Shadow IT in the corporate digital footprint: the fight against digital Diogenes

Shadow IT is one of the most forgotten problems in companies. With the passage of time and the Digital Diogenes, dozens of services and assets that could expose important corporate information are becoming indexed and accessible on the Internet. Services that, if not correctly inventoried and controlled, could become the gateway to our networks. This problem is increased by the high internal bureaucracy and the attempts to skip certain administrative steps in order to go to production sooner (Does the photo sound familiar to you?). At Zerolynx we very often see how certain departments end up hiring, for example, external hosting, to save time when publishing a new service that, internally, would require them to go through a series of flows, audits and controls. Obviously, skipping these processes is irresponsible that ends up having consequences, and for this, awareness is a key tool, but these things end up happening and it is our responsibility to fight against it.

Given this fact and seeing that it was something very common in the market, we decided to incorporate into our Corporate Digital Footprint service a previous phase of recognition of digital assets, very similar to that carried out in intrusion services by our colleagues from the Red Team. In this phase, we carry out both an automated detection of the assets and a manual identification task that allows us to cover a broader level and also carry out a first analysis of said assets. 

During this asset analysis recognition, we identify which of them are vulnerable or likely to be vulnerable. For example, although it may seem common to find an exposed link from a client subdomain whose headers include the server technology, as well as the version and software of the service used, this can pose a risk. To illustrate with a real case: some time ago during the analysis of a client's assets, we identified and reported a VPN access interface with an obsolete version. A few months after the discovery, our client contacted us to analyze an advertisement in Raid Forums about remote access to his company and in which it was observed that the origin of said access was related to the link that we had previously provided. notified.

We must not forget that an important piece to contribute to reducing the attack surface is the application of digital hygiene measures. Given the huge amount of digital assets that companies currently present, it may happen that not all of them are under their control, which gives the opportunity to third parties to obtain a benefit from them. From the exploitation of vulnerabilities, the acquisition of domains that were owned by the company (once they have stopped being renewed) or, even, the use of these as a means to carry out illegal acts in its name (taking advantage of redirections from an apparently legal site to another). All of this, with consequences such as affecting your reputation and causing other indirect damages, such as loss of trust on the part of suppliers or customers.

Sometimes measuring the level of risk is complex, but we must always pay attention to the magnitude of the evidence identified and its probability of occurrence. Analysts know that this second part is the most complicated. Nowadays, finding individuals motivated to break access and enter our clients' systems is not so complicated. Therefore, although sometimes the risks we identify may be low, it is always advisable to analyze, mitigate and remedy them for what they may mean tomorrow.

The truth is out there!

Noelia Baviera , Intelligence Analyst