Gaining Visibility into Shadow IT: The Case of NASA JPL
What comes to your mind when you hear the term ‘Shadow IT?’ For some people, they first think about Ra’s al Ghul’s League of Shadows –formerly referred to as League of Assassins- in the film Batman. This answer is not far from the truth because Shadow IT is an assassin targeting organizations with huge adverse implications. Shadow IT refers to IT systems, devices, software, and applications used in an enterprise without the knowledge and approval of the IT department. It presents huge threats for organizations because of its monetary and security risks. According to a Gartner report, by 2020, an estimate of a third of successful attacks on organizations will be on shadow IT resources.
Organizations cannot afford to ignore shadow IT and its security risks anymore. They should take preventative measures against it and secure their networks. However, as opposed to the past when it was easy to identify and shut down shadow IT, nowadays it is not. Presently, finding shadow IT resources is hard because of the many applications stored in the cloud. This article sheds more light on shadow IT so that enterprises can learn about its risks and take preventative measures to tackle it.
Why do employees turn to Shadow IT?
Shadow IT can be hardware or software resources that do not have proper approval. In most cases, shadow IT resources are applications that employees use to perform tasks faster and effectively. Below are some of the common reasons for employees using shadow IT.
- Work more effectively. For instance, if an employee discovers a better file sharing app than the officially permitted one, he may decide to work around the organization’s security policies to use it and even share it with colleagues.
- Use the software they are familiar with.
- Avoid bottlenecks.
- Work with software or application that is compatible with their mobile devices. Employees want to use applications that extend beyond work to personal use.
- Operate with legacy applications that are no longer supported.
Although there are many reasons for employees using shadow IT resources, they only see the upside of it and do not understand the security risks they pose.
Effects of Shadow IT
· Introduces security risks
Shadow IT has the potential to introduce security risks because the unapproved hardware and software do not have the same security level as approved technologies. When software has a vulnerability, the software vendor offers a patch. IT professionals have the obligation of conducting patching and testing the patches. However, shadow IT lacks someone to conduct the patches and install updates to prevent security issues.
· Increases the likelihood of a data breach
The IT team has no control of who accesses the shadow IT resources as well as who modifies and copies data. An employee who has resigned or has been fired still has control over the data and who knows what he can do?
· Bring compliance issues
The hardware and software that are not IT approved are a compliance issue. A good example of this is an employee storing sensitive corporate data in his personal DropBox account. A Skyhigh Networks Cloud Adaption and Risk Report revealed that employees in an average organization use approximately 1,083 cloud services. Many of these are installed on the sly without IT team knowledge and vetting. In some cases, sensitive corporate data is stored in these services and hence jeopardizing it.
· Increase the probability of data loss
When an application runs outside the IT team’s control, it lacks backup and recovery procedures because it does not receive adequate attention from the team. Without appropriate recovery and back up strategy, in the event of an incident, data is lost. Data loss can also occur if you download software that has a cryptolocker which encrypts files in the server. For some organizations, like health institutions, the leakage of sensitive data can cripple it.
· Enormous financial implications
It causes cybersecurity issues that can be expensive for organizations. A study by EMC revealed that Shadow IT causes data loss and downtown costing approximately $1.7 trillion annually.
· Increases inefficiency
This point may seem contradictory because employees use shadow IT to help them work quickly and effectively. Nevertheless, before IT professionals introduce technology into the system, they test it for potential impact and any vulnerability. When a technology skips testing, it may cause bottlenecks or create a point of failure resulting in massive inefficiency.
The Case of NASA JPL
The US National Aeronautics and Space Administration (NASA) hit the headlines last year after speculations that its Jet Propulsion Laboratory (JPL) had been hacked. According to Forbes, NASA confirmed the allegations that its JPL was hacked after an unauthorized Raspberry Pi computer was connected to its servers. The Raspberry Pi is a small computer costing around $25 to $35 used to learn to code and make DIY projects.
This hack revealed greater security issues in the lab’s networks because devices can be connected to the IT network without explicit approval and vetting. The Raspberry Pi gave the hacker a security weak point that he could use to navigate JPL’s systems. It remains unclear who connected the Raspberry Pi in the JPL network and the identity of the hacker.
Background of the hack
NASA’s JPL is a research and development center situated in Pasadena in California. It is federally funded, and NASA has an obligation to ascertain that the agency’s data is safe. From 1959, California Institute of Technology (Caltech) has been managing JPL and all its activities from R&D activities to network security. In the last decade, JPL has encountered several cybersecurity attacks that have jeopardized part of its IT network. The most notable cybersecurity attacks took place in 2011 and 2018.
In 2011, cyber attackers accessed 18 JPL servers and got away with 87 gigabytes of data. In 2018, an external user account was compromised and 500 megabytes of data was stolen, including data about a mission in Mars. During the 2018 attack, the hacker discovered a weak point in the JPL system –unauthorized Raspberry Pi device. The hacker moved undetected in the JPL network for 10 months.
NASA is a good target for cybersecurity threats because apart from space-related activities, it has patents covering cutting edge science that countries can literally kill for. In short, getting access to NASA networks and data is a big kill for a cybercriminal. Following this hack, other NASA divisions like the Johnston Space Center disconnected from JPL to prevent lateral movement of the hackers. JPL was blamed for failing to maintain an updated Information Technology Security Database (ITSDB) –an application for tracking physical assets and applications on a network.
An audit report by the NASA Office of the Inspector General revealed that JPL has multiple security control weaknesses that hinder its ability to prevent, detect, and mitigate cybersecurity attacks. These weaknesses also expose the agency’s systems and data to attack by hacks and other cybercriminals. Among the main key issues that the audit exposed include; poor IT asset visibility, delays in patching known vulnerabilities, lack of security training, and lack of security certifications for system administrators. In a nutshell, the list of JPL’s security weaknesses feels like a security basics 101 ignored.
Potential solutions for Shadow IT
· Understand the drivers of shadow IT
To mitigate the problem of shadow IT, start by understanding the reasons why employees turn to it. Go a step further to propose safe and workable solutions.
· Secure your network
By securing your network, you can identify any unapproved devices or software connected and safeguard your IT infrastructure against cybersecurity threats.
· Implementing guidelines for introducing software
Organizations should have clear guidelines for the introduction of software into their IT infrastructure. The software should be tested properly in a sandboxed environment before it is realized. When software is introduced without the correct procedures being followed, the risk of attacks and data loss increases substantially.
· Employee training
Many employees do not know about shadow IT and a few who do have knowledge gaps. It is best practice to educate all members of an organization about shadow IT and the threats it poses. In the case of JPL, lack of training IT professionals for their roles was identified as a major security issue.
· Other remedies;
- Update all software so that everyone is on the same page.
- Adhere to best practices when bringing new servers and applications in the network.
- Passwords should be stored in encrypted form and never written down or set to default.
- Companies should establish a culture of acceptance and protection of shadow IT as opposed to detection and punishment.
Shadow IT is the next looming cybersecurity threat. NASA JPL hacking incident is a prime example of shadow IT and its implications. An inexpensive Raspberry Pi took down the astronomy giant’s lab. When organizations continue to ignore the implications of shadow IT, they will fall prey to cybercriminals just like JPL. It is therefore crucial for enterprises to secure, monitor, and audit their networks. This ensures that all hardware and software connected to the network are approved and vetted. Although no network is immune to attacks, securing your network decreases the probability of a cyberattack. Contact the experts at Applied Innovations to secure your network.