Industry analysts predict that by next year (2020), 1 in every 4 attacks in enterprises will involve an IoT device. Verizon’s 2019 Mobile Security Survey showed that over three quarters of respondents believe that IoT devices are the greatest cybersecurity threat facing organizations.
Despite these stark findings and dire predictions, Symantec’s IoT research team found that many security teams do not apply even the most basic protections to these devices: encrypted communications and proper authentication.
Many devices are not designed with the storage or processing capacity to run traditional security functions, which presents a challenge for security teams. A further problem is that a great number of devices simply go undetected. In a recent webinar with Jack Jones, Chairman of the FAIR Institute, and Gaurav Pal, CEO of stackArmor, we discussed the risks posed by rogue devices.
What do we mean by a rogue device?
In human terms, the word rogue has a negative connotation. Corrupt, dishonest, unwanted and unauthorized come to mind. In the connected world, NIST simply defines a rogue device as “an unauthorized node on the network.” Are we talking about super-secret high-tech devices that only a few people know and have access to? No. InfoBlox reports that the most common IoT devices found on enterprise networks included:
- Fitness trackers, such as FitBit or Gear Fit – 49 percent
- Digital assistants, such as Amazon Alexa and Google Home – 47 percent
- Smart TVs – 46 percent
- Smart kitchen devices, such as connected kettles or microwaves – 33 percent
- Games consoles, such as Xbox or PlayStation – 30 percent
If undetected and unmanaged, these devices could become rogue devices. One common use case highlighted in Forescout’s IoT Strategy paper is Building Automation Systems. A typical building automation network would include smart lighting systems, video surveillance systems and devices such as the ones mentioned in the InfoBlox survey above. Although exploitation of insecure credentials (default or weak passwords) is the most common attack, our report shows that attackers also exploit these systems with web application and API attacks, lower-level exploits against firmware and protocol-based attacks. Malicious actors may leverage vulnerable IoT devices as a foothold to penetrate your corporate network and perpetrate criminal activities such as exfiltrating confidential data and dropping ransomware.
What are the legal and regulatory implications from rogue devices?
‘If a breach occurs through [a rogue device] you can’t just say “oh, I didn’t know it existed,”’ says Gaurav Pal, CEO of stackArmor. “The legal implication of a rogue device on the edge is that you are liable. That presents a huge risk to the enterprise.”
Every year, there are over 50,000 regulatory changes. These changes are coming from a staggering 1,000 regulatory authorities. Data owners are responsible for the personal information (PI) of a company’s customers, prospects and employees. With the advent of data privacy acts like GDPR and the impending California Consumer Privacy Act (CCPA) with the potential for 7-figure fines, these data owners are the gatekeepers and ultimately a crucial part of the risk management and mitigation team within the enterprise.
How do popular frameworks help reduce vulnerabilities introduced by rogue devices?
Device visibility is foundational to complying with most cybersecurity regulations. As Gaurav states, “[device visibility] is now an imperative… This is not an IT hygiene issue. It’s an enterprise risk issue.” By selecting a comprehensive framework that meets the organization’s needs, companies can focus on quickly implementing the technical controls that address device invisibility issues. Let’s take a look at how three of the most popular frameworks place a premium on device visibility and how their foundational/basic controls can help organizations identify rogue devices and improve the success of their risk mitigation plans:
- NIST Cybersecurity Framework [1]
Identify (ID). This Function helps security teams develop the organizational understanding to manage cybersecurity risk to systems, people, assets, data and capabilities. Its Asset Management Category (ID.AM) focuses on ensuring that the data, personnel, devices, systems and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.
The Forescout platform continuously discovers, classifies and assesses every IP-connected device—managed and unmanaged—that touches your extended enterprise network, allowing you to visualize the security posture of each device and have a complete picture of the network. It can even detect serial-attached ICS devices by monitoring communications between the programmable logic controller (PLC) and its management devices.
- CIS Top 20 Controls [2]
Control #1 – Inventory and Control of Hardware Assets.
Description: Actively manage (inventory, track and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
Forescout offers a unified IT-OT platform that performs a thorough inventory of device information across the extended enterprise network, including campus, data center, cloud, OT and IoT environments. Forescout 8.1 includes expanded coverage to identify more than 500 OS versions and over 5,000 device vendors and models.
- NERC CIP [3]
CIP-002-5.1a BES Cyber System Categorization
Purpose: To identify and categorize Bulk Electric System (BES) Cyber Systems and their associated BES Cyber Assets for the application of cybersecurity requirements commensurate with the adverse impact that loss, compromise, or misuse of those BES Cyber Systems could have on the reliable operation of the BES. Identification and categorization of BES Cyber Systems support appropriate protection against compromises that could lead to mis-operation or instability in the BES.
Forescout automatically generates an inventory of all active network assets by passively looking at industrial network communications. The inventory includes comprehensive details of each asset, including IP address, host name, vendor and model, OS version, firmware version of IT/ICS devices, and the device’s module information.
All assets and their communications are visualized in an interactive network map, grouped by device type and/or network. This provides you with a clear understanding of device type, location on the network and how they are connected. Furthermore, you can easily select assets and label them as High, Medium or Low Impact BES cyber systems. The result is improved efficiency and a NERC CIP asset inventory audit done with minimal input and effort.
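The inventory-and-reconcile step behind CIS Control #1 and the CIP-002 impact labeling above can be shown in a few dozen lines. The following is an added example written for this page, not Forescout code or any vendor's product logic: it parses constructed Linux `arp -a`-style lines (a stand-in for passively observed traffic), matches each observed MAC against a constructed authorized inventory, flags unknown MACs as rogue, flags an unknown MAC answering for an IP that belongs to an inventoried asset as a conflict (possible replacement or spoof), lists authorized assets that were not seen, and groups what remains by its High/Medium/Low impact label. The OUI-to-vendor table is made up for illustration; a real deployment would use the IEEE OUI registry.

```python
"""Reconcile passively observed hosts against an authorized hardware inventory.

Added example for CIS Control 1 (find unauthorized/unmanaged devices) and
NERC CIP-002 impact labeling. This is not Forescout code; the ARP lines,
inventory, and MAC prefix table below are all constructed for the example.
"""
import re

# Constructed Linux `arp -a`-style output, as a passive observer might collect it.
OBSERVED_ARP = """\
? (10.0.1.10) at 02:aa:10:00:00:01 [ether] on eth0
? (10.0.1.11) at 02:aa:10:00:00:02 [ether] on eth0
? (10.0.1.50) at 02:bb:20:00:00:09 [ether] on eth0
? (10.0.1.12) at 02:cc:30:00:00:07 [ether] on eth0
? (10.0.2.5) at 02:aa:10:00:00:03 [ether] on eth1
"""

# Constructed authorized inventory keyed by MAC: expected IP, hostname and the
# BES impact label an analyst assigned (High/Medium/Low).
AUTHORIZED = {
    "02:aa:10:00:00:01": {"ip": "10.0.1.10", "host": "plc-substation-1", "impact": "High"},
    "02:aa:10:00:00:02": {"ip": "10.0.1.11", "host": "hmi-ops-1", "impact": "Medium"},
    "02:aa:10:00:00:03": {"ip": "10.0.2.5", "host": "historian-1", "impact": "Low"},
    "02:aa:10:00:00:04": {"ip": "10.0.1.12", "host": "eng-laptop-1", "impact": "Low"},
}

# Illustrative OUI (first three octets -> vendor) table; the prefixes are made
# up for this example, a real deployment would use the IEEE OUI registry.
OUI = {"02:aa:10": "AcmePLC", "02:bb:20": "FitWear", "02:cc:30": "GenericNIC"}

ARP_RE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17}) .* on (?P<iface>\S+)"
)


def parse_arp(text):
    """Return [{ip, mac, iface}, ...] for each ARP line that matches."""
    records = []
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["mac"] = rec["mac"].lower()
            records.append(rec)
    return records


def vendor_of(mac):
    """Best-effort vendor guess from the OUI prefix (never use it for authorization)."""
    return OUI.get(mac[:8], "unknown-vendor")


def reconcile(observed, authorized):
    """Classify observed hosts as authorized, rogue (unknown MAC), conflict
    (unknown MAC answering for an inventoried asset's IP) or missing
    (authorized but not observed)."""
    ip_owner = {v["ip"]: mac for mac, v in authorized.items()}
    report = {"authorized": [], "rogue": [], "conflict": [], "missing": []}
    seen = set()
    for rec in observed:
        mac, ip = rec["mac"], rec["ip"]
        if mac in authorized:
            seen.add(mac)
            entry = dict(rec, host=authorized[mac]["host"], impact=authorized[mac]["impact"])
            if authorized[mac]["ip"] != ip:
                entry["note"] = "authorized device seen at an unexpected IP"
            report["authorized"].append(entry)
            continue
        entry = dict(rec, vendor=vendor_of(mac))
        report["rogue"].append(entry)
        owner = ip_owner.get(ip)
        if owner is not None:
            # Someone else answers for an IP assigned to an inventoried asset:
            # treat it as a possible replacement or spoof of that asset.
            report["conflict"].append(dict(entry, expected_mac=owner,
                                           expected_host=authorized[owner]["host"],
                                           impact=authorized[owner]["impact"]))
    for mac, v in authorized.items():
        if mac not in seen:
            report["missing"].append(dict(v, mac=mac))
    return report


def by_impact(report):
    """Group observed authorized hosts by BES impact label for the CIP-002 inventory."""
    groups = {"High": [], "Medium": [], "Low": []}
    for entry in report["authorized"]:
        groups[entry["impact"]].append(entry["host"])
    return groups


def run():
    return reconcile(parse_arp(OBSERVED_ARP), AUTHORIZED)


if __name__ == "__main__":
    rep = run()
    for kind in ("rogue", "conflict", "missing"):
        for e in rep[kind]:
            print(f"{kind.upper():9} {e.get('mac')} {e.get('ip', '')} "
                  f"{e.get('vendor', e.get('host', ''))}")
    print("by impact:", by_impact(rep))
```

Running it reports the fitness-tracker-class device at 10.0.1.50 as rogue, the unknown NIC at 10.0.1.12 as both rogue and a conflict with the inventoried engineering laptop, and that laptop as missing. Note the caveat the code comments carry: a MAC address is trivially spoofable, so matching on it only finds the careless rogue; a real control pairs this reconciliation with 802.1X or certificate-based authentication and protocol-level fingerprinting before granting access.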
As devices proliferate and the business need for new and innovative connected devices grows, savvy risk and security teams will continue to hone their risk quantification skills and focus on the high-risk use cases specific to their organization. Identifying, managing and mitigating the financial and operational risk presented by unknown and unsecured systems is critical to risk mitigation success.
Listen to an excerpt of our recent webinar entitled CEO Speaks: Top 5 Risks That CISOs Need to Quantify. In this 6-minute video snippet, Gaurav Pal, CEO of stackArmor will do a deeper dive into the reasons why it is so vital for CISO teams to focus on device visibility as the most important step to complying with high-impact regulations.
[1] NIST Cybersecurity Framework v1.1: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
[2] Center for Internet Security (CIS) Top 20 Controls: https://www.cisecurity.org/controls/cis-controls-list/
[3] NERC CIP Standards: https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx