What is Shadow Tech and Why it matters to your business.
Shadow Tech is a fancy, scary term for unauthorized devices being attached to and used on your systems. It comes in many forms: everything from thumb drives, iPods and phones plugged into a user's computer to people bringing in their own WiFi routers and plugging them in to get a better signal in their office. Most seem mundane and are thought of as harmless by the person using them. Sometimes, however, there can be a much more nefarious intent.
A lot of business owners have never even considered this threat, simply because they are unaware that it is one. That, however, does not mean the threat is not there. In many cases we have used items for so long without incident that we have a false sense of security and never consider how a hacker could turn them into a weapon.
If you remember, before 9/11 it was unfathomable for most people to believe that such a thing could happen. On 9/12 the entire world had a different mindset than the day before: a complete and instant paradigm shift. That is what small businesses need, a paradigm shift about cybersecurity. It is especially true now, in the midst of this pandemic, when attentions are pulled in every direction.
These shadow devices are even more difficult to see now that employees are often working from home. Unfortunately, many MSPs (IT Service Providers) and internal IT teams do not address it with business owners. It may be from lack of knowledge or awareness, or fear of bringing up a subject that execs may view as a drain on cash flow or a hindrance to productivity.
None of this helps in making a system secure. The blame for not addressing it falls on everyone's shoulders, but the final responsibility falls on the execs if something bad happens that compromises data or jeopardizes the business.
Shadow Tech is a major insider threat to any business, regardless of the intent behind how it is being used or implemented. A case in point was related to me earlier today while on a phone call with a fellow cybersecurity professional.
He said one of his former clients never considered the perils of an open BYOD (Bring Your Own Device) policy. In fact, he did not even know there was such a thing. Anyway, one of this former client's employees had been downloading movies/videos to a USB storage device. When the employee then inserted the USB drive into his employer-provided laptop and attempted to play a video, he soon found out what a bad idea that was. His employer found out pretty fast as well, because the employee had to call and tell him. The video files were loaded up with malware.
When the video was opened, it played for a few seconds. It then flashed up what looked like a logon screen requesting that he enter his credentials because his session had timed out. Not thinking, and wanting to get back to the video, he complied. He was then instantly logged out of his laptop. He was lucky that he was not attached to the company network at the time, because the malware that infected his system was very nasty and instantly spreads to any connected systems. If he had been connected via the VPN it would have been disastrous.
We have all heard that ignorance of the law is no excuse, and this applies equally to cybersecurity. Relying on your in-house IT team or IT provider to keep you informed about cybersecurity laws and threats is like expecting the girl at the fast-food drive-up window to give you good investment advice. If someone is not specifically trained in a skill, how can you expect them to advise you in it? The truth is you can't. So is it really even fair to expect your IT people to know about, much less implement, a cybersecurity defense program? No, it is not.
If you are not sure that your systems are properly protected, then I would say you're probably not. If you were, AND your IT guy was doing his job, you would know, because you would be getting updates at least monthly and quarterly reviews. You would also know that you have solid policies in place that are enforced and reviewed annually at a minimum.
Having policies in place and strictly enforced is the first step in avoiding potential fines and insurance claim denials in the event of a cybersecurity incident. It is also the first step in creating a solid cybersecurity program, and among the simplest steps as well. You can find well-written policy templates in many places, such as NIST, ISACA, and state and local authorities. It is also a service that any good cybersecurity consultant will provide as part of a standard package. At DB Cybersecurity Consulting we have a full suite of business policies that we customize for our clients. Reach out for a free consultation to find out if we are a good fit for each other.
OFAC – The NEW LAWS
With the recent announcement from OFAC (the U.S. Department of the Treasury's Office of Foreign Assets Control), you really need to make sure your cybersecurity program is up to snuff. You should take the time to read what they have to say. In short, they have made it a crime to pay ransom to cybercriminals when a system gets hit with a ransomware attack.
You can read the article here – US Govt Takes a Hard Line on Victims of Ransomware
The entire OFAC advisory is available at the link below.
The advisory states in its contents:
As a general matter, OFAC encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations. This also applies to companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services businesses). In particular, the sanctions compliance programs of these companies should account for the risk that a ransomware payment may involve an SDN or blocked person, or a comprehensively embargoed jurisdiction. Companies involved in facilitating ransomware payments on behalf of victims should also consider whether they have regulatory obligations under Financial Crimes Enforcement Network (FinCEN) regulations.
OFAC Licensing Policy
Ransomware payments benefit illicit actors and can undermine the national security and foreign policy objectives of the United States. For this reason, license applications involving ransomware payments demanded as a result of malicious cyber-enabled activities will be reviewed by OFAC on a case-by-case basis with a presumption of denial.
This should make it abundantly clear that a solid cybersecurity program is expected of businesses that operate within the USA. Written and enforced policies and procedures are part of that program. Strict BYOD and Acceptable Use policies are front-and-center policies that must be enforced at all levels of the organization. Failing to do so puts the company at serious risk of insider threats, whether malicious or unintended.
AUP and BYOD policies need to be implemented and enforced at all levels of an organization. This includes specifying what kinds of devices are allowed to be connected to company systems. It is much simpler to state what is allowed than to write an exclusionary rule listing what is not allowed. My personal feeling is that BYOD should not be allowed under any circumstances, including attaching a cell phone to the USB port of a computer for the sole purpose of charging it. If mobile devices such as cellular phones, tablets or any other devices are permitted only when they are company supplied, the task of securing company assets is much less complex and therefore more effective by default. It also makes remotely wiping a device such as a phone, laptop or tablet more straightforward, and makes it easier to ensure its security is up to date.
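To make the allowlist idea concrete, here is an added example that is not part of the original post and not a DB Cybersecurity Consulting tool: a small Python script that checks USB attach events against a policy allowlist of company-issued devices. The key=value log format, and every vendor ID, product ID and serial number in it, are constructed for the example. It flags any device not on the list, including a phone plugged in "just to charge" (a phone still enumerates as a USB device), and also catches an approved model whose serial is not in inventory, which is how a personal drive of the same make as the company-issued one shows up.

```python
"""Audit USB attach events against a device allowlist (example, defender side).

The allowlist states what IS permitted, per the policy advice above, instead of
trying to enumerate everything that is forbidden.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Policy allowlist: (vendor id, product id, serial) -> description.
# A serial of "*" means any serial of that make/model is accepted.
# All identifiers here are constructed for the example, not a real inventory.
ALLOWED_DEVICES: Dict[Tuple[str, str, str], str] = {
    ("0781", "5583", "4C530001A"): "company-issued encrypted USB drive #1",
    ("046d", "c52b", "*"): "company-issued wireless keyboard/mouse receiver",
}

# Constructed sample events in an assumed key=value format. The last line is
# deliberately malformed to show that unparseable input is reported, not dropped.
SAMPLE_LOG = """\
2020-10-05T09:14:02 host=LAPTOP-07 user=jdoe action=usb_attach vid=0781 pid=5583 serial=4C530001A class=mass_storage
2020-10-05T09:20:45 host=LAPTOP-07 user=jdoe action=usb_attach vid=046d pid=c52b serial=NONE class=hid
2020-10-05T12:31:10 host=LAPTOP-12 user=asmith action=usb_attach vid=0781 pid=5583 serial=9F110042B class=mass_storage
2020-10-05T13:05:33 host=LAPTOP-12 user=asmith action=usb_attach vid=05ac pid=12a8 serial=F2LX8A1 class=mtp
2020-10-05T13:07:00 host=LAPTOP-12 user=asmith action=usb_detach vid=05ac pid=12a8 serial=F2LX8A1 class=mtp
2020-10-05T13:10:00 host=LAPTOP-12 agent restarted
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"vid=(?P<vid>[0-9a-fA-F]{4}) pid=(?P<pid>[0-9a-fA-F]{4}) "
    r"serial=(?P<serial>\S+) class=(?P<cls>\S+)$"
)


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    vid: str
    pid: str
    serial: str
    verdict: str  # allowed | unregistered_serial | unknown_device | unparsed
    detail: str


def classify(vid: str, pid: str, serial: str) -> Tuple[str, str]:
    """Return (verdict, detail) for one attached device."""
    vid, pid = vid.lower(), pid.lower()
    exact = ALLOWED_DEVICES.get((vid, pid, serial))
    if exact:
        return "allowed", exact
    wildcard = ALLOWED_DEVICES.get((vid, pid, "*"))
    if wildcard:
        return "allowed", wildcard
    # Same make/model as an approved device, but this serial was never issued:
    # a personal drive of the same model, or a swapped device. Not authorized.
    if any(k[0] == vid and k[1] == pid for k in ALLOWED_DEVICES):
        return "unregistered_serial", "approved model, serial not in inventory"
    return "unknown_device", "not on the allowlist (phones charging over USB included)"


def audit_usb_log(text: str) -> List[Finding]:
    """Parse the log and classify every attach event; detach events are skipped."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            findings.append(Finding("?", "?", "?", "?", "?", "?", "unparsed", raw))
            continue
        if m["action"] != "usb_attach":
            continue
        verdict, detail = classify(m["vid"], m["pid"], m["serial"])
        findings.append(Finding(m["ts"], m["host"], m["user"], m["vid"].lower(),
                                m["pid"].lower(), m["serial"], verdict, detail))
    return findings


def needs_review(findings: List[Finding]) -> List[Finding]:
    """Everything that is not a clean allowlist match goes to the IT/security queue."""
    return [f for f in findings if f.verdict != "allowed"]


if __name__ == "__main__":
    for f in needs_review(audit_usb_log(SAMPLE_LOG)):
        print(f"{f.ts} {f.host} {f.user} {f.vid}:{f.pid} serial={f.serial} -> {f.verdict}: {f.detail}")
```

Run as-is, the script reports three events for review: the same-model drive with an unregistered serial, the phone attached over USB, and the malformed line. A real deployment would read these events from the endpoint's own device-control or OS logs rather than an embedded string.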
Ready to start your own Cybersecurity Defense Program? We have many free resources you are welcome to use to get the ball rolling. Creating policies is a great place to start; they lay out the ground rules. After that the real work begins: a full system assessment and asset inventory. You can do this by running tools like Nessus or many other free and very effective tools. If you choose to go this route, make sure that whoever is doing the work is well versed in using the tools. Many of them are actually tools hackers use to break into systems, and if misconfigured they can do irreparable damage very quickly. There are also paid tools you can use, but the key to doing it yourself is ensuring it is done right, to avoid becoming a victim of your own efforts.
It is a lot of work, and it does take a fair amount of time. If you are serious about getting started but want some guidance, or just want to get it done professionally, follow the steps detailed below. Good luck.
Step 1 Contact Us Now.