A ground-shaking shift is underway within businesses, as the number of non-traditional endpoints connecting to corporate networks (generally referred to as the Internet of Things) seeks to challenge, if not overtake, the number of traditional endpoints, like laptops and desktops.
Who can even keep count anymore, as the explosion of connected devices continues to soar to epic levels? Their prevalence has already surpassed the population of the world, largely thanks to the consumer segment.
Businesses are doing their part as well. The ongoing infusion of smart and embedded devices into the workplace is troubling for organizations for many reasons, chief among them that a largely camouflaged attack surface is growing bigger by the day and being littered with an abundance of seemingly benign and often unknown devices that can't be outfitted with something like endpoint detection and response (EDR).
But most EDR products only support standard operating systems, such as Windows, Mac OS X and sometimes Linux. This limits their use for IoT devices. In addition, the software agents that need to be installed on endpoints have a relatively high processing overhead, meaning small devices may not be able to run them. (This is a problem that our PCI forensic investigators frequently encounter when they examine POS terminals).
Of course, this doesn't dismiss the fact that these lesser-considered endpoints - from printers and fax machines to routers (which we recently wrote about) and IP cameras to various sensors and medical devices - require protection, as these objects represent soft targets for attackers looking for a convenient way to latch onto a corporate network.
What makes them so susceptible to attack? Many embedded systems use older versions of Windows, operate with default configurations (such as weak passwords) that are vulnerable, or just run flawed software.
Safeguarding all your internet-enabled endpoints has become one of security teams' most critical missions - and spending projections are reflecting that - but covering them all should be less about an individual device and much more about defense in depth. Here are a few steps you can take:
Discover Devices and Look for Holes
Visibility is paramount. Before you can defend, you need to know what needs protecting (and whether it needs to come off the network). Non-traditional endpoints are notorious for hiding on the network. You must regularly scan and identify/inventory what is connected. Once you know what you've got, internal scanning and penetration testing will help detect vulnerabilities, misconfigurations and other weaknesses that could give rise to attacks.
Supervise traffic and activity to decipher if the endpoints are up to no good. Perhaps they have been compromised by an attacker to gain a foothold into your environment or they have been hacked with the intention of being entered into that will be used to wage some sort of cybercrime. Whatever the reason, you'll want to continually analyze and detect. In addition, threat hunting can search for advanced persistent threats that may have already crept into the network via vulnerable IoT devices.
Do the Little Stuff Well
- Research and vet IoT vendors before making new purchases.
- Once you have identified or installed IoT devices, change the default passwords to unique, complex passwords to reduce risk of compromise.
- Firewalls can be configured to stop incoming and outgoing traffic to these assets.
- Institute policies stating that if unauthorized or rogue devices are discovered on the network, they will be inspected for security or removed.
- Implement an agile methodology for quickly patching vulnerabilities.
- Restrict partner access to your network, where practical, to minimize the potential for IoT threats from entering.
Bring in the Experts
The rise of endpoints won't be quitting, so you'll be dealing with this issue for a long time to come. It's a big and important job, so if you lack the internal skills and resources to do it as well as you'd like, you can turn to an external provider for help. For example, they may be able to help analyze and correlate events from a broad array of devices with the goal of monitoring threat activity 24x7 and producing real-time intelligence. This will help you catch a breach earlier, reducing dwell time and the damage that attackers can do.