
This research analyzed nearly 19 million real-world enterprise devices for risk factors such as known vulnerabilities, open ports, legacy operating systems, endpoint protection and internet exposure, across different industries and device categories: IT, IoT, OT (industrial IoT) and medical devices (IoMT).
Comparing the telemetry data against the list of the top 20 riskiest devices from a year ago, the researchers found seven new device types added to the list because of vulnerabilities and exploits revealed since then: VPN gateways, security appliances, NAS boxes, out-of-band management (OOBM) platforms, engineering workstations, remote terminal units (RTUs) and blood glucose monitors.
The other thirteen device types remained the same as in the previous list and include some expected entries: computers, servers and routers in the IT category; printers, IP cameras and VoIP systems in IoT; UPS, PLC and building automation systems in industrial IoT; and healthcare workstations, imaging devices, nuclear medicine systems and patient monitors in IoMT.
The risk score of a device is calculated by looking at three categories of factors:
- Configuration
- Function
- Behavior
Nearly 4,000 vulnerabilities were present in the 19 million network devices for which data was available. The majority of these (78%) affected IT devices, the category that includes the most common types of devices on enterprise networks, such as computers and servers. The IoT device category accounted for 16% of vulnerabilities, industrial devices for 6% and medical devices for 2%.
However, not all vulnerabilities are equal, and not all are easy to patch. IT devices differ from OT and IoT devices, and medical devices differ from all the others. Healthcare was the industry with the largest number of high- and medium-risk devices and the only industry where the number of such devices increased, followed by retail, manufacturing, finance and government.
The US CISA maintains a constantly updated list of vulnerabilities known to be exploited in the wild, which government agencies have deadlines to patch; this may have played a role in reducing the number of risky devices on government networks.
Realistic Difficulties
Since embedded devices running special-purpose operating systems and firmware are generally harder to patch, it is no surprise that healthcare and retail have the highest number of such devices while also being the sectors with the highest number of medium- and high-risk devices. Just because a device is running Windows does not mean it is easy to patch.
Many special-purpose devices across all industries run versions of Windows that are no longer supported, such as Windows 8, 7, XP and CE. Healthcare and retail again lead the pack in the number of such devices on their networks, and the device categories with the largest percentage of devices running legacy Windows versions are OT with 63% and medical devices with 35%.
Riskier Port Exploitation
Open communication ports are another factor that can increase risk, especially when they belong to legacy protocols such as Telnet or commonly exploited ones such as SSH, SMB or RDP. Not all devices can run endpoint security agents such as antivirus, and even on those that have such agents installed, the agents are sometimes disabled.
While direct exposure to the internet does not necessarily mean a device will be compromised, it certainly increases the risk if that device also has known unpatched vulnerabilities or patches are not deployed in a timely manner.
Routers and other networking devices along with security appliances made up around half of the internet-exposed devices with 25% and 33% respectively. This is expected since these are generally perimeter devices that control or inspect the traffic in and out of corporate networks. Next on the list were IP cameras that accounted for another 23% of internet-exposed devices, NAS boxes with 7%, VoIP systems with 3%, and printers with 2%. Around 5% were other IoT devices and 2% were OT devices.
The government, manufacturing and retail verticals have an unusually large number of NAS boxes exposed to the internet; government and financial services also have many printers exposed. Financial services also have a larger number of OT devices exposed compared to other verticals, as well as many security appliances, matched only by the healthcare sector.
Reducing the risk posture
Organizations should take specific actions to reduce risk:
- The existence of legacy Windows and critical vulnerabilities in OT and IoMT means that organizations need immediate action plans to upgrade, replace or isolate these devices as much as possible.
- The often-disabled endpoint protection solutions on IT devices mean that organizations must adopt automated device compliance verification and enforcement to ensure that non-compliant devices cannot connect to the network.
- Commonly found exposed devices such as IP cameras and dangerous open ports such as Telnet mean that organizations must improve network security efforts, including segmentation.
Beyond risk assessment, risk mitigation should use automated controls that do not rely only on security agents. Likewise, those controls must apply to the whole enterprise instead of silos such as the IT network, the OT network or specific types of IoT devices.
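The factors the report names (legacy OS, risky open ports, a missing or disabled endpoint agent, internet exposure and known vulnerabilities) can be turned into the kind of automated compliance gate the recommendations call for. This is an added illustration, not Forescout's scoring model: the point weights, category weights, tiers and device records are constructed assumptions.

```python
"""Illustrative device-compliance check built from the risk factors the report
names. Weights, tiers and thresholds are constructed for this example and are
not Forescout's scoring model."""
from dataclasses import dataclass

LEGACY_WINDOWS = {"Windows XP", "Windows 7", "Windows 8", "Windows CE"}
# Ports the report singles out: legacy Telnet plus commonly exploited SSH/SMB/RDP.
RISKY_PORTS = {23: "Telnet", 22: "SSH", 445: "SMB", 3389: "RDP"}
# Hard-to-patch categories get a higher baseline weight (constructed values).
CATEGORY_WEIGHT = {"IT": 1.0, "IoT": 1.2, "OT": 1.5, "IoMT": 1.5}

@dataclass
class Device:
    name: str
    category: str
    os: str
    open_ports: set
    internet_exposed: bool
    known_vulns: int
    agent_installed: bool
    agent_enabled: bool = True

def risk_factors(d: Device) -> dict:
    """Return each contributing factor with its constructed point value."""
    f = {}
    if d.os in LEGACY_WINDOWS:
        f["legacy_os"] = 30
    risky = sorted(RISKY_PORTS[p] for p in d.open_ports if p in RISKY_PORTS)
    if risky:
        f["open_ports:" + ",".join(risky)] = 10 * len(risky)
    if not d.agent_installed or not d.agent_enabled:
        f["no_active_agent"] = 15          # installed-but-disabled counts too
    if d.internet_exposed:
        # Exposure compounds unpatched vulnerabilities, so weight it by them.
        f["internet_exposed"] = 20 + 5 * d.known_vulns
    elif d.known_vulns:
        f["known_vulns"] = 5 * d.known_vulns
    return f

def risk_score(d: Device) -> int:
    return round(sum(risk_factors(d).values()) * CATEGORY_WEIGHT[d.category])

def tier(score: int) -> str:
    return "high" if score >= 60 else "medium" if score >= 30 else "low"

def admission_decision(d: Device) -> str:
    """Enforcement step: non-compliant devices are quarantined or restricted."""
    t = tier(risk_score(d))
    return "quarantine" if t == "high" else "restricted" if t == "medium" else "admit"
```

The decision is independent of any agent on the device itself, so it also covers IoT, OT and IoMT endpoints that cannot run one.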
This research was documented by researchers from Forescout.
Source: Forescout & CSO Online