VPN gateways, security appliances, and NAS boxes enter the top 20 riskiest enterprise devices

A new study analyzed 19 million real world enterprise devices for risk factors such as known vulnerabilities, open ports, legacy operating systems, endpoint protection, internet exposure and more across different industries and device use categories like IT, IoT, operational technology or industrial IoT and medical devices (IoMT).

According to security firm Forescout who ran the study on anonymized telemetry data from enterprise customers, compared to the list of top 20 riskiest devices from a year ago, seven new device types made the ranking this year due to vulnerabilities and exploits revealed since then, including VPN gateways, security appliances, network attached storage (NAS) boxes, out-of-band management (OOBM) platforms, engineering workstations, remote terminal units (RTUs) and blood glucose monitors.

Thirteen devices remained the same as in the previous list and include some expected entries: computers, servers and routers in the IT category, printers, IP cameras and VoIP systems in IoT, uninterruptible power supplies (UPSes), programmable logic controllers (PLCs) and building automation systems in industrial IoT, healthcare workstations, imaging devices, nuclear medicine systems, and patient monitors in IoMT.

Forescout established the risk score of a device by looking at three categories of factors:

• Configuration — the number and severity of vulnerabilities and open ports present on the device
• Function — the potential impact to an organization based on what the device is used for
• Behavior — internet exposure and the reputation of IP addresses connecting to the device or to which the device connects to

More than 4,000 device vulnerabilities tracked

Forescout tracked over 4,000 vulnerabilities present in the 19 million network devices it had data from. As expected, the majority of these (78%) impacted IT devices, the category that includes the most common type of devices on enterprise networks such as computers and servers. The IoT device category accounted for 16% of vulnerabilities, industrial devices for 6%, and medical devices for 2%.

However, not all vulnerabilities are equal and not all are easy to patch. For example, for IT devices only 20% of vulnerabilities were critical, whereas for OT and IoT devices half were critical, and 80% of medical devices had a critical severity score. Critical vulnerabilities usually allow for complete device takeover. Moreover, specialized embedded devices like those used in OT and the medical field are harder to patch than a computer running Windows. They’re also more likely to run specialized firmware instead of a general-purpose OS like Windows or Linux.

It’s not surprising then that healthcare was the industry with the largest number of high- and medium-risk devices and the only industry where the number of such devices increased compared with Forescout’s previous analysis in 2022. This was followed by retail, manufacturing, finance, and government. In fact, the government sector had the biggest reduction in the number of medium- and high-risk devices since last year — from 40% to 10%.

The fact that the US Cybersecurity and Infrastructure Security Agency (CISA) maintains a constantly updated list of vulnerabilities that are known to be exploited in the wild — currently over 900 — and which government agencies have deadlines to patch, might have played a role in reducing the number of risky devices on government networks.

Challenges of patching enterprise devices

Since embedded devices running special-purpose operating systems and firmware are generally harder to patch, it’s no surprise that healthcare and retail have the highest number of such devices while also being the sectors with the highest number of medium and high risk devices.

“The variety of special-purpose OSes (we observe more than 2,500 unique versions on Device Cloud) is a nightmare for security teams to keep track of and is one of the main reasons for the need for visibility into networked devices,” the Forescout researchers said. “Embedded firmware is also well known for presenting systematic security issues, such as backdoors, hardcoded credentials and keys, and memory corruption vulnerabilities.”

Just because a device is running Windows doesn’t mean it’s easy to patch. Many special-purpose devices across all industries run versions of Windows that are no longer supported such as Windows 8, 7, XP, and CE. Healthcare and retail lead the pack in the number of such devices on their networks again and the device categories with the largest percentage of devices running legacy Windows versions is OT with 63% and medical devices with 35%.

Open ports a risk for exploitation

Open communication ports are another factor that can increase risk, especially if we’re talking about legacy protocols such as Telnet or commonly exploited ones such as SSH, SMB or RDP.

“Healthcare leads in every protocol except for SMB,” the researchers said. “Almost 10% of devices in that vertical still have Telnet ports open, whereas it is only present in around 3% to 4% of devices in other verticals. SMB is most popular in financial services (29%), but other industries have a similar level of exposure (27%), except for manufacturing, which is much less exposed at 24%.”

Not all devices can run endpoint security agents like antivirus, but even on those that have such agents installed, they are sometimes disabled. The financial services and government sectors had the highest number of devices that had endpoint security agents installed and disabled — 24% each — followed by healthcare with 21%, manufacturing with 17%, and retail with 10%.

It’s probably not surprising then that devices in government were frequently seen triggering alerts for known indicators of compromise (IoCs) such as communication with known malicious IP addresses and domains. Devices in government networks triggered detection for 63% of the IoCs monitored by Forescout, compared to 19% in healthcare, and 8% in financial services. Devices in retail and manufacturing only triggered alerts for 5% of the IoCs.

While direct exposure to the internet does not necessarily mean a device will be compromised, it certainly increases the risk if that device also has known unpatched vulnerabilities or patches are not deployed in a timely manner. As expected, routers and other networking devices along with security appliances made up around half of the internet-exposed devices with 25% and 33% respectively. This is expected since these are generally perimeter devices that control or inspect the traffic in and out of corporate networks. Next on the list were IP cameras that accounted for another 23% of internet-exposed devices, NAS boxes with 7%, VoIP systems with 3%, and printers with 2%. Around 5% were other IoT devices and 2% were OT devices.

Correlating these numbers by industry also reveals some interesting trends. For example, the government, manufacturing, and retail verticals have an unusually large number of NAS boxes exposed to the internet, government and the financial services also have many printers exposed. Financial services also have a larger number of OT devices exposed compared to other verticals, as well as many security appliances, matched only by the healthcare sector.

Reducing risk of enterprise devices

According to Forescout, organizations should take specific actions to reduce risk:

• The prevalence of legacy Windows and critical vulnerabilities in OT and IoMT means that organizations need immediate action plans to upgrade, replace, or isolate these devices as much as possible.
• The often-disabled endpoint protection solutions in IT devices means that organizations must adopt automated device compliance verification and enforcement to ensure that non-compliant devices cannot connect to the network.
• Commonly found exposed devices such as IP cameras and dangerous open ports such as Telnet mean that organizations must improve network security efforts, including segmentation.

“Modern risk and exposure management must encompass devices in every category to reduce risk across the whole organization,” the Forescout researchers said. “Beyond risk assessment, risk mitigation should use automated controls that do not rely only on security agents. Likewise, they must apply to the whole enterprise instead of silos like the IT network, the OT network, or specific types of IoT devices.”