
Which company is next and why?

Cyber Bob | June 12, 2019

Twitter: @MeetCyberBob

IoT security faces many challenges stemming from vulnerabilities present in many operating systems, including widely-used Windows releases. Without taking the time to regularly update and patch our devices, businesses face a myriad of IoT security threats.

The Common Vulnerabilities and Exposures database, more commonly known as CVE, lists 775 vulnerabilities for Windows 10.
https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-32238/Microsoft-Windows-10.html

For the worst offending vulnerabilities – those with a score of 9 or above – this total drops, but still stands at a staggering 134.
https://www.cvedetails.com/vulnerability-list.php?vendor_id=26&product_id=32238&version_id=&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=9&cvssscoremax=0&year=0&month=0&cweid=0&order=1&trc=775&sha=41e451b72c2e412c0a1cb8cb1dcfee3d16d51c44

If we dig into the detail and roll back one version of the Microsoft operating system line to Windows 8.1, we find 757 vulnerabilities. 19 of these were identified since the start of 2019.
https://www.cvedetails.com/product/26434/Microsoft-Windows-8.1.html?vendor_id=26

Windows 7? The number jumps way up to 1047 known vulnerabilities.
https://www.cvedetails.com/product/26434/Microsoft-Windows-7.html?vendor_id=26

These numbers really start to jump out when you consider that the CVE database lists 1548 different vendors in total. Microsoft, the largest vendor of operating systems, has a total of 6193 vulnerabilities.
https://www.cvedetails.com/top-50-vendor-cvssscore-distribution.php

For reference, the number of vulnerabilities listed in the CVE database changes daily – sometimes even increasing. The list of the top 50 reads as a “Who’s Who” of celebrity operating systems – of user, IoT and OT device manufacturers. This leads to a couple of simple questions for all of you senior executives. How many of these different operating systems exist on your network? The average is at least 20 different types of devices for a small to medium business.

How many devices have to be compromised before the company or brand has to report to the board that an IoT security breach has happened? Usually… just one.

We are making our networks more fluid, with faster connection speeds and more transient devices, especially on wireless. How do you account for each device and ensure that, each time it connects to YOUR network, you understand what risks it brings with it?

A better thought? This can be addressed by orchestrating the tools you already own, including network, security, and endpoint management tools. Your teams might have purchased most of the tools already needed; now you need to bring them together and ensure that you increase team productivity, harmonize cross-group operations, and provide complete & continuous visibility. This is why your teams really need a complete IoT security toolbox for device visibility and control with Forescout.
