Shadow IT - Are employees guilty of putting businesses at risk?

In late August 2016, a huge cache of personal data from the cloud-based file sharing and storage website Dropbox was leaked online. The data leak contained over 68 million credentials stolen in a hack which first occurred back in 2012. As a result, Dropbox warned its customers to reset their passwords if they had signed up for an account prior to mid-2012.

Being a user of Dropbox, my reaction was to try to obtain a copy of the leaked credentials to check if my account was within the data; considering the size of the data breach, I would have been amazed had I not found my account. Thankfully, Dropbox had ensured that all passwords were hashed using either the SHA1 or bcrypt algorithm, making it difficult for malicious individuals or criminals to crack the hashes back into plain text passwords.

So, how does this relate to the title of this article? The breach got me thinking about the number of employees in organisations who may be using services not officially sanctioned by centralised IT services. "Shadow IT" refers to devices, software and services used outside the control of the IT organisation. Services such as Dropbox are often used without authorisation, and the unsanctioned use of these services could contribute towards an increased risk of sensitive company data being accidentally leaked.

Now imagine the scenario - an employee uses a cloud-based service to store information relating to business activities. A data breach occurs and the employee's email address and password are exposed. Now, what if the employee had used the same password for a variety of different services, such as logging into corporate email or accessing resources on the company network? As an attacker, I would be trying to leverage this information to further attack resources within the company or organisation.

So, I asked myself a hypothetical question - which companies/businesses would I expect to possibly have an exclusion on using such services?

I started with a quick review of the number of users from some of Scotland's regional councils:

Aberdeen City Council - 91
Aberdeenshire Council - 42
Angus Council - 20
Dundee City Council - 32
Edinburgh City Council - 29
Fife Council - 20
Scottish Government - 47

I then turned my attention towards a financial institution - The Royal Bank of Scotland, noting 79 individuals using the service. I then examined the information further, looking for email addresses associated with NCR, a company that designs and develops cash machines. To my amazement, I noted 407 individuals from NCR using Dropbox. Should a bank, and a company that helps design and distribute cash machines, really be using a service such as Dropbox?

I started to imagine the severity of the problem of using these services in an unregulated manner. Regardless of the type of content that is stored, or how securely or well hashed the users' passwords are, I now have 79 addresses which could potentially be used in an email phishing attack at RBS, 407 for NCR, 91 for Aberdeen City Council - the list goes on and on.
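The per-organisation counts above were produced by grouping leaked addresses by email domain. The following is an added example written for this article, not code from the original post, showing how a defender would run the same check against their own domains: it parses a dump, counts exposed accounts per watched domain, and flags the accounts whose stored hash is the weaker SHA1 form so those password resets can be prioritised. The dump format ("email:hash", one per line) is an assumption, and the records below are constructed sample data with fictitious addresses and placeholder hashes, not the real leak.

```python
"""Defender-side check of a credential dump: count exposed accounts per
email domain and flag the ones whose stored hash is the weaker SHA1 form,
so password resets can be prioritised.

Added example written for this article; it is not code from the original
post. The dump below is constructed sample data with fictitious addresses and
placeholder hashes, not the real leak.
"""
import re
from collections import defaultdict

# bcrypt strings begin with a "$2a$"/"$2b$"/"$2y$" marker and a two-digit
# cost; a raw SHA1 digest is 40 hex characters. We classify by shape only.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$")
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed "email:hash" records (placeholder hashes, not real ones).
SAMPLE_DUMP = """\
alice@example-council.gov.uk:$2a$10$PLACEHOLDERbcryptSaltAndDigestValueXXXXXXXXXXXXXXXXXX
bob@example-council.gov.uk:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
carol@example-bank.co.uk:$2b$12$PLACEHOLDERbcryptSaltAndDigestValueXXXXXXXXXXXXXXXXXX
dave@example-bank.co.uk:da39a3ee5e6b4b0d3255bfef95601890afd80709
erin@example-bank.co.uk:7c4a8d09ca3762af61e59520943dc26494f8941b
frank@unrelated.example:da39a3ee5e6b4b0d3255bfef95601890afd80709
this line is malformed and must be skipped
"""


def classify_hash(stored):
    """Return 'bcrypt', 'sha1' or 'unknown' based on the hash's shape."""
    if BCRYPT_RE.match(stored):
        return "bcrypt"
    if SHA1_RE.match(stored.lower()):
        return "sha1"
    return "unknown"


def parse_dump(text):
    """Parse 'email:hash' lines into (email, hash) tuples, skipping junk."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        email, _, stored = line.partition(":")
        if "@" not in email or not stored:
            continue
        records.append((email.lower(), stored))
    return records


def exposure_by_domain(records, watch_domains):
    """Per watched domain: number of exposed accounts and how many of them
    are protected only by SHA1 (the ones to reset first)."""
    watch = {d.lower() for d in watch_domains}
    summary = defaultdict(lambda: {"accounts": 0, "sha1": 0})
    for email, stored in records:
        domain = email.rsplit("@", 1)[1]
        if domain not in watch:
            continue
        summary[domain]["accounts"] += 1
        if classify_hash(stored) == "sha1":
            summary[domain]["sha1"] += 1
    return dict(summary)


def priority_resets(records, domain):
    """Emails at `domain` whose hash is SHA1, i.e. most at risk of cracking."""
    domain = domain.lower()
    return sorted(email for email, stored in records
                  if email.endswith("@" + domain)
                  and classify_hash(stored) == "sha1")


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    watched = ["example-council.gov.uk", "example-bank.co.uk"]
    for dom, stats in exposure_by_domain(recs, watched).items():
        print(f"{dom}: {stats['accounts']} accounts, {stats['sha1']} on SHA1")
    print("reset first:", priority_resets(recs, "example-bank.co.uk"))
```

Only domains you own should be on the watch list; the point of the check is to find your own exposed accounts and force resets (and block password reuse against corporate logins), not to build lists for other organisations.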

So why publish this article? Haven't I just helped malicious hackers create a new target list for a phishing attack? I doubt it; anyone intent on doing damage with this information will most likely have done it already.

On one final note, many of the aforementioned councils and businesses may well permit the use of such services. With the correct guidance and user policies, there is no reason to fear the use of these online services; however, due care and attention should be taken, because without guidelines your employees could well be putting your IT infrastructure and network at risk.

Note: this article was previously published in 2016, but due to technical errors it was lost. Republished in May 2017 with some slight amendments.