Risk management is a big part of running a business these days, especially in IT circles. Not only are threat actors always evolving and enhancing their attacks, but also the attack surface of organizations is constantly growing. The advent of IoT introduced literally millions if not billions of new devices for hackers to potentially exploit. Have you considered who really owns the risk associated with xIoT devices?
Imagine it’s 2014 and your router was compromised via the Heartbleed exploit. Would you try to recover damages from – the router manufacturer? The open source developers of the OpenSSL library? How would your company recover damages? If you sued, what would the financial burden to your enterprise be? How defocusing from your core business would it be? What’s the probability that damages could be recovered? Could you sufficiently pinpoint a successful exploit to a single vendor? I’m sure you can think of a thousand more questions like these.
While it’s easy to say the manufacturer is culpable for the risk, the reality is much different. It took an organization as large as the US government to successfully pursue a manufacturer for weak security. But there was no cash at the end of the rainbow, just 10 years of audits to ensure better security practices are being implemented.
Funnily, we don’t think that Microsoft owns the risk for our Windows systems. Businesses accept that desktops and servers are complicated systems and user behavior has a lot to do with the overall security of the devices. While xIoT devices are simpler systems, why would that absolve a business from its responsibility to secure these devices? Did you know that in July 2019 there were still nearly 100,000 devices on the internet that had not been patched against Heartbleed?
One of the difficulties with securing xIoT devices is that the systems are typically considered to be black boxes. How can a business hold its security team accountable when the software and tools internal to the devices are unknown? It’s widely accepted that security budgets are stretched thin, so adding the burden of deciphering opaque systems seems unjust. But, the threat vectors are real. Here are but a few examples of high-profile devices with serious security flaws:
- Implantable cardiac devices from St. Jude Medical
- TRENDnet Secure view IP cameras
- Owlet, Foscam, and other baby monitors
A popular buzzword in the security world today is “zero-trust”. But when it comes to xIoT devices, a better term might be “zero-awareness”. Let’s not mince words here – that’s not a good thing. Scarier still would be if your business fits in the “zero-awareness” category. How would you know? If you answer “no” to any of these questions . . .
- Does your risk management plan address xIoT devices?
- Can you identify all the xIoT devices on your corporate network?
- Do you know which xIoT devices on your network have security vulnerabilities?
- Are you aware of the underlying software and components that comprise these xIoT devices?
- Is there a well documented set of policies and procedures around updating these devices?
NetRise is here to pull the curtain back on the world of xIoT and start asking –better yet, answering – these difficult questions and challenges. How can a vulnerability and/or risk management program be considered complete if it virtually ignores these devices, which often outnumber traditional workstations and servers in an enterprise environment?
Addressing these challenges is not easy. It requires solutions that have simply not existed in the past, and a shift in the way we think about vulnerability management – but it is critical that organizations start now. Think about it – if you’re a threat actor, are you going to target the Windows operating system that is fully patched and has 5+ security agents running on it, or are you going after the internet-connected security camera that is running firmware that was built in 2010, which uses libraries and software components that were written in 2002?
Reach out to us today to see how NetRise’s solutions are securing the devices that have gone ignored for far too long, and how we can help extend your vulnerability management program to the xIoT.