Federal agencies have long been concerned about the cybersecurity threat of shadow IT, where employees create accounts for unvetted and unsecured online services such as word processors, cloud storage or messaging. Information transmitted by or stored on those accounts is vulnerable and can even pose a threat to broader government systems.

Now, the Department of Education is using open-source intelligence to battle the potential threat of shadow IT, said Steven Hernandez, CISO of the Department of Education, at CyberCon 2019 Nov. 12.

In some ways, the shadow IT challenge is a generational development, said Hernandez. Employees who grew up using online services can be reluctant to migrate to working on agency-approved programs and services, which either operate differently or aren’t as easy to use. Some employees will ultimately circumvent the approved systems to create online accounts for services like document processing or cloud storage. While that may make the employee’s work life easier, it puts information on those systems at risk.

“If all of your work around a particular project is taking place in Slack Teams ... it’s now outside of email. You’ve now shifted that attack surface to one that is public,” Hernandez said. “Getting people to shift about how they work or where they put work products is foundational for helping us protect the enterprise moving forward.”

By purchasing open-source intelligence on their employees, the department is able to see which unauthorized services employees have created accounts for and whether information from those accounts is for sale on the dark web.

“A lot of your users will go out there and they will create accounts for shadow IT services and you won’t find out about it until it shows up in a breach or it shows up in one of these reports saying, ‘By the way, did you know we on the dark web found all these .ed.gov accounts?’” Hernandez said.

“Security brokers play a vital role in not only making sure that we have all the right people with the right access to the right services, but also finding where, ‘Geez, this person also appears to have accounts over at Cloud X, Y and Z. Those aren’t authorized for our use and we probably need you to delete that,’” he said.

Not only is the department able to use open source intelligence to identify shadow IT accounts being used by employees, in some cases passwords for those unauthorized accounts are for sale on the dark web as well. That presents its own cybersecurity threat, especially if employees aren’t using best practices for passwords.

In order to combat these types of problems, federal agencies need to provide tools that are equally effective and easy to use as the commercial services employees want, said Hernandez. But until then, federal agencies can use open source intelligence to find shadow IT accounts and have them shut down before they become a security breach.