Okay, so as a 90’s born kid who grew up in the 2000s, the whimsical spectacular “Dude, Where’s My Car” was a huge intro to my love for comedy. If you haven’t seen the flick – TL;DW is this: Jesse (Ashton Kutcher) and buddy Chester (Seann William Scott) have a wild night and can’t remember anything that happened. They walk outside and realize Jesse’s car is missing, and all kinds of weird drama happens whilst trying to piece together the previous night’s shenanigans. Oh yeah, there’s some alien stuff in there too. Just think The Hangover meets Star Trek and you’ve pretty much got it nailed.
So as I’m watching this blast from the past-erpiece (get it, masterpiece? Huge portmanteau fan) the other night, it dawned on me that this is the exact type of thing that IT/Security professionals deal with all the time, and I’m not just talking about saving the universe from aliens (on a gaming console, of course).
Shadow IT and Unstructured data are real, dude – and they’re definitely not sweet.
The biggest problem in the movie is that they were being held responsible for actions that they had no idea had occurred – supposedly they had this Continuum Transfunctioner, and they didn’t even know what that was, much less that they had it. Spoiler: They did have it, and it was under the guise of a Rubik’s cube. Sound familiar? Something crazy deadly for an environment and it was just walking around in a pocket under the guise of being something innocent?
The IT/Security department(s) are viewed as the “offices of NO” because a lot of people don’t understand how many threat vectors are out there - much less how they work. So when marketing wants to purchase a new tool and is afraid of being told no, they do it anyway. (Trust me, I’ve utilized this to my advantage before.) They’re not thinking about the ramifications of uploading data into an unapproved cloud so that they can send out new campaigns. When sales downloads a document that is supposed to be internal only and sends it out via email to their customers because “it’s a really great selling piece!” how do you know? Moreover, how do THEY know that they’re causing an issue?
Unfortunately, there is an “and then” here: A bad actor gets a hold of that data or IP and the next thing you know a Super Hot Giant Alien is tromping all around your putt-putt golf course of data. It’s really not a great scenario.
The biggest problem with unstructured data is that traditional email filtering/anti-virus/database security isn’t going to catch these exploits. They are looking for signatures, access profiles, etc. to determine if something can be downloaded or is a known threat, but that’s about it. They aren’t accounting for the human component.
What about screen grab? What about copy/paste? Even if it’s allowed to be downloaded how are you keeping tabs on where it goes after the fact? It probably looks like an innocent action but could be turned into something malicious. It’s like seeing an ostrich but thinking it’s a llama – and man are those ostriches mean.
Just like anything in InfoSec, there is no singular solution to the problem. It has to start from the bottom: making sure your people understand the importance of keeping IT/Security in the loop. Setting policies to stop it before it goes out. Having the tools to not only catch it, but actually pull back any data that wasn’t supposed to be exfiltrated.
A Native Texan now living in the magnificent New York City, Tricia Howard is an artist gone rogue who ended up in the wonderful world of security. With a B.A. in Theatre Arts and interests ranging from Star Wars to Opera, she brings a unique and artistic perspective to her clients and the tech world. When she’s not solving business problems, you can find her singing, painting, and doing copious amounts of jigsaw puzzles. (Spoiler: This is my sales hat talking.)
The good news is there are plenty of great organizations who can help you with this, whether it be the tools, help writing/enforcing policy, or even managing it themselves. Wanna chat? Hit me up with the links below and I can tell you how Optiv can help.