Even if the number of employees working in the office is shrinking, there’s one thing that continues to grow in empty workplaces: enterprise IoT security risk.
As chronicled here recently in expertIP, work-from-home (WFH) is grabbing everyone’s attention as the new frontier of cyber risk. Is your WFH employee’s video doorbell a bigger threat to your enterprise network than you thought? Probably. But don’t let that distract you from the IoT devices that actually expose your workplace to the highest risk: HVAC, building access control systems and IP cameras.
A report from ForeScout Labs is a sobering reminder that while WFH threats are on the rise, threats to IoT devices within traditional enterprise environments are escalating as well.
Internet of T(hreats)
The researchers crunched data from more than eight million connected enterprise devices deployed across five verticals: financial services, government, healthcare, retail and manufacturing. The study covered three types of connected enterprise devices: IT, IoT and OT (operational technology, which is more prevalent in industrial settings and often highly automated).
“We’re seeing a massive scale of these devices. Many of them are third party (devices), which you can’t own,” ForeScout’s senior engineering director, Shane Coleman, said during a virtual presentation at this year’s SecTOR security conference.
“We’re seeing that about 75 per cent of these are IoT devices that you can’t put an agent on,” he said.
As stated in the ForeScout report, “IoT devices, which can be hard to monitor and control, exist in every vertical and can present risk to modern organizations, both as entry points into vulnerable networks or as final targets of specialized malware.”
Most dangerous devices
Where does the greatest IoT risk lurk inside your workplace environment? According to ForeScout’s findings, these are the 10 riskiest connected enterprise devices:
1) Physical access control: The irony! These authorized badges used to open and close door locks pose the biggest risk of letting bad guys into your network. PAC tops the list “due to the presence of many open ports, a lot of connectivity with risky devices, and the presence of known vulnerabilities,” ForeScout explains.
2) HVAC systems: Noting that ‘smart’ HVAC systems are particularly prevalent in retail and government buildings, ForeScout adds this observation: “Smart buildings perfectly exemplify a cross-industry domain where IT and OT are converging and where IoT devices are proliferating.”
3) IP cameras: “These cameras have dozens of serious vulnerabilities associated with them,” ForeScout warns, including CVE-2018-10660.
4) PLCs (programmable logic controllers): These computers operate industrial robots and automate manufacturing processes such as assembly lines.
5) Radiotherapy systems: ForeScout’s report says these healthcare devices “were found configured with many critical ports open (including Telnet) and connectivity to other risky medical devices.”
6) Out-of-band controllers: used for network and device management.
7) Radiology workstations: ForeScout researchers say these medical devices are risky because “common attacker tools can be easily adapted (there) to achieve persistence or to pivot within a healthcare network.”
9) Wireless access points
10) Network management cards: used for remote monitoring and control of individual UPS devices.
Risk within industry verticals
Merely running connected devices on outdated versions of Windows is a significant security risk, according to ForeScout researchers, and it’s an issue across every industry vertical.
“Windows workstations continue to represent a major risk to organizations,” the ForeScout report states. “More than 30 per cent of managed Windows devices in manufacturing and over 35 per cent in healthcare are running recently unsupported versions of Windows. Additionally, almost 30 per cent of managed Windows devices in financial services are running operating systems that are not patched against the BlueKeep vulnerability.”
In the government sector, ForeScout estimates that 21 per cent of connected devices are exposed to potential CurveBall attacks due to Windows vulnerabilities.
While you’re warning your WFH staffers their smart watches could compromise your business networks, keep a close watch on IoT devices back at your office, manufacturing facility or store, too.