How to assess IoT risks that fly under the radar
In the last few years, it has become common practice to “improve” almost everything by adding an embedded computer and connecting it to a network.
Just one decade ago, the average enterprise network consisted primarily of PCs, servers and network devices. The only endpoint devices that were treated differently were the printers and multi-function devices (MFDs), which have been the cause of much pain over the years.
Fast-forward to 2018, and that same network will include hundreds or thousands of connected devices—or endpoints—that are not treated like a PC or server.
Most of these connected devices, commonly called “smart devices,” are inexpensive and designed to have a simple setup, which translates to cheap and poorly secured. This, in conjunction with common “bring your own device” (BYOD) policies, has led to a drastic uptick in the number and type of devices that are connected to an enterprise’s network.
Even more alarmingly, many of these devices sit on the network unbeknownst to the security team, IT or anyone other than the person who connected them. In today’s healthcare environment, three major categories of devices are lurking quietly and bringing with them potential security risks: smartphones (BYOD), smart devices (such as thermostats, IP cameras, and connected coffee pots), and traditionally underestimated endpoints like printers and MFDs.
Most organizations have moved away from the model in which company mobile phones were owned and paid for by the organization. With the exception of a few select verticals, BYOD is the model used in an attempt to save money and to alleviate users from carrying two devices.
There are hundreds of software solutions available that can help segregate the user’s personal data from work-related items, but in most cases there is little separation, and almost any user can at least access a corporate email account from their phone. Most phones allow many other functions as well, such as timekeeping, travel expense reporting, or whatever else the user installs. Users are frequently bombarded with links and ads for malicious software, or even non-malicious software, that is designed to seek out corporate email accounts and other sensitive information.
Smartphones are capable of far more computing power than any of the other devices on this list and that makes them capable of executing more complex and damaging attacks. Many of these devices also have significant storage capacities, which can facilitate insider threats (whether intentional or not). While the safest model would be to go back to company-controlled devices for work-related actions, that is unlikely to happen. Instead, organizations need to educate users, be vigilant, and consider a solution to segregate personal data from enterprise data.
To see the extent of this issue, walk into a large electronics store or look online for connected devices and it quickly becomes evident that there are “smart” versions of every kind of device. It is common for these consumer-grade devices – a marketing term that really means inexpensive and poorly secured – to make their way onto corporate networks. During risk assessments, penetration tests, and the like, it is very common to find connected devices that are often forgotten about, like thermostats, coffee pots, and smart plugs that employees brought to work and set up without permission or checking for security readiness.
Unfortunately, this is not the only way these devices end up hiding on corporate networks. For example, most of the old closed-circuit TV systems used for video monitoring were supplanted by consumer-grade IP cameras that were not designed to be secure, only to be easy. This has been a growing security threat under the noses of network admins, and one of the first and most important remediation measures is to educate users on the dangers of these devices. Then, a simple network scan conducted by the security or networking team should identify unknown devices so they can be located and secured or disconnected before they cause the next big breach.
Businesses have been connecting printers to their computers, and eventually networks, for decades – ever since the advent of the dot-matrix printer. Since that first dot-matrix hit the market in the early ’80s, printers have become exponentially more complex with additional features and tools.
That brings us to the modern printer that is a full-fledged endpoint with as much computing power, storage, and ability to cause trouble as any PC of the last decade. These devices are designed to work out of the box with minimal “human” setup, which leads the majority of these devices to sit on enterprise networks in volume with default services, settings, and admin users and passwords.
The challenge with MFDs and printers stems from two specific issues that are almost ubiquitous across all enterprise verticals. First, printers are rarely considered an actual endpoint device and are even more rarely managed, inventoried, updated, or patched by IT or Infosec departments. Second, the printer fleet is often managed internally by operations or another department that has little understanding of how to secure these devices. In the worst case, the printer fleets are managed by the manufacturer; in that scenario, more often than not, there are many unnecessary devices that are rarely if ever used, let alone secured or patched.
To get a handle on the printers and MFDs in the enterprise, start by taking an inventory, as there are almost always devices discovered that were previously unknown. Moving forward, begin testing the configuration of those devices: Have they been configured securely (for example, are there default accounts and services running)? Have they been patched? Who can update them? Testing how these devices are configured helps to paint a clear picture of what these often overlooked endpoints are actually doing inside the network, an important step toward improving security posture.
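One way to carry out the two checks the article recommends, the network scan that surfaces unknown devices and the configuration review of printers and MFDs, is to reconcile scan results against the asset inventory and flag hosts that are either unlisted or still exposing services that ship enabled by default. This is an added example, not code from the original article; the inventory, addresses and scan lines are constructed, and the scan text mimics the layout of nmap's grepable (-oG) output.

```python
"""Reconcile a network scan with the asset inventory; flag unknown endpoints
and management services commonly left enabled by default. All data is constructed."""
import re

# Constructed inventory: IP -> (device type, owning team). Unlisted hosts are unknown.
INVENTORY = {
    "10.0.5.10": ("printer", "operations"),
    "10.0.5.20": ("server", "it"),
}
# Services that ship enabled on many printers/MFDs and smart devices; disable or restrict them.
DEFAULT_SERVICES = {"telnet", "ftp", "snmp"}

# Constructed scan output in nmap's grepable (-oG) layout: tab-separated
# fields, each port written as port/state/proto/owner/service/rpc/version/.
SCAN = """\
Host: 10.0.5.10 ()\tPorts: 161/open/udp//snmp///, 443/open/tcp//https///, 9100/open/tcp//jetdirect///\tIgnored State: closed (997)
Host: 10.0.5.12 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///, 9100/open/tcp//jetdirect///\tIgnored State: closed (997)
Host: 10.0.5.20 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)
Host: 10.0.5.33 ()\tPorts: 80/open/tcp//http///, 554/open/tcp//rtsp///\tIgnored State: closed (998)
"""
HOST_RE = re.compile(r"Host: (\S+) .*\tPorts: (.*?)\t")
PORT_RE = re.compile(r"(\d+)/open/\w+//([^/]*)/")

def parse_scan(text):
    """Return {ip: set(open service names)} for every host with open ports."""
    hosts = {}
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            hosts[m.group(1)] = {svc for _, svc in PORT_RE.findall(m.group(2))}
    return hosts

def guess_type(services):
    """Rough device class from exposed services, to triage unknown hosts."""
    if "jetdirect" in services or "ipp" in services:
        return "printer"
    if "rtsp" in services:
        return "ip-camera"
    return "unclassified"

def audit(scan_text, inventory=INVENTORY):
    """Return (ip, finding, detail) tuples for the two checks described above."""
    findings = []
    for ip, services in parse_scan(scan_text).items():
        if ip not in inventory:
            findings.append((ip, "not in inventory", guess_type(services)))
        exposed = sorted(services & DEFAULT_SERVICES)
        if exposed:  # applies to inventoried devices too, e.g. the known printer
            findings.append((ip, "default service exposed", ",".join(exposed)))
    return findings
```

Running `audit(SCAN)` on the constructed data reports the inventoried printer still answering SNMP, an unlisted printer with telnet enabled, and an unlisted camera-like host; each finding is a lead for the owner conversation the article describes.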