For nearly every organization, the cyberattack threat landscape is made up of a mix of IT, Internet of Things (IoT), and operational technology (OT) like HVAC systems, offering plenty of “ways in” for cyber threat actors. Plus, the medical field has its own specialized set of IoT equipment, extending the targeting options for would-be bad guys even further.
To help organizations assess where danger might be lurking this modern, complex device landscape, Forescout Research–Vedere Labs examined nearly 19 million devices to determine which categories represent the greatest risk to organizations. The findings are based on the potential for misconfiguration, the number of vulnerabilities found, exposure to the Internet, and the potential impact to an organization in the case of compromise.
Baseline data points include the fact that IT devices still account for most vulnerabilities (58%), but that the category is down from 78% in 2023. IoT vulnerabilities, however, were up a whopping 136%, increasing the percentage of known bugs from 14% last year to 33% today.
Overall, the most vulnerable device types are: wireless access points (WAPs), routers, printers, voice-over-IP (VoIP) devices, and IP cameras. The most-exposed unmanaged gear includes VoIP devices, networking infrastructure, and printers.
Meanwhile, the top three riskiest verticals are: technology, education, and manufacturing. Healthcare had the biggest decline in risky devices for 2024, but the most-problematic devices in the Internet of Medical Things (IoMT) are all new entries for this year, indicating that this is a swiftly changing landscape.
Overall, it’s important to take a holistic view when risk-assessing one’s environment, according to Forescout.
“It is not enough to focus defenses on risky devices in a single category since attackers can leverage devices of different categories to carry out attacks,” according to Forescout’s report, out today, which includes a proof-of-concept attack dubbed “R4IoT” that starts with an IP camera, moves to a workstation (IT), and disables programmable logic controllers (PLCs).
“Modern risk and exposure management must encompass devices in every category to identify, prioritize and reduce risk across the whole organization,” according to the firm. “Solutions that work only for specific devices cannot effectively reduce risk because they are blind to other parts of the network being leveraged for an attack.”
Here’s a breakdown of 2024’s most-risky connected devices:
IT Devices
IT endpoints have traditionally been the category most targeted by cyberattackers for initial access, but since the beginning of 2023, network infrastructure devices have outpaced endpoints in terms of riskiness, according to Forcepoint — largely due to increase in the number of vulnerabilities found and exploited in this category.
-
Thus, routers and wireless access points top the list of riskiest IT devices, followed by servers and computers, then hypervisors.
The hypervisors that host virtual machines (VMs) have become a favorite target for ransomware gangs since 2022 because they allow attackers to encrypt several VMs at once. Also, they’re typically unmanaged and do not support traditional endpoint protection agents.
The Internet of Things (IoT)
The list of the riskiest IoT devices includes one new entry: network video recorders (NVRs).
“NVRs sit alongside IP cameras on a network to store their recorded video,” according to the report. “Just like IP cameras, they are commonly found online and have significant vulnerabilities that have been exploited by cybercriminal botnets and advanced persistent threats (APTs).”
-
The “riskiest” list is rounded out with some usual suspects, with the top five being: network-attached storage (NAS), VoIP, IP cameras, printers, and NVRs.
NAS devices have been a growing target for ransomware actors thanks to a series of bugs and the valuable data they store; VoIP and IP cameras are commonly exposed on the Internet without proper defenses like strong passwords. But Forescout pointed out that printers are less well-known as conduits for cyber threats — a potentially catastrophic oversight.
“Printers include multifunctional printing and copying devices used in the connected office,” researchers explained in the report. “They also include specialized devices for printing receipts, labels, tickets, wristbands and other uses. Printers are also often connected to sensitive devices, such as point of sales systems and conventional workstations with privileged users.”
Operational Technology
With the Cybersecurity and Infrastructure Security Agency (CISA) issuing regular alerts regarding the rising tide of threats like Volt Typhoon to the OT footprint in the US, this is one area that organizations should prioritize for defense improvements, Forescout researchers noted.
-
The riskiest devices in this sector are: uninterruptible power sources (UPS), distributed control systems (DCS), PLCs, robotics, and building management systems.
The issues are myriad. For instance, UPSes, which are involved in power monitoring and data center power management, are often left with default credentials in place. Plus, the consequences of an attack could include power loss in a critical location or tampering with voltage to damage sensitive equipment.
Meanwhile, the PLCs and DCSes responsible for controlling industrial processes are “critical and insecure-by-design … often allowing attackers to interact with them and even reconfigure them without the need for authentication,” according to the report.
Robots have become ubiquitous in electronics and automotive manufacturing, and they’re on the rise for logistics and in the military. Still, they suffer from outdated software, default credentials, and lax security postures.
“Attacks on robots range from production sabotage to physical damage and human safety,” the researchers warned.
And last but not least, building automation and management systems, including things like smart lighting, HVAC, elevator operations, surveillance, door locks, and more, present a big risk to companies. Forescout warned that attacks could “render controllers unusable, recruit vulnerable physical access control devices for botnets, or leverage management workstations for initial access … they are often found exposed online even in critical locations.”
Internet of Medical Things (IoMT)
Forescout’s IoMT device breakdown contains all new devices this year, and includes a mix of IT equipment and dedicated embedded devices, all of which could pose enormous risk to patient safety and personal health information (PHI).
-
The riskiest IoMT devices include: medical information systems, electrocardiograph machines, DICOM workstations, picture archiving and communication systems (PACS), and medication-dispensing systems.
Medical information systems store and manage clinical data; they also connect to electronic health records and billing information. In addition to the criticality of the data, thousands of these systems are exposed online, according to the researchers.
Meanwhile, “electrocardiographs are risky because of their fundamental role and large impact in acute patient care. A peer-reviewed study showed that data breach remediation efforts in hospitals led to a 2.7 minute delay in performing ECGs, thus increasing patient mortality by 0.36%.” They’re the third most-vulnerable IoMT device in the dataset, after medication-dispensing systems and infusion pumps.
Furthermore, DICOM workstations and PACS used in medical imaging tend to run legacy vulnerable IT operating systems, have extensive network connectivity to allow for sharing imaging files, and are often unencrypted, “which could allow attackers to obtain or tamper with medical images, including to spread malware,” according to the report.
And finally, medication-dispensing systems are the second most-exposed IoMT device type in the dataset, the researchers warned, and their disruption can affect patient care.
Source: www.darkreading.com