Don’t Let Outdated Connected Devices Open the Door to Ransomware
As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories—Chris Westphal, the Cybersecurity Evangelist and Head of Product Marketing at Ordr, explains the risks involved in outdated connected devices and how to avoid or resolve them.
The number of devices connecting to your network—personal devices, IT devices, IoT, and OT devices such as video surveillance cameras, HVAC systems, manufacturing equipment, and more—has increased steadily in recent years, and there are no signs that device proliferation will slow down any time soon. Every new device class adds to an organization's attack surface, making it harder to retain control and maintain security.
Unsecured, unprotected, and outdated connected devices in your organization's network can create a security nightmare. They can easily open a door for threat actors to break into your network and access critical information. If the worst case happens, proper device visibility and management are crucial for identifying the compromised devices and segmenting infected ones to stop lateral movement.
For example, in the case of healthcare facilities, the need for strong visibility and control takes on an added level of urgency, as security teams need to ensure critical patient care isn’t affected during an attack. The same can be said for other industries, such as manufacturing, where operator safety can be a concern during a security breach. Organizations need to improve their visibility and control of what’s on their network to solve the problem.
Connected Devices are Insecure
The devices themselves are often the most significant security risk. About 42 percent of devices are IoT, IoMT, OT, or other agentless devices that were not designed with security in mind. Security has been an afterthought for most of these devices, and little to no consideration has been given to updating them over time. In addition, these devices remain in operation for years. Think of hospital beds, X-ray machines, or welding assemblies—this is not the kind of equipment that gets replaced on a typical laptop or mobile phone refresh schedule.
Another issue with these connected devices is that they cannot run traditional endpoint security agents, which makes them an ideal initial access vector for an attacker. Cyber-criminals can use a connected device to get into an environment and then move laterally from that device to other parts of the network. One of the first high-profile cases is still the best example: attackers used an HVAC system as their way into a multinational retailer's network.
Necessary Context
During an incident, to get from “detection to response,” you need to know the exact device that is compromised, where it’s located (the physical and network location), what it’s doing in the network, and what actions are possible (i.e., what is it able to connect to). That’s why visibility is critical to identifying, stopping, and preventing ransomware spread.
Every network has a mix of managed (laptops, servers, etc.) and unmanaged connected devices (mobile phones, IoT devices, sensors, etc.). Without insight into the whole picture, it is impossible to move from detection of a problem to a response. Those without visibility are stuck spending a great deal of time and effort identifying every possibility, or they’re left missing potential sources and infection points.
A comprehensive asset inventory is needed for security teams to do their jobs correctly.
Defining the Normal
Once you’ve developed a complete view of your assets and have them as up-to-date as possible with current versions, patches, settings, and protections, you should create a “normal” behavior baseline. Devices have specific functions, which means their behavior and communication patterns are narrow and largely predictable: a given device talks to a small, stable set of destinations, ports, and protocols. This baseline lets you identify and measure strange behavior in the future, such as a connected hospital bed that suddenly starts communicating with an address in Russia. The baseline is also essential insight and the foundation for creating zero-trust policies, because the set of flows a device legitimately needs is exactly what a segmentation policy should allow.
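The baselining idea above, as an added example that is not part of the original column and not Ordr's code: a small Python script that learns each device's normal set of (destination, port, protocol) tuples from a window of flow records and then flags flows outside that set, treating an external destination as higher severity than a new internal one. The device names, addresses, flow records, and corporate address range are constructed assumptions for illustration.

```python
"""Per-device communication baseline and deviation check.

Added example, not code from the column or from Ordr. The flow records
below are constructed sample data; device names, addresses, the internal
range, and the severity rules are illustrative assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed learning window: (device, dst_ip, dst_port, proto)
BASELINE_FLOWS = [
    ("hospital-bed-12", "10.20.0.5", 443, "tcp"),   # bed -> clinical gateway
    ("hospital-bed-12", "10.20.0.9", 123, "udp"),   # bed -> NTP
    ("hospital-bed-12", "10.20.0.5", 443, "tcp"),   # repeats collapse into the set
    ("cctv-lobby-3", "10.30.0.2", 554, "tcp"),      # camera -> NVR (RTSP)
    ("cctv-lobby-3", "10.20.0.9", 123, "udp"),      # camera -> NTP
]

# Constructed observation window to evaluate against the baseline.
NEW_FLOWS = [
    ("hospital-bed-12", "10.20.0.5", 443, "tcp"),     # normal
    ("hospital-bed-12", "203.0.113.77", 443, "tcp"),  # unexpected external destination
    ("cctv-lobby-3", "10.30.0.2", 554, "tcp"),        # normal
    ("cctv-lobby-3", "10.20.0.5", 22, "tcp"),         # camera now SSHing to the gateway
]

INTERNAL = [ip_network("10.0.0.0/8")]  # assumed corporate address space


def build_baseline(flows):
    """Map each device to the set of (dst_ip, dst_port, proto) it normally uses."""
    baseline = defaultdict(set)
    for device, dst, port, proto in flows:
        baseline[device].add((dst, port, proto))
    return dict(baseline)


def is_internal(ip):
    """True if the address falls inside the assumed corporate ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def find_deviations(baseline, flows):
    """Return flows not covered by the device's baseline, tagged by severity.

    A device with no baseline at all, or a flow to an external destination,
    is 'high'; a new internal destination/port is 'medium' and worth a look.
    Each finding is (device, dst, port, proto, severity, reason).
    """
    findings = []
    for device, dst, port, proto in flows:
        known = baseline.get(device)
        if known is None:
            findings.append((device, dst, port, proto, "high", "device not in baseline"))
        elif (dst, port, proto) not in known:
            if not is_internal(dst):
                sev, why = "high", "new external destination"
            else:
                sev, why = "medium", "new internal destination/port"
            findings.append((device, dst, port, proto, sev, why))
    return findings


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for finding in find_deviations(base, NEW_FLOWS):
        print(finding)
```

In practice the learning window must be long enough to cover periodic traffic (nightly backups, monthly firmware check-ins) or those legitimate flows will surface as deviations; the example keeps a single window for brevity.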
Common Issues and Actions
Once you have a complete inventory of what’s on your network, your efforts need to shift toward taking action. To be better prepared to ward off attacks, teams need to identify devices with outdated operating systems, for example. Many connected devices with long life cycles were not created to be updated past a specific operating system. This limitation becomes a problem when these devices can connect to the internet but cannot receive the latest security protections and updates.
Next, devices with default passwords, weak passwords, or expired certificates should be identified and updated. Then teams can move on to the more intensive actions, such as determining which devices may be susceptible to specific vulnerabilities and threats, such as Log4Shell (CVE-2021-44228) in Log4j.
For devices at risk, including those that cannot be updated or patched, the next step is proactive segmentation. Zero trust segmentation policies allow these devices the access they need to perform business-critical functions while limiting their exposure and the exposure of the entire organization. That way, an attacker's ability to move from an infected welding robot to other parts of the network is minimal, and any attempt can be identified and stopped quickly.
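The triage-then-segment procedure in the three paragraphs above, as an added example that is not part of the original column and not Ordr's product code: a Python script that walks an asset inventory, flags end-of-support operating systems, default credentials and expired certificates, and then emits a default-deny allow-list policy for each flagged device built from the flows it is known to require. The inventory, end-of-support dates, certificate dates, required flows, and the neutral rule format are constructed assumptions; a real deployment would pull these from the discovery platform and render rules in the firewall or NAC vendor's syntax.

```python
"""Inventory triage and allow-list segmentation for at-risk devices.

Added example, not code from the column or from Ordr. The inventory, the
end-of-support table, certificate dates and required flows are constructed
assumptions; the rule tuples are a vendor-neutral placeholder format.
"""
from datetime import date

TODAY = date(2022, 6, 1)  # fixed reference date so results are reproducible

# Assumed end-of-support dates (illustrative, not an authoritative EOL table).
EOL = {
    "windows-7": date(2020, 1, 14),
    "windows-xp": date(2014, 4, 8),
}

# Constructed inventory. 'required' lists the (dst, port, proto) flows the
# device must keep for its business function; everything else gets denied.
INVENTORY = [
    {"name": "xray-2", "os": "windows-7", "default_creds": False,
     "cert_expiry": date(2023, 1, 1), "patchable": False,
     "required": [("10.20.0.5", 443, "tcp")]},
    {"name": "cctv-lobby-3", "os": "linux-embedded", "default_creds": True,
     "cert_expiry": date(2021, 3, 1), "patchable": True,
     "required": [("10.30.0.2", 554, "tcp"), ("10.20.0.9", 123, "udp")]},
    {"name": "laptop-a", "os": "windows-10", "default_creds": False,
     "cert_expiry": date(2023, 9, 1), "patchable": True,
     "required": []},
]


def triage(device, today=TODAY):
    """Return the issues found on one device, cheapest fix first."""
    issues = []
    eol = EOL.get(device["os"])
    if eol and eol < today:
        issues.append("outdated OS (end of support %s)" % eol.isoformat())
    if device["default_creds"]:
        issues.append("default credentials")
    if device["cert_expiry"] < today:
        issues.append("expired certificate (%s)" % device["cert_expiry"].isoformat())
    return issues


def segmentation_policy(device):
    """Build an allow-list: required flows only, then deny everything else.

    Rules are (action, src, dst, port, proto) tuples evaluated in order.
    """
    rules = [("allow", device["name"], dst, port, proto)
             for dst, port, proto in device["required"]]
    rules.append(("deny", device["name"], "any", "any", "any"))
    return rules


def plan(inventory, today=TODAY):
    """Map device name -> (issues, rules) for every device with findings.

    Devices that cannot be patched get an extra note so the policy is treated
    as the compensating control rather than an interim measure.
    """
    out = {}
    for dev in inventory:
        issues = triage(dev, today)
        if not issues:
            continue
        if not dev["patchable"]:
            issues.append("cannot be patched: segment as compensating control")
        out[dev["name"]] = (issues, segmentation_policy(dev))
    return out


if __name__ == "__main__":
    for name, (issues, rules) in plan(INVENTORY).items():
        print(name, issues)
        for rule in rules:
            print("   ", rule)
```

The required-flow list is the same information a behavior baseline produces, which is why the column calls the baseline the foundation for zero-trust policy: if a device's allow-list is derived from observed traffic, confirm each flow with the device owner before enforcing, since a baseline captured after compromise would whitelist the attacker's traffic too.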