Forescout report lists the riskiest devices in your enterprise

Forescout Technologies has published its latest research on the enterprise’s riskiest devices. Those devices are actively sought out by attackers, both as an entry point and, once inside the network, as a foothold for further attacks. Attackers focus on issues such as poor configuration and on what a compromised device offers them in future attacks.

Vedere Labs, Forescout’s research arm, looked at nearly 19 million devices to understand the riskiest devices. The research took place over the first four months of 2024. The results have now been published in a report titled The Riskiest Connected Devices in 2024.

Elisa Costante, Cybersecurity Researcher Leader @ Forescout Research Vedere Labs (image credit - LinkedIn/Elisa Costante)

Elisa Costante, VP of Threat Research, Forescout, commented, “The device has evolved from a pure asset to a reliable, sophisticated, intelligent platform for communications and services, driving a transformation in the relationship between devices, people, and networks.

“We analyzed millions of data points to publish the Riskiest Connected Devices report to integrate important threat context into how organizations use different devices and to redefine what it means to connect and interact securely. Forescout is committed to delivering device threat intelligence that helps organizations respond faster to potential threats and take advantage of opportunities to enhance security postures.”  

The methodology and top five riskiest devices

In any study like this, it is useful to understand how the researchers went about the research. In this case, the researchers decided on a formula that would help them quantify device risk. The report lists three factors that were central to the study:

  1. CONFIGURATION is the number and severity of vulnerabilities on a device, plus the quantity and criticality of open ports.
  2. BEHAVIOR tracks inbound and outbound malicious traffic to devices and inbound internet traffic towards the devices.
  3. FUNCTION is the potential impact on the organisation if a device is compromised.

Vedere Labs then divided devices into IT, IoT, OT and IoM. In each category, it listed the top five riskiest devices. The table below shows the devices by category:

Riskiest connected devices per category (Image Credit: Forescout)

A closer look at the four categories and the devices in them

Some of those devices and their position will come as no surprise to IT Security teams. Others will raise eyebrows, especially given their visibility inside organisations. For example, most IT people will be unsurprised that printers are a problem. They will be surprised to discover that they are less risky than NAS and VOIP devices.

The same level of surprise is likely among those working in healthcare. Despite the concern over PACS systems, especially given the data they hold, seeing electrocardiographs rated as riskier is not what would be expected.

IT Devices

This group of devices is constantly under attack, and a significant amount of IT awareness and security budget is spent on protecting them. Given the constant rise in attacks, it is easy to wonder if that money is achieving anything. However, Vedere showed that while they still account for the most vulnerabilities (58%), that is markedly down from 78% last year.

Another change has been the increase in risk from network devices such as routers and wireless access points. That shouldn’t come as a surprise to anyone. They are connected to the Internet, poorly maintained and patched, making them easy targets. In 2023, one US-based ISP had to physically replace 600,000 routers when an unknown attacker exploited a vulnerability and rendered them useless.

Wireless Access Points are new for 2024. As the report authors point out, they provide access to a business and its guests, often through the same device. That makes them ideal targets as attackers can connect as a guest and try and take over the device to gain access to the business. These devices’ risk level is shown in that they have overtaken endpoints.

The report calls out Virtual Machines and hypervisors. It says, “Hypervisors or specialized servers hosting virtual machines (VMs) have become a favorite target for ransomware gangs since 2022 because they allow attackers to encrypt several VMs at once.”

IoT Devices

When IoT is mentioned, it is often in the context of IP cameras, sensors and similar devices. Yet, this is an extremely broad category. The researchers call out NAS devices for special attention. Exposed to the Internet to make it easy to access data, these devices are a prime target for attackers. Forescout reports several ransomware gangs now focus their time on NAS devices.

The new entry in this group for 2024 is the Network Video Recorder. It is often used to store video from cameras and is increasingly being exposed online. One reason is that organisations monitor the physical security of remote sites from a central location. The challenge is that many NVRs run outdated operating systems and are prone to unpatched vulnerabilities. That allows attackers to wipe data or use the devices as a host.

The risks posed by IP cameras and their hijacking and use as part of botnets are well documented. Despite that, many remain unpatched and, therefore, at risk. One reason is confusion over who is responsible for looking after them. Are they IT devices, or are they under the control of building security teams? That gap in control makes them easy to exploit.

Printers have long been an attacker’s friend. As they have become more powerful, these network devices have become usable hosts for malware. Hewlett Packard even went so far as to commission videos to warn people of the danger unmanaged and unpatched printers posed. That campaign is over a decade old and still relevant.

Of concern is that vulnerabilities in these devices are up 136% since 2023.

OT Devices

The report states, “The riskiest OT devices include the critical and insecure-by-design PLCs and DCSs.” There are many reasons for this, not least the lack of awareness of, and visibility into, these devices among security teams. They are generally purchased and managed by engineering teams who lack the skills to maintain them securely. They are often embedded into other components and are not listed in CMDBs.

Another invisible device group is UPSs. They are essential to keeping systems running during power brownouts and to allowing server farms to shut down gracefully. However, they fall into the category of boring devices nobody gets excited about or cares about. Nobody, that is, apart from attackers, who find them accessible online and know how quickly they can cause chaos by shutting them down.

The same is true of building management systems. These control physical elements like heating, cooling, water, and security locks. Turn them off, and everything stops. Doors cannot be opened, and people must leave offices due to excessive heat or cold. However, they are another group of devices for which nobody knows who is responsible for security.

This group also includes industrial robots, which are on the list for the first time. They are so important that many hacking competitions feature an exercise to find a vulnerability in one. The bigger concern is that they are increasingly replacing humans on production lines and running autonomously. Attacks on them are as much about impacting manufacturing as they are about causing service outages.

Internet of Medical Things (IoMT) devices

With five new devices, it might seem like a new category. It isn’t, and that is a major concern. It shows that after all the attention in 2023 on healthcare, the attack surface has changed as attackers pivoted. Forescout says that a simple move from using Telnet to SSH for remote management is responsible for improving security. The number of open ports dropped from 10% to 4% in a year.

However, attackers know the value of medical data, especially when it comes to multiple tiers of ransom against facilities, vendors, and patients. Like many categories of IoT/OT devices, healthcare devices are designed for longevity, unlike many traditional computing devices. That means software gets out of date, and there is more time for vulnerabilities to be found and exploited.

This year’s concern is the shift to dispensing devices, such as insulin pumps and other related devices. If these are attacked, patients cannot rely on what medication they are getting. It creates uncertainty and risk for patients and clinicians alike.

Detailed analysis gives no detail

The report goes on to address the industries with the highest average risk. Unsurprisingly, technology tops the list with an average score of 8.3. Education at 8.14 and Manufacturing at 7.98 are close behind.

Surprisingly, despite the risks in healthcare, it has achieved the most. It has moved from first to last place in this survey with an average of 7.25. Just above it in ninth place is Retail at 7.37, which was in second place last year. Services are just above these two at eighth with an average of 7.41.

Unfortunately, the detailed analysis offers no explanation as to why the changes occur across industries. Nor does it provide trend lines or offer insights into best practices.

The detailed analysis is interesting when comparing a wider view of operating systems and their age. Using legacy devices whose operating systems are no longer supported is always a risk. There are ways of managing it, but that depends on an organisation’s risk appetite.

There has also been a shift in vulnerabilities. That might be down to the attention on IT risk over the last year or attackers pivoting to new and easier targets.

Looking at the number of open ports per industry shows that much work still needs to be done. Telnet has almost disappeared, and RDP has also decreased significantly. However, there is still much work to be done with SMB, which remains extremely high, especially in the technology, financial, services and government sectors.

Enterprise Times: What does this mean?

There is much more to be uncovered from this research. While it was conducted by a research team at Vedere Labs, there is little qualitative insight. Instead, it relies on quantitative research, throwing up a lot of numbers that can be interpreted in several ways.

What is important, however, is that the report looks hard at what is going on with device security rather than application security. In doing so, it casts a more realistic look at where the risks are for organisations. In turn, that provides a focus that can be used to reduce risk, something that both healthcare and retail managed last year.

Forescout does suggest three steps that organisations can take to reduce device risk:

  1. Upgrade, replace or isolate OT and IoMT devices running legacy operating systems known to have critical vulnerabilities.
  2. Implement automated device compliance verification and enforcement to ensure non-compliant devices cannot connect to the network.
  3. Improve network security efforts, including segmentation, to isolate common, exposed devices such as IP cameras and dangerous open ports such as Telnet.
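The methodology described earlier (configuration, behaviour and function) and the three mitigation steps above, as an added example that is not Forescout's code or scoring scale: the weights, port criticalities, device categories and the inventory are all assumed and constructed for illustration, and the action keys map one-to-one onto the three steps.

```python
from dataclasses import dataclass

# Assumed weights, constructed for this example; not Forescout's published scale.
SEVERITY = {"critical": 1.0, "high": 0.7, "medium": 0.4, "low": 0.1}
PORT_RISK = {23: 1.0, 445: 0.8, 3389: 0.8, 22: 0.3, 80: 0.3, 443: 0.2}
FUNCTION_IMPACT = {"PLC": 1.0, "insulin_pump": 1.0, "NVR": 0.5, "ip_camera": 0.3, "laptop": 0.3}
OT_IOMT = {"PLC", "DCS", "UPS", "insulin_pump"}        # step 1 targets these categories
EXPOSED_KINDS = {"ip_camera", "NVR", "NAS"}           # step 3: commonly exposed devices
DANGEROUS_PORTS = {23, 445, 3389}                     # Telnet, SMB, RDP
@dataclass
class Device:
    name: str
    function: str
    legacy_os: bool          # OS no longer supported by its vendor
    open_ports: list         # TCP ports reachable on the network
    vulns: list              # severities of known vulnerabilities
    malicious_traffic: bool  # inbound/outbound malicious traffic observed
    internet_inbound: bool   # receives inbound traffic from the internet

def configuration_score(d):
    # Vulnerabilities (count x severity) plus open ports (count x criticality), capped at 10.
    vuln = sum(SEVERITY[v] for v in d.vulns)
    ports = sum(PORT_RISK.get(p, 0.1) for p in d.open_ports)
    return min(10.0, 2.0 * vuln + 2.0 * ports)
def behavior_score(d):
    # Malicious traffic weighs more than mere internet reachability.
    return 10.0 * (0.6 * d.malicious_traffic + 0.4 * d.internet_inbound)
def function_score(d):
    # Impact on the organisation if this device is compromised.
    return 10.0 * FUNCTION_IMPACT.get(d.function, 0.3)
def risk_score(d):
    return round(0.4 * configuration_score(d) + 0.3 * behavior_score(d) + 0.3 * function_score(d), 2)
def recommended_actions(d):
    actions = []
    if d.legacy_os and d.function in OT_IOMT:
        actions.append("isolate_legacy")       # 1: upgrade, replace or isolate
    if d.legacy_os or "critical" in d.vulns:
        actions.append("enforce_compliance")   # 2: keep non-compliant devices off the network
    if d.function in EXPOSED_KINDS or DANGEROUS_PORTS & set(d.open_ports):
        actions.append("segment")              # 3: segment exposed devices / dangerous ports
    return actions
def rank_devices(devices):
    return [d.name for d in sorted(devices, key=risk_score, reverse=True)]

# Constructed inventory, not data from the report.
INVENTORY = [
    Device("plc-01", "PLC", True, [23, 502], ["critical", "high"], False, True),
    Device("cam-07", "ip_camera", True, [80, 23], ["high"], True, True),
    Device("laptop-22", "laptop", False, [445, 3389], ["medium", "low"], False, False),
]
```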

Where will your organisation, industry and devices rank in the next report?
