CyberSecurity SEE

VPN gateways, security appliances, and NAS boxes ranked among the top 20 riskiest enterprise devices

A recent study conducted by security firm Forescout analyzed 19 million enterprise devices to identify potential risk factors. The study examined various criteria including known vulnerabilities, open ports, legacy operating systems, endpoint protection, and internet exposure across different industries and device categories such as IT, IoT, operational technology, industrial IoT, and medical devices (IoMT).

Compared to the previous year’s list, the study found that seven new device types had made the ranking due to vulnerabilities and exploits that were revealed since then. These newly identified riskier devices included VPN gateways, security appliances, network attached storage (NAS) boxes, out-of-band management (OOBM) platforms, engineering workstations, remote terminal units (RTUs), and blood glucose monitors.

The other thirteen device types carried over from the previous list. They include expected entries such as computers, servers, and routers in the IT category; printers, IP cameras, and VoIP systems in IoT; uninterruptible power supplies (UPSes), programmable logic controllers (PLCs), and building automation systems in industrial IoT; and healthcare workstations, imaging devices, nuclear medicine systems, and patient monitors in IoMT.

To establish the risk score of a device, Forescout considered three categories of factors: configuration, function, and behavior. Configuration factors included the number and severity of vulnerabilities and open ports on the device. Function factors considered the potential impact on an organization based on the device’s purpose. Behavior factors focused on internet exposure and the reputation of the IP addresses that connect to the device or that the device connects to.

The study also revealed that Forescout tracked over 4,000 vulnerabilities across the 19 million network devices analyzed. The majority of these vulnerabilities (78%) affected IT devices, which are the most common type of devices found in enterprise networks. IoT devices accounted for 16% of vulnerabilities, industrial devices for 6%, and medical devices for 2%.

However, not all vulnerabilities are created equal, and some are more difficult to patch than others. For example, only 20% of vulnerabilities in IT devices were classified as critical, while half of the vulnerabilities in OT and IoT devices were critical. An even more concerning statistic was that 80% of medical devices had a critical severity score. Critical vulnerabilities often allow for complete device takeover, making them a significant risk to organizations.

Furthermore, the study found that healthcare had the highest number of high- and medium-risk devices among all industries. In fact, it was the only industry where the number of such devices increased compared to the previous year. This was followed by the retail, manufacturing, finance, and government sectors. Interestingly, the government sector saw a significant reduction in the number of medium- and high-risk devices since last year, decreasing from 40% to 10%.

One possible explanation for the reduced number of risky devices in government networks is the proactive approach taken by the US Cybersecurity and Infrastructure Security Agency (CISA). The agency maintains a constantly updated list of vulnerabilities known to be exploited in the wild, with government agencies having deadlines to patch these vulnerabilities. It is likely that this initiative played a crucial role in mitigating risks on government networks.

The study also highlighted the challenges of patching enterprise devices, especially those running specialized firmware or operating systems. Healthcare and retail industries, which have a higher number of such devices, also exhibited a higher number of medium- and high-risk devices. These findings emphasize the need for organizations to implement robust patch management processes, particularly for devices that are difficult to patch due to their specialized nature.

Overall, the study conducted by Forescout offers valuable insights into the risk landscape of enterprise devices across different industries. It highlights the importance of prioritizing and addressing vulnerabilities, especially in sectors like healthcare and retail, where a significant number of high-risk devices are present. By proactively managing vulnerabilities and implementing effective patch management practices, organizations can enhance their overall security posture and safeguard against potential threats.