Identifying IoT Devices: Step One in Mitigating Threats
IoT devices are connecting to enterprise networks at a rapid pace. Gartner, Inc. forecast that 8.4 billion connected things were in use worldwide in 2017, up 31 percent from 2016, and that the number will reach 20.4 billion by 2020 [1]. In addition, by 2020 more than 25 percent of identified attacks in enterprises will involve IoT, although IoT will account for less than 10 percent of IT security budgets [2]. While visiting major customers and prospects, we tend to receive feedback that IoT is not top of mind for IT security teams because of the widely held assumption that IoT devices are not allowed on the network. This blog is my humble attempt to convince IT pros to reject that assumption while providing a few examples of IoT risk found on today's enterprise networks.
IoT devices can be found on almost all enterprise networks, whether IT personnel are aware of them or not, and they can serve as launch pads for attacks. The Mirai and Reaper botnets are just the latest cases in point.
The Internet of Things has been dubbed the "Internet of Threats" because of several factors related to IoT and security, or insecurity, as the case may be. In general, IoT devices are basic, low-cost, purpose-built systems with very short life spans and time to value. Lightbulbs are a good example. They are made in vast quantities at extremely low price points and, these days, they are often networked. But given their low profit margins, lightbulb manufacturers see their products as "sell and forget" devices. Like most IoT device vendors, they lack incentives for investing in on-board security functionality.
This is a significant marketplace challenge that has led to weak authentication and authorization, use of insecure protocols with no encryption, insecure web interfaces, and unprotected firmware and software releases [3]. In a flat network with few, if any, network segmentation controls in place, the impact of a compromised IoT device can be tremendous. The importance of network segmentation in dynamically isolating IoT devices and other networked assets and reducing the overall attack surface can't be stressed enough!
IoT Visibility Is Key
In a recent meeting with a large healthcare organization, the CISO asked us to assess the current state of IoT risk in his company's back-office environment. Using Forescout visibility and our device library taxonomy, we were able to find thousands of building automation devices, physical security devices, healthcare IoT devices, office IoT devices (printers, signage, VoIP phones, etc.) and wireless security endpoints. This certainly came as an eye opener for the CISO, and we didn't stop there. CounterACT's visibility gives us deep insight not only into the type of device but often into the device's firmware and open ports. We uncovered some major vulnerabilities on previously undetected IoT devices, such as factory default usernames and passwords that hadn't been changed, and insecure protocol usage such as HTTP and Telnet instead of more secure protocols like HTTPS and SSH. The most alarming finding was that the vulnerabilities on these IoT devices were such that attackers could use them to infiltrate our healthcare customer's IT computing environment. Not surprisingly, the CISO expressed deep concern about the level of IoT risk and asked us to help bring comprehensive IoT visibility into his company's IT ecosystem.
The Forescout platform continuously monitors and interrogates infrastructure, not just the devices, thus bringing full visibility into the IoT world. Forescout enables visibility into devices by collecting information from switches, wireless controllers, virtualization infrastructure, cloud providers and third-party tools on your network. As soon as an IoT device connects to the network, Forescout can detect the device and bring it into line with your IT risk program.
Detection of the connected device is just the first step of the process. Forescout can categorize the device based on our passive and active fingerprinting capabilities. You can then combine this objective assessment of the device with an understanding of your organizational context and policies. What is this device doing on your network? What processes does it enhance or depend on? Is it a critical system or a fairly useless new gadget? Who owns it? Is it behaving the way it is expected to behave? Some of these questions can be answered by your CMDB or ITSM tools. The Forescout platform can consult those tools and then perform additional assessments to determine whether an IoT device is a friend or foe, and act accordingly.
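The two steps described above (the assessment findings from the healthcare engagement and the fingerprint-then-categorize workflow) can be illustrated with a small triage script. The following is an added example written for this post, not Forescout or CounterACT code: it classifies devices in a constructed inventory from passive signals (DHCP vendor class, then MAC OUI prefix), flags cleartext management protocols (Telnet and HTTP) where the secure alternatives (SSH and HTTPS) should be used, and records factory default credentials that a previous, authorised check noted in the inventory. The OUI prefixes, DHCP vendor-class strings and device records are all constructed placeholders, not real vendor values.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed lookup tables (placeholder values, not real vendor OUIs or DHCP strings).
OUI_TABLE = {
    "00:11:22": "IP camera",
    "00:33:44": "Smart lightbulb hub",
    "00:55:66": "VoIP phone",
}
DHCP_VENDOR_CLASS = {
    "ExampleCamOS": "IP camera",
    "ExamplePrinter": "Printer",
}
# Cleartext management services and the secure protocol that should replace each.
INSECURE_SERVICES = {23: ("Telnet", "SSH"), 80: ("HTTP", "HTTPS")}


@dataclass
class Device:
    ip: str
    mac: str
    open_ports: set[int] = field(default_factory=set)
    dhcp_vendor_class: str = ""
    # Recorded outcome of an authorised credential review, not something this script tests.
    default_credentials: bool = False


def classify(dev: Device) -> str:
    """Passive fingerprint: DHCP vendor class is more specific than the OUI, so it wins."""
    if dev.dhcp_vendor_class in DHCP_VENDOR_CLASS:
        return DHCP_VENDOR_CLASS[dev.dhcp_vendor_class]
    return OUI_TABLE.get(dev.mac[:8].lower(), "unknown")


def findings(dev: Device) -> list[str]:
    """List the weaknesses the inventory shows for one device."""
    out = []
    for port, (proto, secure) in sorted(INSECURE_SERVICES.items()):
        if port in dev.open_ports:
            out.append(f"{proto} on port {port}: replace with {secure}")
    if dev.default_credentials:
        out.append("factory default credentials still in use")
    return out


def risk_level(dev: Device) -> str:
    """Default credentials on a reachable device outrank a cleartext protocol alone."""
    if dev.default_credentials:
        return "high"
    if any(p in dev.open_ports for p in INSECURE_SERVICES):
        return "medium"
    return "low"


def triage(inventory: list[Device]) -> dict[str, tuple[str, str, list[str]]]:
    """Map each IP to (device category, risk level, findings) for the segmentation review."""
    return {d.ip: (classify(d), risk_level(d), findings(d)) for d in inventory}


# Constructed inventory records, as a visibility tool might export them.
SAMPLE_INVENTORY = [
    Device("10.0.5.10", "00:11:22:aa:bb:cc", {23, 80}, default_credentials=True),
    Device("10.0.5.11", "00:55:66:01:02:03", {22, 443}),
    Device("10.0.5.12", "00:99:88:77:66:55", {80, 443}, dhcp_vendor_class="ExamplePrinter"),
    Device("10.0.5.13", "00:ab:cd:ef:01:23", {23}),
]

if __name__ == "__main__":
    for ip, (category, risk, notes) in triage(SAMPLE_INVENTORY).items():
        print(f"{ip:12} {category:22} {risk:6} {'; '.join(notes) or 'no findings'}")
```

The ordering matters for the segmentation discussion earlier in the post: devices marked "unknown" or "high" are the ones to isolate first, because a cleartext management port on a device nobody has claimed is exactly the launch pad described above.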
A common but flawed approach is using 802.1X to identify IoT devices and their ownership via certificates. More than 80 percent of IoT devices can't participate in 802.1X authentication and can't accommodate the certificate and encryption engine needed for a PKI exchange. As a result, some organizations simply fall back to MAC authentication bypass, which opens the network up to a slew of additional risks.
To amplify CounterACT's visibility and detection capabilities, Forescout added device profiling and classification with an extensible taxonomy that automatically identifies and categorizes IoT and OT devices as well as traditional, mobile and virtual endpoints. In addition, the Forescout platform can leverage the cloud to improve the efficacy of IoT device management on enterprise networks. Forescout customers can upload newly discovered IoT devices into the Forescout Classification Cloud, which our data scientists use to enrich existing device fingerprints or create new ones. Forescout's current device library comprises thousands of IoT and OT device profiles, which are delivered to our customers through our existing product update mechanism.
[1] Gartner press release, https://www.gartner.com/newsroom/id/3598917
[2] Gartner press release, https://www.gartner.com/newsroom/id/3291817
[3] Internet of Things Research Study, 2015 report, Hewlett Packard Enterprise, http://files.asset.microfocus.com/4aa5-4759/en/4aa5-4759.pdf