeah, I mean, I think around the phishing elements to reduce shadow IT, I'll be honest, that's a tough challenge for me. You know, I think when it comes down to phishing, it's all about the education and awareness, right? It's not about getting hit, it's about learning the mechanisms that are coming in. And I think that the same way IT administrators are working to educate their employees on how phishing attacks come after them, they can do another way of educating their customers around how, you know, using shadow IT can open them up to third-party vendor attacks. I do think shadow IT is a big entry point, though, where phishing can occur, in the sense that, again, their guards are down, and even more so because they're in a shadow IT asset.
John Harden:
So being able to attack those assets where IT may not even have visibility, a phishing attack can happen, escalation can happen, and IT didn't even know it's happening.
Connor Swalm:
I think that's absolutely right. There is not just little visibility, there's no visibility into phishing that is occurring on shadow IT, because of the accounts that are used. To give an example that I could see happening: in Microsoft Defender, if you have an allow-listed set of tools and somebody's getting phished with one of those tools, so it's not coming from the right domain, Microsoft's probably going to catch that. It's probably going to say, hey, this is a big red flag. It's going to get escalated in the right way, or it's just flat out going to get blocked to begin with.
Connor Swalm:
But if you have a tool that Microsoft isn't aware your people should be logging into, accessing on a regular basis, and receiving communications from, that's just ripe for somebody to come along, send the right kind of communication, and get the employee in the process.
John Harden:
Well, yeah, take that example. WeTransfer, Dropbox, Box, Citrix file share, you name it, any of these file sharing tools. I mean, there's that case with the Tesla engineer that exfiltrated code out of Dropbox using a personal account. A lot of people sign up for these file sharing tools with personal accounts, and IT doesn't know about it because it's a personal account, or because it's a shadow IT asset, or a mix of both. And if they were able to expose that personal account to Dropbox, nobody would ever have any indicator that there's a lot of sensitive data in there.
John Harden:
Like, you know, how many times have you worked with a vendor where you're uploading your customer list to get the system loaded up, like a CRM or ERP or something like that, where you're transferring critical data, or you're putting it into a finance tool? And so you put the data in a third-party SaaS tool to get it over, and then all of a sudden that gets exposed. But IT never documented the account, they never documented the software, the exposure. They don't even know what's happened. That data is now something that attackers can use to escalate further internally into the organization, or just hold you ransom for your data, or even open up data that's in there, if it's a customer list, where you now expose your customers to a third-party supply chain attack.
John Harden:
So that's the risk of shadow IT with phishing: if you escalate into a shadow IT asset via phishing, a lot of murky things can go on, and IT has no visibility.
Connor Swalm:
No visibility at all. You touched on a really good point that actually led to a debate I had with several other security awareness folks in the industry. And it was, if your goal was to just have this gotcha moment of, oh, we caught you using shadow software. Like you said in one of the previous episodes, our goal is not to slap people on the wrist and say you did a bad thing here. It's to help educate and to bring them into the fold. A quote I made recently is, I remember in high school playing lacrosse, my coach made a statement that didn't make sense to me at the time, and we ended up having to run laps for it because we didn't answer the question right. But it was, all of you play defense.
Connor Swalm:
It doesn't matter what side of the field you're on. And so these employees are, whether or not you'd like it, in some ways an extension of your IT team. If they introduce risk to a company, that is your IT team's responsibility, because that's their whole job: to know what risk people have introduced and what your company is assuming in the process.
John Harden:
And that's what it boils down to. That's why shadow IT visibility is so critical, because it's not, again, about slapping the wrist. It's not about saying no. It's about knowing. It's about fostering a relationship with the employees so they know they can come to you when they want to try new tools, or they can come to you to get approval. It's about educating them on the risks of it so that they know to come to IT to vet those risks.
Connor Swalm:
Yeah. Wes Spencer, when he was the, I don't know if he was the CISO at a bank, but he tells the story all the time, when he was in charge of security at a bank, he would ask a very simple question, which was, hey, if an employee does notice that they did something incorrectly, do you want them to try to hide that because they're worried we're going to punish them? Or do you want them to come to us and say, hey, I screwed up, could you please come help me fix this? It's like, well, as IT folks, you know exactly what you want. You want to gain 150% visibility into exactly what's happening and what's going on, which means you need that to be brought to you. So this wrist slapping, you know, smack them on the wrist.
John Harden:
Yeah.
Connor Swalm:
It doesn't work. It only creates this toxic culture of security that people want to check out of completely.
John Harden:
Yep, exactly. And that's the key thing there. It's about building a culture, and the culture has to be top-down from IT. And again, the reason we're doing phishing campaigns, the reason we're getting visibility, the reason we're doing all this is to understand risk and to mitigate risk and to educate around risk, so that the next time it gets done correctly by the employee. So I think that's probably the best way to wrap it up there, Connor.
Connor Swalm:
Awesome. So where should people go to learn more about SaaS management, about you, if you'd like them to get in touch with you?
John Harden:
Yeah, of course. I mean, I'm on LinkedIn. Feel free to follow me, give me a holler, shoot me a message. I'm active on there and always happy to engage. Or, around SaaS management, feel free to go to auvik.com and click on our SaaS Management link at the very top. Learn a little bit more and try the platform if you want to see what shadow IT is in your environment.
Connor Swalm:
Awesome. For the folks that are listening, or if you're watching, we will have links to not only John, but also Auvik, so you can reach out and take a look if you'd like. Thank you everyone for listening. John, thank you so much for joining today and sharing a bit of your wisdom. I had a blast.
John Harden:
I had a blast too. Thanks for having me, Connor. Always good to chat.
Connor Swalm:
Thanks everyone for listening and we'll see you on the next episode.
John Harden:
Cheers.
Connor Swalm:
Thanks so much for tuning in to Gone Fishing. If you want to find out more about high-quality security awareness training campaigns, and how to launch them in ways that actually engage employees to change their habits, then check out Phin Security at phinsec.io. That's P-H-I-N-S-E-C dot I-O. Or click all of the wonderful links in our show notes. Thanks for fishing with me today, and we'll see you next time.