While reading the 'Declaration of Interdependence' series of articles in the July 1st issue of CIO Magazine (including an additional online article named 'Users Who Know Too Much and the CIOs Who Fear Them'), the term "Shadow IT" was used to describe the aggregate amount of personal, walk-in and employee owned software and hardware that makes its way onto corporate networks and computers.
This blog entry discusses strategies to look for applications that should not be running on your network as well as understanding which "unsanctioned" applications may be the most popular. It also discusses how the Passive Vulnerability Scanner can be used to detect Apple iPhones connected to the local IP network.
Review of Active and Passive Software and Device Enumeration
In a previous blog entry, we discussed how Nessus can use credentials to find installed UNIX and Windows software. Without credentials, Nessus can also scan for a variety of "client side" software that has open ports, such as iTunes. It also finds a wide variety of operating systems, applications and network devices.
And lastly, the Passive Vulnerability Scanner (PVS) watches network traffic 24x7 and can identify client applications, servers, operating systems and network devices. The PVS is a bit more stealthy than Nessus in that it might be able to fingerprint that a host is running Ubuntu Linux, simply by watching how it makes queries for software updates.
When Nessus's advanced active scanning and credentialed methods for determining operating systems are combined with the PVS's 24x7 monitoring, a very accurate form of blended discovery can occur.
Each of these technologies can be used to look for authorized technology, as well as looking for those comprising your "Shadow IT" organization.
Supporting Un-supported Technology
Also in the CIO Magazine series of articles, there was a pie chart presented under a title named, 'If You Can't Win, Don't Fight'. The data reflected how surveyed IT departments dealt with unsupported technology.
- 42% said they'd monitor the activity for risk.
- 30% said they'd study the business case for mainstreaming the technology.
- 28% said they'd shut it down as soon as it was detected.
Reading this sort of data tells me that 70% (42% + 28%) of those surveyed need to monitor their networks for something they perceive as "bad" software. And for the remaining 30% that are interested in mainstreaming the technology, there still needs to be some sort of monitoring solution to detect when certain technology becomes popular enough to mainstream.
We'll see in the next few sections that deciding what is indeed "bad" or even "not good" isn't as easy as we'd like it to be.
What is your policy? (What isn't on your White List?)
Unless your organization has a policy stating what sort of software and devices have been authorized for use, the process of trying to detect "illegal" things can be very difficult. This is because there are millions of software titles and network devices available. It is much easier to enumerate what is allowed. Anything not on the list, by definition, isn't allowed and is worth tracking.
There is no "Shadow IT" help desk that you can go to or open a trouble ticket with to see what has been deployed "outside" of normal channels. Instead, one needs to collect information many different ways to discover what has been deployed on their network.
Regardless of your technical or political environment, I recommend going "up the stack" when reporting things that are odd or unauthorized as outlined below.
- Networks and Devices. Audit any networks, devices or infrastructure that isn't documented or authorized. Your organization should be able to control which devices such as firewalls, wireless access points, SANs or routers are in place and even which IP addresses are in use. Sniffing with the PVS may be the easiest way to find which IP addresses are in use. Scanning with Nessus is also an option, but you will need to decide how deep of a scan you wish to perform.
- Operating Systems. Audit all discovered operating systems to ensure that authorized ones are deployed into the correct locations. Perhaps you have an AIX data center, but there should not be any AIX servers within the payroll IT closet or for the "development" lab. Consider the results of the audit by asset group (i.e., what are the OSes deployed in the DMZ?) as compared to trying to consider everything deployed across your organization.
- Server Applications. When auditing network services such as Web, Email, file sharing and so on, keep in mind that many products will OEM commercial solutions and also make use of open source projects. Don't be surprised if your new router is using a web server for the management interface which isn't on your list of approved servers.
- Client Applications. More and more client applications have a server component. P2P, chat tools, video conferencing tools and others open up a port to enable certain types of communication. These are discovered by Nessus network scans as well as by the PVS when these ports are used for communication. Traditional "client only" applications like web browsers, RSS readers, SSH clients and mail clients are identified by Nessus through the use of credentialed scanning, and by the PVS by observing network traffic and performing protocol analysis.
- Non-Internet-Connected Software. For software that does not connect to the Internet, it can still be identified by a credentialed Nessus scan. Plugin #20811 performs an audit of all Windows software and plugin #22869 audits all installed UNIX software.
Separating the "discovered" applications into these five groups can help simplify communication with senior management. There may also be some correlation between these groups, such as detecting the presence of Linux distributions, Apache web servers and Mozilla web clients in a supposedly 100% Microsoft environment.
If you are managing this active and passive security data with the Security Center, then using the dynamic asset filtering can help ensure that you are looking for the right software on the right asset. For example, if you have a "Data Center" asset group, then listing the operating systems found within that asset group can be accomplished with a few clicks of the Security Center interface.
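The allow-list approach above (enumerate what is sanctioned per asset group, then treat everything else as worth tracking) is simple enough to express as a small audit over scanner output. The following is an added example written for this post, not Tenable's code or a Security Center feature; the asset groups, operating systems and application names in it are constructed sample data standing in for what an active, passive or credentialed scan would report. It also tallies how often each unsanctioned item shows up, which is the "popular enough to mainstream" signal the survey discussion asked for.

```python
"""Audit discovered hosts against a per-asset-group allow list.

Added example; the policy and inventory below are constructed, not real scan data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Host:
    ip: str
    asset_group: str
    os: str
    software: set  # application names discovered on the host (server or client side)


# Constructed policy: for each asset group, the sanctioned OSes and applications.
# Anything discovered that is absent from the group's entry is unsanctioned by definition.
ALLOW_LIST = {
    "Data Center": {"os": {"AIX 5.3", "Windows Server 2003"},
                    "software": {"IBM HTTP Server", "IIS"}},
    "Payroll Closet": {"os": {"Windows Server 2003"},
                       "software": {"IIS", "SQL Server"}},
    "DMZ": {"os": {"Windows Server 2003"}, "software": {"IIS"}},
}

# Constructed inventory, in the shape a merged Nessus/PVS discovery might produce.
INVENTORY = [
    Host("10.0.1.10", "Data Center", "AIX 5.3", {"IBM HTTP Server"}),
    Host("10.0.1.11", "Data Center", "Windows Server 2003", {"IIS", "iTunes"}),
    Host("10.0.2.5", "Payroll Closet", "AIX 5.3", {"IBM HTTP Server"}),  # AIX outside the data center
    Host("10.0.3.7", "DMZ", "Ubuntu Linux", {"Apache", "Mozilla Firefox"}),  # Linux/Apache/Mozilla in a "Microsoft" DMZ
    Host("10.0.3.8", "DMZ", "Windows Server 2003", {"IIS", "iTunes"}),
    Host("10.0.9.1", "Wireless Guest", "Unknown", set()),  # asset group with no policy at all
]


def audit(inventory, allow_list):
    """Return (ip, kind, item) findings: kind is 'asset group', 'os' or 'software'."""
    findings = []
    for host in inventory:
        policy = allow_list.get(host.asset_group)
        if policy is None:
            # Going "up the stack": an undocumented network segment is reported before its contents.
            findings.append((host.ip, "asset group", host.asset_group))
            continue
        if host.os not in policy["os"]:
            findings.append((host.ip, "os", host.os))
        for app in sorted(host.software - policy["software"]):
            findings.append((host.ip, "software", app))
    return findings


def clean_hosts(inventory, findings):
    """IPs with no findings, i.e. the hosts that can be reported as 'clean'."""
    flagged = {ip for ip, _, _ in findings}
    return sorted(h.ip for h in inventory if h.ip not in flagged)


def popularity(findings):
    """How many hosts carry each unsanctioned item: candidates for mainstreaming."""
    return Counter((kind, item) for _, kind, item in findings)


def by_asset_group(inventory, findings):
    """Findings regrouped by asset group, the view senior management usually wants."""
    group_of = {h.ip: h.asset_group for h in inventory}
    grouped = defaultdict(list)
    for ip, kind, item in findings:
        grouped[group_of[ip]].append((ip, kind, item))
    return dict(grouped)


if __name__ == "__main__":
    found = audit(INVENTORY, ALLOW_LIST)
    for group, items in by_asset_group(INVENTORY, found).items():
        print(group)
        for ip, kind, item in items:
            print(f"  {ip:<12} unsanctioned {kind}: {item}")
    print("clean:", clean_hosts(INVENTORY, found))
    print("most common:", popularity(found).most_common(3))
```

Keying the policy on the asset group rather than on the whole organization is what makes an "AIX server in the payroll closet" a finding at all: the same OS is perfectly legitimate one group over.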
Enumerating "Bad" Software, Devices and Operating Systems
I've run into several organizations that need to keep certain types of software or devices off of their network. They need a way to find it on existing computers, alert when it is in use and report that computers are "clean". Also, some organizations have active programs to keep certain OSes and network devices out of their networks too. Perhaps they've not paid maintenance on a previous network-wide license, perhaps there is a licensing issue with the vendor, perhaps the CIO is just anti-Microsoft, anti-IBM, anti-RedHat and so on.
With Nessus and the PVS there are really three strategies that you can use to look for things that are "bad".
- Monitor network traffic with the PVS to find evidence of a client or server protocol.
- Scan networks with Nessus to look for fingerprints of the particular software, operating system or network device.
- Log into the various OSes or network devices with a credentialed Nessus scan and look for the 'bad' software.
Starting from scratch, if you wanted to find out if Nessus could find a certain type of device, a good place to start is the Nessus plugin search tool located here:
If a plugin does exist, you should read the available description to see if this is a network check or if credentials are required. If you want to test the script by itself, consider using the 'nasl' command line tool. Also, the new Nessus 3 Client BETA makes it very easy for Windows, OS X or Linux users to select just the plugin in question and run it against multiple targets.
Also for Nessus, there are three plugins (find_services.nes, find_services1.nasl and find_services2.nasl) which will identify a wide variety of devices and services. If you have access to your "illegal" software, OS or device, scanning it with Nessus will likely produce a result that identifies it.
If you wanted to see if there are rules for the Passive Vulnerability Scanner to find your "Shadow IT" technology, you can check the list of published plugins located here:
This PDF file is updated daily and contains a list of all plugins available. Using the search tools available in most PDF readers, you can see if there exist rules for software products you are interested in.
Detecting the Apple iPhone
So what does all this have to do with detecting the brand new Apple iPhone? The iPhone is a classic example of a technology that can walk into any organization in any employee's laptop case or shirt pocket. It may or may not be sanctioned for use, can save data, connect to the local network and so on. It is on many people's "must have" lists and starting to show up on many organizations' "must not have" lists.
When the iPhone is used to connect to a local IP network via wireless 802.11, it gets a real IP address and the email and web clients are easily fingerprinted. PVS rules #04134 and #04135 identify IP addresses that are likely iPhone by performing protocol analysis on port 25 and port 80 network traffic. Below is a screen shot of such a detection in the Windows PVS user interface:
At Tenable's demo sites, we've been seeing more and more iPhones used to connect to the local wireless networks and surf the Internet and send email.
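To make the passive detection above concrete: the PVS rules work by protocol analysis of the web and mail traffic the phone generates, not by probing the phone. The following is an added example, not the PVS rules themselves and not Tenable's code; it applies the same idea to a few constructed packet payloads. The HTTP User-Agent and SMTP X-Mailer values are modelled on what the original iPhone's Safari and Mail clients sent (the "iPhone ... Mobile ... Safari" User-Agent and an "iPhone Mail" X-Mailer), but the addresses and hostnames are constructed, and the matching thresholds are this example's own choice.

```python
"""Passive iPhone client fingerprinting from port 80 and port 25 payloads.

Added example, modelled on the protocol-analysis approach described in the post.
The traffic below is constructed; only the client header formats follow Apple's.
"""
import re
from collections import defaultdict

# Constructed sample: (source IP, destination port, captured application payload).
TRAFFIC = [
    ("192.168.1.23", 80,
     "GET / HTTP/1.1\r\nHost: www.example.com\r\n"
     "User-Agent: Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ "
     "(KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3\r\n\r\n"),
    ("192.168.1.40", 80,
     "GET / HTTP/1.1\r\nHost: www.example.com\r\n"
     "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) "
     "Gecko/20070515 Firefox/2.0.0.4\r\n\r\n"),
    ("192.168.1.23", 25,
     "From: someone@example.com\r\nTo: other@example.com\r\nSubject: test\r\n"
     "X-Mailer: iPhone Mail (1A543a)\r\n\r\nhello"),
    ("192.168.1.41", 25,
     "From: third@example.com\r\nTo: other@example.com\r\n"
     "X-Mailer: Microsoft Office Outlook 11\r\n\r\nhello"),
    ("192.168.1.42", 80,
     "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),  # no User-Agent header at all
]

# Header extraction; MULTILINE lets ^/$ anchor on each header line.
UA_RE = re.compile(r"^User-Agent:\s*(.+)$", re.IGNORECASE | re.MULTILINE)
MAILER_RE = re.compile(r"^X-Mailer:\s*(.+)$", re.IGNORECASE | re.MULTILINE)


def classify_payload(port, payload):
    """Return an evidence string if the payload looks like an iPhone client, else None.

    Port 80: the phone's Safari advertises both 'iPhone' and 'Mobile' in its User-Agent.
    Port 25: the phone's Mail client advertises itself in an X-Mailer header.
    """
    if port == 80:
        m = UA_RE.search(payload)
        if m:
            ua = m.group(1).strip()  # strip the trailing \r left by CRLF line endings
            if "iPhone" in ua and "Mobile" in ua:
                return "http user-agent: " + ua
    elif port == 25:
        m = MAILER_RE.search(payload)
        if m:
            mailer = m.group(1).strip()
            if mailer.startswith("iPhone Mail"):
                return "smtp x-mailer: " + mailer
    return None


def find_iphones(traffic):
    """Map each source IP that produced iPhone evidence to the list of evidence seen.

    Two independent protocols pointing at the same IP is stronger than either alone,
    which is why the evidence is accumulated per host rather than alerted per packet.
    """
    hits = defaultdict(list)
    for src_ip, dst_port, payload in traffic:
        evidence = classify_payload(dst_port, payload)
        if evidence:
            hits[src_ip].append(evidence)
    return dict(hits)


if __name__ == "__main__":
    for ip, evidence in find_iphones(TRAFFIC).items():
        print(ip)
        for line in evidence:
            print("   ", line)
```

Like any passive fingerprint, this only sees hosts that actually talk, and only while the sensor is watching, which is why the post pairs it with active and credentialed scanning; it also cannot tell a phone from anything else that chooses to send the same headers, so the result is an inventory lead rather than proof.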
The iPhone is just the latest type of technology to come to the forefront of many organizations' "must/must-not have" lists. If we had written this blog post at various points during the past few years, we may have used the Google Toolbar or Skype as examples.
Whether your organization needs to monitor technology to see if it is being adopted by your users, or to see if it should be blocked, using a combination of active, passive and credentialed auditing can help identify what is in use and what has been widely adopted.
Detecting a "Shadow IT" organization within your organization is doable if you know where to look and have some sort of monitoring program in place.