DNS as your first line of defense against shadow IT
At a glance this seems like a good thing.
For the IT departments of various organisations around the globe, this is a nightmare.
The implications of shadow IT enabled by unsanctioned devices in the workplace are numerous, and last May, Infoblox, the automation, security and network control company announced research to demonstrate how significant the threat posed by shadow devices on enterprise networks, really is.
According to the report’s foreword by Gary Cox, Technology Director of Infoblox for Western Europe, Bring Your Own Devices (BYOD) schemes and unsanctioned shadow IT operations is cause for concern.
But, before IT departments even had a chance to get a handle on unsanctioned devices and shadow IT activities, they are finding they now have to also contend with the massive array of personal devices latching onto these networks, that come in unexpected shapes and sizes.
The scale of the problem
IT directors and employees across the US, UK, Germany and even UAE gave their insights and feedback on their usage of non-business devices on enterprise WIFI networks.
The numbers are staggering, with even small businesses in the 10-49 and 50-99 employees ranges sharing that on an average day, over 1000 business devices get connect.
Over a third of companies in the US, UK and Germany (35 percent) reported more than 5,000 personal devices connecting to the network each day.
Employees in the US and UK admitted to connecting to the enterprise network for a number of reasons, including to access social media (39 percent), as well as to download apps, games and films (24 percent, 13 percent and 7 percent respectively).
The numbers in UAE are not as massive, with 16-percent of IT directors reporting having more than 500 personal devices connected on their networks.
The report also revealed that in the UK, 12 percent of organisations report having over 10,000 shadow IoT devices.
Now here, it is important to discern personal devices from these IoT devices.
Personal mobile devices we typically can identify are like laptops, smartphones and tablets. These are productivity and personal communications tools that IT departments can recognise and detect easily.
Other IoT-type or Internet of Things devices like wearable fitness trackers are less easy to identify and yet, they pose serious security risk.
The most common IoT devices found on enterprise networks included:
• Fitness trackers, such as FitBit or Gear Fit – 49 percent
• Digital assistants, such as Amazon Alexa and Google Home – 47 percent
• Smart TVs – 46 percent
• Smart kitchen devices, such as connected kettles or microwaves – 33 percent
• Games consoles, such as Xbox or PlayStation – 30 percent
Besides these, connected printers are also a vulnerable entry point that is often overlooked by organisations.
The security threats
Besides these devices posing risks by just being online, employees also widen the attack surface when they access social media and download apps.
These practices open organisations up to social engineering hacks, phishing, malware injection and also ransomware.
Such devices are easily discoverable by cybercriminals online via search engines for internet-connected devices, like Shodan, which provides even lower level criminals with an easy means of identifying a vast number of devices on enterprise networks that can then be targeted for vulnerabilities. For example, in March 2018:
• There were 5,966 identifiable cameras deployed in the UK
• There were 2,346 identifiable Smart TVs deployed in Germany
• There were 1,571 identifiable Google Home deployed in the US
All of these are potential entry points for hackers to infiltrate and do their mischief.
For example, Project Sauron, is a DNS tunnelling threat that allegedly was undetected for up to five years at a number of organisations. Using this method, malicious actors were able to exfiltrate data via DNS port.
The 2016 Infoblox Security Assessment Report, showed that 40-percent of all files containing recent DNS traffic of 248 participating organisations, had evidence of DNS tunnelling in them.
This same report also revealed that 35-percent of all files researched showed evidence of botnet activity. In 2016, the Mirai botnet had utilised over 600,000 infected IoT devices, to target DNS service provider, Dyn.
All it takes is a large enough volume of connected but compromised devices to send repeated and frequent queries that bombard the Domain Name Server (DNS). This causes Distributed Denial of Service (DDoS), where the IT network slows down drastically and often to the point it isn’t able to function.
Many websites and services across North America and Europe, including Twitter, Netflix, Reddit and CNN were down, as a result of Mirai.
Hence, the criticality of DDI infrastructure to ensure the robustness of IoT deployments. DDI is an integration of core network services – DNS, DHCP and IP Address Management (IPAM).
Infoblox best practice
Eighty-two percent of organisations researched have introduced security policies for connected devices, but they are still limited as Infoblox found out during their survey. IT directors were found to be often misguided in their estimation of these policies’ effectiveness, and/or rarely followed the policies.
Infoblox recommends that network and security professionals must actively manage the threat of shadow devices.
Besides restricting access to certain sites in an automated way, threat intelligence integrated into DNS management can reduce risk of employees accidentally clicking on non-secured links.
Deploying these solutions can help with policy enforcement and review non-compliant activities in the organisation.
This goes hand-in-hand with full visibility into the network and the devices that are connected to it.
A unified visibility of these important components while devices are on-premises or roaming, provides the context required to prioritise action.
Besides this, it is important to secure the often overlooked DNS.
Over 91 percent of malware uses DNS to communicate with Command and Control (C&C) servers, lock up data for ransom or exfiltrate data. Existing security controls, such as firewalls and proxies, rarely focus on DNS and associated threats – leaving organisations vulnerable to highly aggressive, rapidly proliferating attacks.
When secured, the DNS can act as an organisation’s first line of defence. The DNS can provide essential context and visibility, so IT admins can be alerted of any network anomalies, report on what assets and/or devices are joining and leaving the network, and resolve problems faster