Daily Archives: December 12, 2015

The Realities of Shadow IT

Every business wants to maximize profits and efficiency. Naturally, employees sometimes feel that the best way to do that is to bypass the IT department and use their own software or services.

Shadow IT refers to technology not supported by a company’s central IT department, and as personal devices become more sophisticated and as more employees turn to the cloud for new systems, shadow IT becomes easier to implement.

Of course, there is nothing inherently wrong with shadow IT. Many view it as an inescapable reality of any company that uses technology and data storage. In fact, IT departments are often aware of shadow IT within the company and make use of it themselves.

However, the reality is that shadow IT introduces security risks because it is not subject to the same security measures as company-sanctioned technology. Cloud-based file sharing services are common forms of shadow IT, and many workers are unaware that such IT can be dangerous.

In this day and age, it would be so easy to use a simple service like Dropbox to store corporate data. But something like this could result in a major security breach.

The advantages of some cloud services are that your data always remains secure and nimble. Some cloud services build a secure network between the cloud, your carrier, and all Peak cloud nodes with a 100% SLA guarantee to keep out “noisy neighbors.” Plus, in the ever-changing business environment where new technologies are constantly affecting your business, some cloud services provide you with whatever you need in the way of technology and security to help you focus on your core business.

With a hybrid model, services can provide management and access to both the enterprise private cloud and connected shadow IT platforms. For example, organizations can continue to allow business units to leverage AWS public cloud environments where speed-to-market and flexibility are critical. Corporate IT can then provide business units with similar levels of flexibility to deploy applications that contain customer-sensitive data in a highly secure private cloud environment.

Regardless of how you store your data, having an honest assessment of your company’s shadow IT usage could go a long way towards increasing productivity and protecting your data.

The Danger of Fake Patches

We talk a lot about threats to data security on this blog, and personal experience has probably acquainted you with everything from Trojan Horses to phishing.

Here’s a particularly sneaky threat that’s becoming more and more common: fake patches.

Part of what makes them a problem is that, unlike those spam e-mails from people and companies you don’t know, fake patches can look like perfectly reasonable notices from software services or programs you’d expect to receive patches from, like Adobe or Google Chrome. The fake updates display the company logo, so they seem real enough. Just last year, in fact, hackers sent out a fake version of Java Update 11 that contained malware.

How well-equipped you are depends, not surprisingly, on the security measures you have in place. Keeping the auto-update feature on is good practice, provided your software is designed to identify incoming patches and make sure they’re genuine. Even then, it’s possible for malware to use a fraudulent certificate to get around an auto-update program.
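The check described above, an updater that only accepts patches it can prove are genuine, as an added example (not code from this blog or from any real updater). It assumes a simplified patch format: the update bytes plus a detached Ed25519 signature over their SHA-256 digest. The point it demonstrates is that the updater verifies against a vendor key it ships with (pinned), so a patch signed with some other, attacker-chosen key fails even though its signature is otherwise well-formed:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Patch is what the updater receives: payload plus a detached signature over
// the payload's SHA-256 digest (constructed, simplified format for this example).
type Patch struct {
	Payload   []byte
	Signature []byte
}

// VerifyPatch accepts a patch only if its signature checks out under the
// vendor key the updater ships with, not under whatever key the download
// claims to be signed by. Returns true only for an untampered, vendor-signed patch.
func VerifyPatch(pinnedVendorKey ed25519.PublicKey, p Patch) bool {
	digest := sha256.Sum256(p.Payload)
	return ed25519.Verify(pinnedVendorKey, digest[:], p.Signature)
}

// signPatch is the vendor-side helper used here only to build sample patches.
func signPatch(priv ed25519.PrivateKey, payload []byte) Patch {
	digest := sha256.Sum256(payload)
	return Patch{Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

// Demo builds a genuine patch, a tampered patch, and a fake patch signed with a
// key the updater does not trust (the analogue of a fraudulent certificate).
func Demo() (genuine, tampered, fake bool) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, untrustedPriv, _ := ed25519.GenerateKey(rand.Reader)
	real := signPatch(vendorPriv, []byte("update v1.1: constructed sample payload"))
	genuine = VerifyPatch(vendorPub, real)
	// Valid vendor signature reused over a payload swapped after signing.
	modified := Patch{Payload: []byte("update v1.1: modified payload"), Signature: real.Signature}
	tampered = VerifyPatch(vendorPub, modified)
	// Well-formed signature, but from a key the updater never pinned.
	fake = VerifyPatch(vendorPub, signPatch(untrustedPriv, []byte("lookalike update payload")))
	return
}

func main() {
	g, t, f := Demo()
	fmt.Printf("genuine=%v tampered=%v fake=%v\n", g, t, f)
}
```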

There are a number of things you can do to minimize risk. Cutting down on Shadow IT and foreign software on corporate machines makes it harder for hackers to send fake patches. A robust antimalware service is another step.

But at the end of the day, just being smart and cautious goes a long way. Fake patches often look suspicious in the same way spam e-mails look suspicious. They might have misspellings or they just don’t look like a software update you’re accustomed to seeing. They might even ask you to pay for the software they’re asking you to download.

Little things like avoiding pop-ups and scanning and cleaning your computer help, too. And, as always, talk with the IT department and back up your files. Communication and stored, safe files will ensure a small problem doesn’t become a big one.

If you’d like to talk more about security, you can connect with us through the

IG: OPM still vulnerable to cyber attacks


Despite some improvement, the Office of Personnel Management continues to lag in cybersecurity, according to the most recent information security audit from the agency’s internal watchdog. Failure to move on key vulnerabilities leaves OPM potentially open to another devastating attack, according to the fiscal 2015 audit from OPM’s Office of the Inspector General.

Despite an increased focus on IT security at OPM after a breach exposed the personal information of over 20 million current, former and prospective federal employees, the agency “continues to struggle to meet many…requirements” under the Federal Information Security Modernization Act, the report stated.

One key weakness: CIO Donna Seymour in April issued an extension on OPM system authorizations that had expired. A continued moratorium on authorizations “will result in the IT security controls of OPM’s systems being neglected,” the report said. “Combined with the inadequacy and non-compliance of OPM’s continuous monitoring program, we are very concerned that the agency’s systems will not be protected against another attack.”

As many as 23 major OPM IT systems are operating without a valid authorization, according to the OIG. The agency agreed with the OIG’s recommendation that all active OPM systems have a valid authorization, but the OIG does not appear convinced of OPM’s intent to follow through on it.

“The [Office of the CIO] could not have made a ‘risk-based’ decision to extend the authorizations of these systems because it has not done any assessment to determine what risks actually exist within these systems,” the report said.

On the positive side of the ledger, OPM closed one recommendation to expand its network monitoring program to include the Continuous Diagnostics and Mitigation Program offered by the Department of Homeland Security on Sept. 30 of this year.

On Nov. 6, OPM’s tech team expanded its data collection to record “more meaningful data” on network events, while reducing the proportion of extraneous information, closing an OIG recommendation from 2014.

Changes made to information security governance this fall at OPM satisfied a long-standing weakness cited by the OIG. At the OIG’s urging, the agency implemented “a centralized information security governance structure where all information security practitioners, including designated security officers, report to the [chief information security officer].”

Still, key weaknesses remain, according to the report. OPM does not have a thorough inventory of its servers, databases, and network devices, which “drastically diminishes” the effectiveness of the agency’s security tools, the report stated. In an age of telework, the OIG also found that OPM has not configured its virtual private network servers to automatically log out of remote sessions.

An ambitious project to revamp OPM’s IT infrastructure by migrating applications to a new “Shell” environment has impacted OPM’s FISMA reporting metrics. The audit compared OPM’s inventory of major IT systems with an inventory done in preparation for the Shell migration.

“There are significant discrepancies between the two lists, and our primary concern is that there are still unidentified systems residing on OPM’s network, and that existing applications are not appropriately classified as major or minor,” the report said. OPM has estimated that the first two phases of the Shell project will cost $93 million, and the agency has struggled to come up with the money for the project.

In comments on a draft of the OIG report, the CIO’s office said it was “proud” to report that it had closed 77 percent of recommendations made by OIG FISMA audits from fiscal years 2007 to 2014. The OIG was less impressed with that number.

“The vast majority of those recommendations were closed many years ago, and are no longer relevant to the current cybersecurity threats that the agency faces,” the OIG report stated. “A more relevant statistic is that OPM has closed only 43 percent” of recommendations in fiscal 2013 and 2014 FISMA audits, it added.