Phin Security

How Shadow IT Impacts Your Phishing Strategies

In the podcast "How Shadow IT Impacts Your Phishing Strategies," Connor Swalm and John Harden discuss how shadow IT and shadow SaaS complicate compliance with frameworks like NIST and CIS by necessitating comprehensive software and account inventories—including details on access and security measures such as SSO and MFA—to effectively manage risks and protect business data from social engineering and phishing threats.

Welcome to Gone Fishing, a show diving into cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals.


Podcast Discussion: How Shadow IT Impacts Your Phishing Strategies

Participants:

  • Connor Swalm (Host, CEO at Phin Security)
  • John Harden (Senior Product Marketing Manager of SaaS at Awvik)

Shadow IT and Compliance Frameworks

Connor asks where shadow IT and shadow SaaS fit into compliance frameworks such as NIST 800-171, NIST 853, and the CIS controls.

John explains:

  • CIS is prescriptive, providing both what needs to be done and how to do it.
  • SaaS generally falls under the application layer (CIS 2.1, 2.3, 2.5) and the account layer (CIS 5.1, 5.3, 5.5).
  • All compliance frameworks require a software inventory, regardless of the specific standard (PCI, HIPAA, CMMC, FCC safeguards, etc.).
  • The reason is that business data resides in software assets, and cybersecurity programs are designed to protect data.
  • CIS doesn't explicitly call out SaaS, but it does require inventory to include the source (URL, App Store, etc.), hinting at SaaS awareness.
  • Regular review of software assets (monthly or more frequently) is recommended to address unauthorized software.
  • Allow lists of software can't be built without knowing your inventory.
  • Account inventory is equally critical: knowing not just what SaaS assets exist, but who is accessing them and how (including service accounts and audit logs).

Risk and Account Management

Connor summarizes that compliance frameworks focus on being aware of and mitigating risk, which often comes from accounts used to log into software and devices.

John emphasizes:

  • It's not just about the tool, but about access: Is it secured with SSO? MFA? Is the account shared?
  • Some companies have policies against using corporate domains for certain apps, leading employees to use personal accounts, which must be monitored and auditable.

Connor notes that shared accounts and using passwords from IT documentation tools is common, even if against policy.

John adds:

  • Identification is the first step: knowing who had access, who was using it, and where.
  • If an employee leaves, you need to know what they had access to in order to rotate credentials and secure accounts.
  • Even without advanced tools, at least document occurrences for manual remediation.

Shadow IT and Cyber Insurance

Connor asks if shadow SaaS and IT are addressed in cyber insurance.

John responds:

  • Most cyber insurance focuses on software inventory, but hasn't matured to SaaS inventory specifically.
  • Single sign-on (SSO) is a key area: if you attest to having SSO and MFA on all major systems but miss one, that's a risk.
  • Account inventory is crucial for knowing who is accessing what and what security measures are in place.

Malicious Use of Account Information

Connor asks how account and software information could be used maliciously.

John explains:

  • This is where supply chain attacks come in: a breached system can expose accounts, which can be leveraged for further access.
  • IT admins need to know which users accessed breached systems to rotate accounts and ensure passwords aren't reused elsewhere.
  • Third-party attack surfaces increase phishing risk, especially if attackers know what tools are used, including shadow IT assets.
  • Employees may be less vigilant with shadow IT, making them more susceptible to phishing.

Phishing Simulation and Shadow IT

Connor asks if phishing simulation can help reduce shadow IT.

John replies:

  • It's challenging; phishing education and awareness are key.
  • IT admins should educate employees about the risks of shadow IT and third-party vendor attacks.
  • Shadow IT is a major entry point for phishing because of reduced vigilance and lack of IT visibility.

Connor gives an example:

  • If a tool is not allow-listed in Microsoft Defender, phishing emails related to that tool may not be flagged, increasing risk.

John adds:

  • Many file sharing tools (Dropbox, Box, Citrix, etc.) are used with personal accounts, making it hard for IT to detect data exfiltration or exposure.
  • Sensitive data can be uploaded to third-party SaaS tools and exposed without IT's knowledge, leading to further internal or external risk.

Building a Security Culture

Connor discusses the importance of not punishing employees for mistakes, but instead fostering a culture where they feel comfortable reporting issues.

John agrees:

  • Shadow IT visibility is about knowing, not punishing.
  • Building relationships with employees encourages them to seek approval and report risks.
  • Education helps employees understand why they should involve IT.

Connor shares a story about a security leader who emphasized the importance of employees reporting mistakes rather than hiding them.

John concludes:

  • Building a security culture must be top-down from IT.
  • The goal is to understand, mitigate, and educate around risks so employees do the right thing next time.

Where to Learn More

  • John Harden is available on LinkedIn for questions and engagement.
  • For SaaS management, visit Awvik's website and explore their SaaS management platform.
  • For security awareness training, visit Phin Security at PhinSec IO.

Thanks for listening to Gone Fishing. For more on security awareness training campaigns that engage employees and change habits, check out Phin Security at PhinSec IO.