
Protecting yourself against IoT malware with shadow IT and shadow IoT

Posted by Marbenz Antonio on September 13, 2022

Securing shadow IT – May the force be with you!

Many of us have laptops, tablets, and phones in our Internet-connected homes. With a few servers and associated storage devices, some of us may even have home labs. We’re also more likely to have things connected to the Internet of Things (IoT) in the future.

What is the Internet of Things?

Devices like smart TVs, security cameras, thermostats, smart lamps, game consoles, DVRs, and other items are included in the Internet of Things. Your refrigerator, washer, and dryer, as well as kitchen scales, blenders, sous vide cookers, and outdoor grills, may all be connected household appliances.

At the very least, we should change the factory default credentials and create secure passphrases when installing these devices. But many of us forget to keep updating our gadgets’ software once they’re up and running. We’re all busy, and if we care to check at all, it’s so simple to click “Remind me later.”

These connected gadgets may not immediately come to mind as targets for cyber attacks, but they can serve as entry points for attackers into other systems, putting your data and privacy at risk.

Examples of IoT at the office

How does the Internet of Things work at work? In addition to connected security cameras, DVRs to record video footage, smart locks and badge-reading devices, environmental controls, and fire suppression systems, smart TVs may be employed as digital signs.

Consumer-grade IoT gadgets may also show up in our networks and businesses. When Pat’s streaming stick was brought in to watch the big game on the big screen in the conference room last spring, it was a big hit. Brenda’s treasured toaster and Steve’s smart kettle might be in a break room near you right now!

What is shadow IT?

Shadow IT refers to the use of information technology by people or groups outside of the main IT department of a company. These unofficial systems are usually established as a result of real or imagined flaws in centralized information management systems.

We don’t usually encounter questionable individuals when we look at cases involving shadow IT. Instead, we find intelligent, hardworking individuals who genuinely want to solve issues and contribute to their fields of endeavor. Workers occasionally lack knowledge of available options and offerings that might satisfy their demands.

Shadow IT examples

The colloquial “server beneath the desk,” cloud provider accounts, and productivity applications like chat, file-sharing, and note-taking programs are all examples of shadow IT. When time constraints, frustrations, and the need for flexibility collide, employees resort to shadow IT. When deadlines are approaching, it seems unworkable to wait for the IT department to deploy a new program (let alone go through the contract negotiation process).

Take, as an example, tech professionals who frequently need to cooperate in close to real time.

Most of them have advanced technical skills, and some of them are roadies who frequently travel to work with their clients. They want a chat app that works on both their PCs and phones, doesn’t require a VPN connection, enables lengthy discussions, and meets their technical feature needs. Their preferred threading experience in group conversations, APIs that enable them to design chatbots that interface with other tools, and a variety of ways to express oneself beyond text are all must-have features.

They are aware that they have some options if they are unsatisfied with the company’s current chat program, including setting up their own chat server, using personal messaging services or social media accounts, or registering for a free Software as a Service (SaaS) option online.

Shadow IT consequences

What possible effects could pursuing shadow IT have? In the given case, our tech staff members’ chat software might not use end-to-end encryption, passing their conversations in clear text. It might lack a reliable authentication system and most likely won’t be included in the business’s SSO.

Who will oversee the accounts, add new workers when they come on board, and more importantly, remove them as they depart? Old accounts that were abandoned without being checked on might still have access to all chat history and could be compromised and used for corporate espionage or other illegal acts.

What would happen if the chat solution were later abandoned after business processes had grown to depend on the service, for example through ChatOps connectors with CI/CD pipelines?

What happens if only a part of the company uses the alternative chat program? This could result in scattered islands of various groups of workers, or even worse, overworked employees who must monitor talks across different platforms.

What information would be made public if the chat software was compromised? How could a potential compromise be investigated if the chat solution has insufficient logging capabilities or the logs of a social media app or SaaS product are just not accessible to end users?

Did the team carefully study the terms and conditions of any services they paid for to comprehend the agreement they signed on behalf of their employer? They might have consented to the sale of their data or the provider’s exclusion from responsibility in the event of a data breach.

It may be devastating for their business if the conversations our tech workers have about their clients, their data, and their contracts are made public. A significant loss of customer information could lead to brand-damaging public disclosures and penalties under the GDPR and other privacy rules.

How to stop shadow IT?

In a perfect world, we would be able to stop shadow IT before it even gets off the ground by offering IT services that fully meet the requirements of our staff members and the training necessary for them to take full advantage of those services. However, it may be impossible to completely prevent shadow IT as the universe of possibilities continues to grow and our users’ needs get more specialized.

We may make decisions as IT professionals to lessen the risk posed by shadow IT. We can start by looking for the use of unauthorized systems. If we start with an accurate and current inventory of all of our hardware and software assets, this task will seem less difficult.
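One way to start that search is to reconcile what the network actually hands out addresses to against the asset inventory. The sketch below is an added example, not part of the original article; it assumes DHCP leases in dnsmasq's lease-file format, and the inventory, MAC addresses, and hostnames are all constructed.

```python
# Added example: reconcile DHCP leases against an approved-asset inventory.
# Lease lines follow dnsmasq's format: expiry, MAC, IP, hostname, client-id.
# All sample data below is constructed for illustration.

APPROVED = {  # hypothetical inventory: MAC -> asset description
    "00:11:22:33:44:55": "conference-room display",
    "00:11:22:aa:bb:cc": "lobby badge reader",
    "00:11:22:de:ad:01": "server-room camera",
}

LEASES = """\
1663070000 00:11:22:33:44:55 10.0.20.11 signage-01 *
1663070100 00:11:22:AA:BB:CC 10.0.20.12 badge-lobby *
1663070200 b8:27:eb:12:34:56 10.0.20.40 streaming-stick *
1663070300 da:a1:19:0f:0e:0d 10.0.20.41 * *
"""

def is_randomized(mac):
    """True if the locally-administered bit is set (typical of private/randomized MACs)."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def parse_leases(text):
    """Yield (mac, ip, hostname) for each well-formed lease line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or truncated lines
        _expiry, mac, ip, host = fields[:4]
        yield mac.lower(), ip, (None if host == "*" else host)

def reconcile(lease_text, approved):
    """Return (unknown devices on the network, approved assets not seen)."""
    seen, unknown = set(), []
    for mac, ip, host in parse_leases(lease_text):
        seen.add(mac)
        if mac not in approved:
            unknown.append({"mac": mac, "ip": ip, "hostname": host,
                            "randomized_mac": is_randomized(mac)})
    missing = sorted(set(approved) - seen)
    return unknown, missing

if __name__ == "__main__":
    unknown, missing = reconcile(LEASES, APPROVED)
    for dev in unknown:
        print("not in inventory:", dev)
    for mac in missing:
        print("in inventory but no lease:", mac, APPROVED[mac])
```

Devices flagged with a randomized MAC cannot be tracked by MAC address alone, and inventory entries with no lease point to records that are no longer current.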

A complementary strategy might be to simply speak with our users to find out what demands aren’t being satisfied by the services provided by IT and how they get around such restrictions. These discussions may offer an opportunity to further inform our users on the features and capabilities of our current IT offerings. We might also find an unusually large number of existing shadow IT systems.

Managing existing shadow IT

The initial reaction may be a strong urge to completely shut everything down when we do discover existing shadow IT networks. Instead, keep in mind that our users who took the time to build up shadow IT systems are trying to communicate with us, and we would be wise to take a moment to listen.

We may learn about the problems experienced by our employees and the limitations of our systems when we approach shadow IT with curiosity, and we can then develop a strategy to appropriately solve those problems. If we discover that our users aren’t making use of the current services, this gives us the chance to enhance our education programs. We can work with our users to suggest a strategy for switching to authorized systems.

Our strategy may involve collaborating with teams to bring their system in line with corporate IT and security requirements when our users’ shadow IT systems are unable to adequately answer a demand. The risk of compromise and data leaks can be reduced with the use of this kind of solution, which can also enable users of the system to have realistic expectations for system maintenance.

The ideal strategy may be to guide the teams managing the shadow IT systems through the “becoming legit” process, which can involve carrying out security and data protection assessments, negotiating an enterprise agreement with a service provider, and setting up centralized authentication and logging. When we can bring a shadow IT system into the open as an official IT system, our users will feel heard and believe that their IT team is attentive to their needs, and the final product will likely be acceptable to all.

Shutting down shadow IT

We might need to pursue a shutdown if a Shadow IT system cannot be made compliant. Some of our users may find this upsetting and difficult to accept, but open and honest communication is helpful. Goodwill toward the IT department can be maintained or restored by explaining why a shutdown is unavoidable, defining expectations on sunset timescales, and defining our plans to address unmet needs with an alternate solution.

We choose inaction when we don’t move toward a managed risk strategy, the road to legitimacy, or a controlled shutdown. Not only does ignoring shadow IT encourage its growth and fail to address its risks, but it also communicates negative information about our IT organization. Whether our users interpret our silence as incapacity or indifference, it does not favor us. On the other hand, adopting constructive action along with openness and two-way communication results in the perception that IT is a trusted partner, not a burden.

What is a botnet?

A botnet is a group of computers that have been infected with software that enables remote control of the entire network without the owners’ knowledge or consent. To give orders to their hordes of machines, botnet controllers use covert channels. These orders tell the machines to send spam, commit click fraud, steal personal information, run password-cracking software, or launch Distributed Denial of Service (DDoS) attacks.

Botnets can be centralized, in which case newly compromised devices connect to a central command and control (C&C) server to open a channel of communication. The C&C can then instruct its bots using this command channel. Because a centralized C&C server is usually a single point of failure for a botnet (that is, knocking it down can minimize the effectiveness of the botnet), other botnet organization strategies have emerged.

Tiered C&Cs may have layers of various C&C servers. In decentralized or peer-to-peer botnets, members act both as C&C servers that issue commands to other botnet members and as clients that receive commands. Some botnets even attempt to blend in by using public communication channels like Pastebin.

What is an IoT botnet?

IoT botnets are simply botnets made up of compromised IoT devices, and they function similarly to traditional botnets. Many IoT botnets also scan for open ports and default passwords to find more devices to infect, spreading their malware to as many as possible. Because thousands of similarly configured (and similarly vulnerable) IoT devices may be deployed at once, modern IoT botnets can scale up more than traditional botnets that depended on infecting susceptible PCs and servers.

Because IoT devices are often always on and connected (think DVRs and security cameras), attackers find them appealing. IoT botnets are particularly well-suited to launch powerful DDoS attacks because of their potential size. Some, like Mirai, have even generated more than 1 Tbps of traffic.

Malicious Executable and Linkable Format (ELF) binaries can target IoT devices that run Linux and Unix-based operating systems; ELF is a file format usually present in the firmware of embedded systems. When these devices are directly connected to the public Internet, malware can be distributed quickly and easily over the SSH or telnet network protocols by using the hardcoded default credentials (admin/admin).

Exploiting security bugs in unpatched, factory-shipped firmware versions is one of the other possible strategies. Once a connection to an IoT device has been made, the malware payload is sent to finish adding the device to the botnet. To maintain control, attackers may then alter the default credentials, locking out the device’s owners (or other attackers).

Many infected IoT devices don’t show any performance decrease even when actively taking part in a DDoS attack and just carry on operating as intended. Because of this, their owners may never learn about the compromise or decide to fix it. Attackers can use IoT devices for weeks, months, or even years without being discovered because many of them aren’t regularly maintained or constantly monitored.
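Since the device itself gives no sign of compromise, the network is where it shows. The following added example (not from the original article) flags internal devices that reach out to many distinct external hosts over SSH or telnet, the spreading behavior described above; the log format, internal address range, and threshold are assumptions, and the flow records are constructed.

```python
# Added example: flag internal devices that fan out to many hosts on SSH/telnet.
# Log format and threshold are assumptions; the sample records are constructed.
from collections import defaultdict
import ipaddress

SCAN_PORTS = {22, 23}      # SSH and telnet, the protocols named in the text
FANOUT_THRESHOLD = 5       # assumed: distinct external targets per log window
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

def make_sample_log():
    """Constructed flow records: 'src_ip dst_ip dst_port action'."""
    lines = ["10.0.20.12 10.0.1.5 443 allow"]            # badge reader -> server
    lines += ["10.0.20.40 203.0.113.%d 23 deny" % i for i in range(1, 9)]
    lines += ["10.0.20.40 198.51.100.%d 22 deny" % i for i in range(1, 4)]
    lines += ["10.0.1.50 10.0.20.11 22 allow"]           # admin SSH to one device
    return "\n".join(lines)

def find_scanners(log_text, threshold=FANOUT_THRESHOLD):
    """Return {src_ip: sorted distinct external targets} for suspected scanners."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue  # ignore malformed records
        src, dst, port = parts[0], parts[1], int(parts[2])
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue
        # Denied attempts count too: a blocked scan is still evidence of compromise.
        if port in SCAN_PORTS and src_ip in INTERNAL and dst_ip not in INTERNAL:
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= threshold}

if __name__ == "__main__":
    for src, dsts in find_scanners(make_sample_log()).items():
        print(f"{src} contacted {len(dsts)} external hosts on SSH/telnet")
```

A single administrative SSH session to one internal device stays below the threshold, while a device sweeping external addresses is reported even when the firewall blocked every attempt.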

How to avoid IoT malware?

Shadow IT and the IoT combined can have negative outcomes for IT and security teams, well-intentioned workers, and even the bottom line. The good news is that protecting yourself from IoT malware is rather easy:

  • Any embedded device’s default credentials should always be changed, and a secure passphrase should be used in its place.
  • To be protected from potential dangers, users should frequently check with the manufacturers of their devices for firmware updates.
  • You can still minimize your exposure if a smart device is the best option to meet your needs. It is possible to disable the “smart” characteristics of some devices, such as televisions. Using different VLANs and firewall rules, you can take action to isolate these devices on your network. If the features aren’t required, you can also decide to avoid connecting the device to the network altogether.

 

