This post first appeared on Risk Management Magazine.
Businesses everywhere should be increasingly concerned about the risks posed by unsanctioned shadow apps—any software applications that have not been cleared by a company’s information security team, but that employees use anyway. Because these apps are not sanctioned, they usually are not monitored or secured in the same way that approved apps are, making them vulnerable to exploitation by criminals and insider threats. Some of the most common kinds of shadow apps and the dangers they pose to the wider organization include:
Browser extensions. Web browser extensions have historically been difficult to secure and pose a significant threat to data security, making them a perennial favorite among cybercriminals. A compromised browser extension can be used to deliver malicious URLs, turning that browser into a potent cyber weapon. Every day, Google is forced to remove dozens of such browser extensions from its Chrome Web Store, and that is just one vendor.
Many recently discovered malicious extensions have been loaded with malware used for cryptocurrency mining and click fraud campaigns. Cryptocurrency mining in particular can have a devastating effect on an organization’s network, with the strain generated causing major performance issues and running up big electricity bills.
Instant messaging. Instant-messaging programs can be found in nearly every workplace, and while the most popular ones tend to be on the list of authorized apps, it is the use of unknown, unsanctioned messaging apps that introduces risk. For example, Pidgin is an open source client used by millions of people worldwide, but it can do much more than just enable communication between coworkers—in some environments, it can also be used as a tool for running arbitrary commands on infected endpoints and controlling backdoors.
Pirated apps. In recent years, a growing number of apps have been sold outside of official stores. Many of these have been designed to look legitimate, but are instead laced with malware, spyware, or worse. When installed, they can expose a network and the data held within to all kinds of cyberattacks.
The Wider Issues With Shadow Apps
Aside from the inherent risks that unsanctioned shadow apps present, they also create wider issues for IT teams. One of the biggest is the fact that they are not patched the way sanctioned apps are. The majority of large organizations operate strict patching regimes across all of their main applications, keeping them updated with the latest bug and vulnerability fixes. As shadow apps fall outside of this scope, however, it can be weeks, months or even years before the employees using them actually update, leaving them open to exploitation and unauthorized access.
In other situations, these apps may use the network to communicate with third-party sites that the organization is not even aware of. For example, after gaining access to sensitive data, an attacker could use an FTP application that the organization does not monitor to exfiltrate that data over FTP without the organization ever knowing about it.
Once an organization has established an ecosystem of sanctioned apps, it needs to take great care to ensure third-party apps that integrate with those sanctioned apps do not proliferate without the IT team’s knowledge. Popular cloud storage solutions like Dropbox and Box are often authorized for use in organizations, but they also interact with a large number of other apps that do not have the same authorization. If these avenues are not identified, they can quickly pose a threat to the organization’s data security.
A growing number of security technologies can be used to gain valuable insight into the apps employees are using, both sanctioned and unsanctioned. For example, some software can give the IT team complete visibility into the types of data flowing through their system and even block unauthorized apps from executing. Other software can be used to educate employees by alerting them when they attempt to open unsanctioned apps that are against company policy. Over time, these kinds of prompts help to change employee behavior, teaching them to think more carefully and understand when they are behaving in a risky manner.
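As an added illustration of the visibility and alerting described above (example code written for this discussion, not any product's own logic), the following Python check runs an IT allowlist over constructed endpoint telemetry: it flags unsanctioned applications that execute and raises the severity when one opens an outbound FTP connection, the unmonitored exfiltration path described earlier. The allowlist, process names, hosts and events are assumed sample values.

```python
# Added example (not from the article): an allowlist check over constructed
# endpoint telemetry that flags an unsanctioned app starting and, at higher
# severity, an unsanctioned app opening an outbound FTP connection.
import csv
from io import StringIO

# Hypothetical allowlist of sanctioned application names maintained by IT.
SANCTIONED = {"outlook.exe", "teams.exe", "chrome.exe", "dropbox.exe"}
FTP_PORTS = {21, 990}  # FTP control channel and implicit FTPS

# Constructed sample telemetry: process-start and network-connect events,
# one per line, as event,host,user,process,dest_ip,dest_port.
SAMPLE_EVENTS = """event,host,user,process,dest_ip,dest_port
process_start,ws-017,alice,chrome.exe,,
process_start,ws-017,alice,pidgin.exe,,
net_connect,ws-017,alice,pidgin.exe,203.0.113.9,5222
process_start,ws-042,bob,ftpclient.exe,,
net_connect,ws-042,bob,ftpclient.exe,198.51.100.23,21
net_connect,ws-017,alice,dropbox.exe,192.0.2.10,443
"""


def detect_shadow_apps(events_csv, sanctioned=SANCTIONED):
    """Return (severity, host, user, process, detail) alerts for
    every event involving a process that is not on the allowlist."""
    alerts = []
    for row in csv.DictReader(StringIO(events_csv)):
        proc = row["process"].lower()
        if proc in sanctioned:
            continue  # sanctioned app: covered by the normal patch/monitoring regime
        if row["event"] == "process_start":
            alerts.append(("medium", row["host"], row["user"], proc,
                           "unsanctioned application executed"))
        elif row["event"] == "net_connect":
            port = int(row["dest_port"])
            dest = f"{row['dest_ip']}:{port}"
            if port in FTP_PORTS:  # possible unmonitored exfiltration channel
                alerts.append(("high", row["host"], row["user"], proc,
                               f"unsanctioned app opened FTP to {dest}"))
            else:
                alerts.append(("low", row["host"], row["user"], proc,
                               f"unsanctioned app connected to {dest}"))
    return alerts


if __name__ == "__main__":
    for sev, host, user, proc, detail in detect_shadow_apps(SAMPLE_EVENTS):
        print(f"[{sev.upper()}] {host} {user} {proc}: {detail}")
```

In practice the allowlist would come from the software inventory and the events from an EDR or proxy, and the "low" alerts are what feed the employee-education prompts mentioned above.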
Shadow apps inevitably find their way into the majority of organizations. While not all of them pose a threat, many can if they are not carefully monitored and/or controlled. While IT teams may not be able to prevent all use of these apps across an enterprise, taking steps to know what they are, the data they are accessing and who is using them will all play a key role in minimizing the threat.