Shadow IT: Centralised vs distributed IT Management

Historical when computers were first introduced into a company it was through individual departments, typically Finance and they purchased their own computer systems. As the usage of computers grew and IT become first a support function and then a core part of the business. The structure of organisations changed with as they introduced an IT department which managed IT and ensured commonality across the whole of the organisation. The governance of IT become centralised within the IT department.

IT Governance is a subset of corporate governance, focused on information and the technology and the performance and risk management around the handling of information and the technology. It is how organisations align their IT strategy with business mission, ensuring they stay on track to achieve their strategies and goals. 

The use of IT has continued to mature throughout organisations and IT has become a platform or service on top of which the functions of the company are built. If you examine an organisation today there is a core platform of servers, workstations and networks which underpin the finance systems, sales, marketing, production and other activities. Each of these activities has different requirements and expertise. IT decision on spending is becoming dispersed throughout organisations, according to a survey conducted by BT of 1,000 IT "decision-makers". This has been backed by research by Garner which estimates by 2020, 35% of organisations’ technology budget will be spent outside the IT department.

This is creating “shadow IT”, and has been given impetus by the growth of consumer technology and cloud computing, which make it increasingly easy to deploy technology without going through the corporate IT department. With businesses under pressure to innovative, flexible and adaptive it has been realised they can often deploy solutions more rapidly by bypassing the IT department. BT’s study showed nearly three-quarters of respondents say they are more concerned about security with the move to a more distributed approach to IT. The various departments are very keen to purchase and deploy IT based solutions however they don’t want to support them or take responsibility for them working and are happy for central IT to provide this function.

Ensuring that shadow IT is subject to proper governance is a challenging task for CIOs. Part of the solution is by supporting the business in meeting its objectives by liaising with all parts of the business. They are the experts on what they need; they need support on ensuring the requirements can be met within the corporate governance framework. Shadow IT should not be considered a problem but should be adopted as part of a distributed IT function.

Shadow IT – what are the risks?

Increasingly within organisations a shadow organisation is building up and will threaten the security of the overall organisation. This is not the mafia or a criminal sub culture, but an alternative to the organisations IT department.

Citizen Programmers + Rogue Devices + BYOD + Tech Savvy Employees = Shadow IT

Increasing, as the workforce becomes more tech savvy as the millennium generation are starting to become predominant as employees. Each department has its own group of geeks that the rest of the department turn to as first line of support. I have seen this everywhere I have worked, people like myself are asked questions or asked to fix things as we are immediately available and often understand IT and the business function and give advice quicker and trusted more than IT support who can live up to the reputation of the IT Crowd and associated with the phase “Turn it off and turn it on again”

In the 21st century business are increasingly facing employees who are “citizen programmers” where they have developed their own applications with macro programming languages in a lot of business software to manipulate raw data and draw useful information and reports. Citizen programmers can generate applications that become mission critical in the way they draw useful information from the organisation’s data. These applications are outside the control of IT and often not known to those doing the BC&DR activities.

The tech savvy employees and often those less technical aware are bring consumer technology into the office either as part of BYOD or often as rogue devices that IT and the organisation know nothing about. These can introduce a range of attack vectors that the organisation may not be aware of and unable to put appropriate controls in. I have seen employees set-up Google remote desktop to allow remote access to their workstation so they can be more productive out of the office and IT have not been aware of this remote access channel.

So what are the risks of this shadow IT within your organisation?

• No governance of the activities
• Lack of security awareness and alignment with business mission
• Increased risk of data leakage
• Increased attack surface area
• Dependence on unknown and uncontrolled applications

What can be done, IT like cyber security needs to be aligned with the business needs and this requires better integration with the end users to ensure they can do their jobs in a secure manner that does not affect productivity, allow initiative and innovation but does not impact on security which is the triad of confidentiality, the integrity and availability of assets.

Forthcoming talk

Hacking the Internet of Things (IoT)

Thursday 14 May 2015

8.00pm at the offices of Sopra Steria, Hemel Hempstead, HP2 7AH

The IoT is a paradigm of how devices are now interconnected by various media to each other locally and across the Internet, allowing them to exchange information or to interact with us. You can control the heating in your home from a smartphone or monitor the hundreds of buoys free floating in ocean currents. IoT has great potential for aiding both us and malicious activities. This talk discusses the IoT and its potentials, followed by discussions and demonstrations of how the IoT can be hacked to reveal details of our interactions or take control of the environment around us.

It includes a demonstration of RFID can be compromised by looking at an attack on a RFID based door access controller.

RFID Cloner

RFID Door COntroller

The event is being organised by the Hertfordshire branch of the BCS, details of the talk are on their event page

If you wish to attend this meeting, please would you book your places using this booking link.

What is phone hacking?

Phone hacking according Q762 on the ask the police website (https://www.askthe.police.uk/content/Q762.htm)  is where people gain unauthorised access to information that is held on a mobile telephone, in most cases these are voicemail messages. It goes onto explain that mobile phone companies set up a default voice mail service for all mobile telephones. This service can then be accessed from other telephones (both mobile and land-line) by dialling your mobile telephone number. Once the voicemail service message begins, all a hacker has do is dial * and enter a PIN number, which is a default PIN number unless it has been changed. It is this type of hacking that the newspapers in the UK have been accused and admitted to doing. This type of hacking can be stopped by changing the default PIN and not giving the PIN to anyone.

However phone hacking is more than this simple example of almost social engineering, for example I would identify the following as phone hacking activities

• Phreaking
• VoIP hacking
• Voice mail hacking
• Mobile phone network hacking
• Insecure wifi usage
• Smart phone app security

All of these can result in an unintended opportunity, ranging from free phone calls to intercepting and retrieving information.

• Phreaking involved manipulating the plain old telephone system that used to tones to control switching and functionality. By reverse engineering the tomes pheakers could route long distance calls for example. 
• VoIP involves the transfer of voice within the data packets on an internet protocol (IP) network. The hacking of VoIP allows eavesdropping, control of VoIP based private branch exchanges (PBX), the routing of phone calls and other activities.
• Voice mail hacking allows the retrieval of voice messages often by using default PIN numbers
• Mobile phone networks use a number of telecommunication protocols that have been hacked allowing interception of mobile phone calls and other malicious activities
• A lot of mobile devices including phones can make use of WiFi networks and in some instances route phone calls over WiFi connections using VoIP and related technologies. WiFi is difficult to secure and data can be intercepted.
• The top of the range phones now all come with apps, insecure doing practice and in cases malicious programming allows data leakage from phones due to the vulnerabilities in apps installed on the phone, or the apps can take control of the phone causing it to make premium rate connections via voice, data and sms.
• 
  

I will be looking at some of the phone hacking techniques and countermeasures over the next few months as I prepare a talk on the topic.

PCI DSS: outsourced eCommerce

A presence on the internet is considered essential for business; the UK government have a digital inclusion policy to get SME's online and being part of the digital economy. However for many small companies go online and taking payments for services online is new and uncharted territory.

Many companies don't appreciate the governance around trading within the digital economy with issues such as the Payment Card Industry Data Security Standard (PCI DSS) and distance trading regulations part of wide range of regulations, standards and requirements that a company must get to grips with.

PCI DSS

The PCI DSS was initiated by the Payment brands (VISA, Mastercard, American Express, Discover and JCB) to combine their individual security requirements into a single set of requirements. The standard is developed by the PCI Security Standard Council (SSC). It contains mandatory requirements for the storing, processing or transmission of cardholder data and includes anything that might affect the storing, processing or transmission of cardholder data. Merchants who receive payments from payment card from the 5 brands are responsible for ensuring the payment collection process is compliant to the standard. Merchants cannot delegate the accountability, even if all payment process is done by 3rd parties the Merchant still is subject to requirements of ensuring the 3rd parties are compliant,

One of the pit falls I came across when advising companies about the PCI DSS occurs when they have already got an eCommerce presence online before attempting to gain PCI DSS certification and their existing eCommerce operation is not compliant with the requirements of the standard.

For example, they have a website designed, hosted and managed by 3rd parties to card payment online rather than do it themselves; this is a good option form many companies as they may not have the expertise. However they find that instead of it being an easy process, it has become very difficult due to the use of suppliers that are not compliant to the PCI DSS requirements.

Outsourced eCommerce Compliance

For this type of situation of outsourced eCommerce; for companies not meeting the level 1 merchant status; there is a cutdown version of the questionnaire know as Self-Assessment Questionnaire SAQ A "Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced". It was been developed by the SSC to address requirements applicable to merchants whose cardholder data functions are completely outsourced to validated third parties, where the merchant retains only paper reports or receipts with cardholder data.

The eligibility criteria for completing a SAQ A is given with the document; however the critical point is cardholder data functions are completely outsourced to validated third parties. Validated parties means the service providers must be PCI DSS Compliant for the services they deliver and this includes the following services.

• Website Design
• Physical Hosting
• Managed Hosting
• Payment processing

There is a distinction between being certified for being a merchant and being certified for services offered. A service provider will have an Attestation of Compliance (AoC) for either a RoC or a SAQ D for service providers where the AoC will state the services being covered.

Some companies get caught out because their service provider is certified as a Merchant for taking payment and may not have the service being offered covered by the certification.

For example; you could pay for the creation and hosting of a website from a website design company that take payment by credit card. They may have outsourced their eCommerce operation and completed a SAQ A themselves. When asked for evidence of compliance, they may offer the SAQ A as proof of certification, but this only covers their merchant activity and not their software development and hosting services. They should have an SAQ D for service providers to prove their services are compliant and present the AoC for this when requested.

The Problem

In my experience companies get caught out by having a website designed and hosted and then find they have to be compliant to the PCI DSS when their acquiring bank asks for a SAQ to be completed. At this point they find out that their suppliers are not PCI DSS compliant for the services contracted and also they don't have sufficient information to complete a SAQ D; which is the self-assessed version of the full set of requirements, as they don't have control over the hosting or management of the website.

This leaves them in the situation where they have been asked by their acquiring bank to demonstrate compliance and they are unable to meet the request.

The options are

• Ask the suppliers to become compliant
• Audit the suppliers as part of the companies compliance
• Change to a certified supplier

None of these options are attractive or easy to complete. Whilst a company is non-compliant they could be fined by the acquiring bank monthly, pay additional transaction costs or in extreme cases have the ability to process payment cards removed.

Advice

My advice for companies thinking about starting an eCommerce operation is to contact an expert in the PCI DSS and get advice on the standard before actually implementing the website. This can save a lot of hassle, time and money in the long term,

There should also be more effort by governments, acquiring banks, payment brands and payment processors to makes sure those new to online payments can get the right advice.