Some enterprise security and management software could be quietly sharing sensitive and personally identifiable information with third parties without explicit customer consent, a new report suggests.
According to enterprise cyber analytics company ExtraHop, security and analytics software was sending valuable data to third parties “in many cases”.
No vendors were named in its report, but it did describe four separate cases in which enterprise security software’s behaviour was questionable: endpoint security software, hospital device management software, surveillance cameras and financial institution security analytics software.
"Enterprise organizations put massive volumes of data into the hands of third-party vendors. In some cases, like SaaS applications, it’s explicit that enterprise data will live within a third-party environment," ExtraHop claims.
"With other products, particularly those that live within the enterprise data centre or cloud infrastructure, exactly how much data those vendors “phone home” to their own environment for things such as analysis can be a lot less clear."
The report stresses that gathering and sharing data is not illegal per se – as long as it’s done properly and with full user consent. That doesn’t seem to be the case here.
According to the report, the security cameras were sharing data with a Chinese IP address known for hosting malware, while the analytics software shared personally identifiable information with someone overseas.
There were also instances of trial versions that kept gathering and sending data after the trial licence had expired and no full licence had been obtained.
The report concludes that this activity doesn’t necessarily indicate malice, but stresses that admins need to be extra careful about where their data moves.
"To be clear, we don’t know why these vendors are phoning home data. The companies are all respected security and IT vendors, and in all likelihood, their phoning home of data was either for a legitimate purpose given their architecture design or the result of a misconfiguration," the report notes. "But the fact that large volumes of data are traveling outbound from a customer environment to a vendor without the customer’s knowledge or consent is problematic."
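The practical takeaway from the report is that admins should know where their data goes. The script below is an added example, not code from ExtraHop or from any of the vendors described, of the kind of check that surfaces “phone home” traffic: it reads flow records, ignores inbound and east-west traffic, and totals the bytes each internal host sends to external destinations that are not on an allowlist of vendor endpoints the organisation has knowingly agreed to send data to. The CSV layout (`timestamp,src_ip,dst_ip,dst_port,bytes_out`), the sample flows, the RFC 1918 definition of “internal” and the allowlist range are all constructed assumptions for the example.

```python
"""Flag outbound "phone home" traffic from constructed flow records.

Added example, not from the ExtraHop report or any vendor product.
Assumptions (hypothetical): flow records are CSV lines of
"timestamp,src_ip,dst_ip,dst_port,bytes_out"; RFC 1918 ranges are
internal; APPROVED_DESTINATIONS holds the vendor endpoints the
organisation has explicitly agreed to send data to.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample flows: an endpoint agent talking to an approved vendor
# range, a camera pushing a lot of data to an unapproved host, some
# internal SMB traffic, and a small unapproved flow.
SAMPLE_FLOWS = """\
2019-10-01T10:00:00Z,10.0.5.21,203.0.113.10,443,12000
2019-10-01T10:00:05Z,10.0.5.21,203.0.113.10,443,9000
2019-10-01T10:00:07Z,10.0.9.40,198.51.100.77,443,350000
2019-10-01T10:00:09Z,10.0.9.40,198.51.100.77,443,410000
2019-10-01T10:00:12Z,10.0.5.22,10.0.1.5,445,50000
2019-10-01T10:00:15Z,10.0.9.41,192.0.2.9,8443,2000
"""

# Hypothetical allowlist: destinations the organisation knowingly ships data
# to, e.g. a SaaS vendor's published egress range.
APPROVED_DESTINATIONS = [ipaddress.ip_network("203.0.113.0/24")]

INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    return any(addr in net for net in INTERNAL)


def is_approved(addr):
    return any(addr in net for net in APPROVED_DESTINATIONS)


def parse_flows(text):
    """Parse CSV flow lines into dicts with typed fields."""
    rows = []
    for ts, src, dst, port, nbytes in csv.reader(io.StringIO(text)):
        rows.append({"ts": ts,
                     "src": ipaddress.ip_address(src),
                     "dst": ipaddress.ip_address(dst),
                     "port": int(port),
                     "bytes": int(nbytes)})
    return rows


def unapproved_egress(flows, min_bytes=0):
    """Total bytes sent from internal hosts to external destinations that are
    not on the allowlist. Returns {(src, dst): total_bytes} for pairs whose
    total is at least min_bytes."""
    totals = defaultdict(int)
    for f in flows:
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue  # inbound or east-west traffic is not "phoning home"
        if is_approved(f["dst"]):
            continue  # destination the organisation has agreed to
        totals[(str(f["src"]), str(f["dst"]))] += f["bytes"]
    return {pair: total for pair, total in totals.items() if total >= min_bytes}


def main():
    flows = parse_flows(SAMPLE_FLOWS)
    hits = unapproved_egress(flows, min_bytes=100_000)
    for (src, dst), total in sorted(hits.items()):
        print(f"{src} -> {dst}: {total} bytes to an unapproved external host")


if __name__ == "__main__":
    main()
```

The threshold only ranks destinations by volume; it says nothing about why the data is leaving, which, as the report itself notes, may be a legitimate part of the product’s design or a misconfiguration. The flagged pairs are the starting point for asking the vendor what is being sent and checking it against the contract, not evidence of wrongdoing on their own.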