In the first edition of The Enterprise of Things Security Report, Forescout researchers have identified the top 10 Internet of Things (IoT) device attack vectors that hackers can use to gain access to enterprise networks.
For the report, Forescout Research Labs has undertaken the most comprehensive study of its kind within the greater cybersecurity industry to date, assessing the risk posture of more than eight million devices deployed across five verticals: financial services, government, healthcare, manufacturing and retail.
Using carefully defined metrics and data from the Forescout Device Cloud, Forescout has identified points of risk inherent to device type, industry sector and cybersecurity policies. These findings have been translated into data-informed recommendations to help cybersecurity and risk stakeholders mitigate and remediate these identified points of risk.
Rohan Langdon, regional director, Australia and New Zealand, Forescout, said, “Organisational leaders are starting to understand the inherent cyber risks that IoT devices pose; however, there are many questions around which devices pose the highest risk. Knowing the potential risk is critical in helping organisations identify which devices to proactively take action on or potentially block from the network.
“Cyber risk modelling, such as that made possible by Forescout’s Device Cloud data lake, provides boards and executives with a way to know where the highest risk is as well as benchmark against their peers.”
The data illustrates which devices in the cyber-physical realm are most likely to be compromised and exploited, helping security teams focus on key areas according to threat. The devices identified are:
- Physical access control solutions.
- HVAC systems.
- Network cameras.
- Programmable logic controllers.
- Radiotherapy systems.
- Out-of-band controllers.
- Radiology workstations.
- Picture archiving and communication systems.
- Wireless access points.
- Network management cards.
Key findings from the study include:
- The riskiest device groups include smart buildings, medical devices, networking equipment and Voice over Internet Protocol (VoIP) phones. IoT devices, which can be hard to monitor and control, exist in every vertical and can present risk to modern organisations, either as entry points into vulnerable networks or as final targets of specialised malware.
- The device types posing the highest level of risk are those within physical access control systems. These devices are ubiquitous and literally open the doors to the physical world, bridging the gap between the cyber and physical realms. According to the data sample, physical access control solutions are the systems at highest risk due to the presence of many critical open ports, a lot of connectivity with risky devices, and the presence of known vulnerabilities.
- Other top 10 riskiest device types include medical devices and networking equipment. These devices, especially medical devices, have enormous potential impact if compromised, and frequently have critical open ports that expose dangerous services on the network.
- Windows workstations continue to represent a major risk to organisations. More than 30 per cent of managed Windows devices in manufacturing and more than 35 per cent in healthcare are running recently unsupported versions of Windows. Additionally, almost 30 per cent of managed Windows devices in financial services are running operating systems that are not patched against the BlueKeep vulnerability.
- Commonly exploited network services are spread out across industry verticals. Almost 10 per cent of devices in government have default Telnet port 23 open, and almost 12 per cent have default FTP ports 20 or 21 open. In financial services, government and healthcare, close to 20 per cent of devices have default SMB port 445 open and close to 12 per cent have default RDP port 3389 open. These services leave devices open to attacks from automated threats, such as botnets and ransomware, and advanced persistent threats (APTs).
Rohan Langdon, regional director, Australia and New Zealand, Forescout, said, “The number and diversity of connected devices in virtually every industry vertical has presented new challenges for all organisations and indirectly made every business leader a cybersecurity stakeholder. Part of reducing this risk is applying security controls and tools that can help identify and automate controls.
“This includes: having device visibility across the network; accelerating the design, planning and deployment of dynamic network segmentation; enhancing endpoint manageability; automating and enforcing policy-based control; and highlighting operational technology IoT exposure by continuously and passively discovering, classifying, and monitoring network-connected OT and IoT devices.”