Alexander Van Nevel
Alexander Van Nevel Alexander is an Information Technology Engineer, graduated from the University of Ghent. In his last year he specialized in Information Security and Deep Learning. Currently he is working as an Information Security Engineer, empowering Information Security with State-of-The-Art Deep Learning.

What is Shadow IT?

What is Shadow IT?

Shadow IT is the use of IT systems without the knowledge of the IT or security group within the organisation. Software is an example, and as not all programs are up-to-date, this could mean a security risk.

One of the most efficient tools to manage Shadow IT programs is MCAS or Microsoft Cloud App Security. MCAS identifies all programs used within the organisation and evaluates the risk associated with these programs. These risks are evaluated and checked if they meet compliance standards like GDPR and other industry standards. After this, the usage of the programs is evaluated and if needed, the program is sanctioned.

Is there a free alternative?

Yes, a broad range of tools are available. Some creativity can always bring a solution. The first step consists of getting a list of all the installed software with its version. You can find programs with Sysmo, which is a Microsoft Windows service that gathers events and uploads these to Azure. Also, a complete CVE list is necessary that includes existing vulnerabilities in common software from the official site. With some creative parsing, you can quickly evaluate each program you found by checking if the program version number is higher than the program its version found in the CVE list.

When you find CVE vulnerabilities, there is a tool that you can get information of the vulnerabilities. By parsing out the CVSS (Common Vulnerability Scoring System) score, you can aggregate these results and create python graphs that visualize these results.

It’s important to note that some programs may have ambiguous names like ‘Update’ or ‘converter’. So I would recommend to filter out these results with a blacklist. Also a program was assigned a category, so graphs can represent these categories, e.g. ‘Productivity’, ‘Cloud services’, etc.

If you need any assistance or have any questions regarding cybersecurity within your company, don’t hesitate to contact us.