‘Rise of the Machines’ report fingers disturbing number of ‘agentless’ devices

The annual report on the state of connected devices, from California-based virtual security company Ordr, highlights the risks of vulnerable connected devices at a time when new ransomware attacks are increasingly rapidly.

In its 2021 report, 'Rise of the Machines 2021: State of Connected devices - IT, IoT, IoMT and OT', Ordr addresses pandemic-related cyber-security challenges, including the growth of connected devices and the related increase of security risks from these devices as threat actors have taken advantage of unintended opportunities to launch attacks.

The research incorporates security risk and trend analysis of anonymised data for 12 months (June 2020 to June 2021) across more than 500 of the company's deployments in the healthcare, life sciences, retail and manufacturing verticals.

According to the report, 42 per cent of connected devices were 'agentless' or 'un-agentable' devices. This was up from 32 per cent of such devices in 2020. These devices include medical and manufacturing devices that are critical to business operations, along with network devices; IP phones; networked printers; video surveillance cameras and facility devices (such as badge readers) that are not designed with security in mind, cannot be patched, and cannot support endpoint security agents.

With almost half of devices in the network either agentless or un-agentable, this potentially represents a gaping hole in an organisation's security. In this situation, endpoint security strategy should ideally be complemented with a network-based security approach to discover and secure these devices.

Ordr also discovered that popular consumer 'devices' are often connected to the enterprise network, including Peloton exercise bikes, which grew rapidly in popularity over the year and have been deployed in enterprise gyms, hospitality verticals, and healthcare organisations. Many of these exercise devices are deployed without security monitoring or segmentation, despite recent proven leaky API issues.

Other consumer devices identified include Sonos smart speakers; gaming machines; Alexas (e.g. used in healthcare organisations to control patient room amenities and as nurse call buttons), and Teslas (e.g. employees connecting to the network from the company car park). While the usage of unsanctioned shadow IoT devices was highlighted in Ordr's 2020 report, the number of personal devices has doubled over the past year, exponentially increasing the threat landscape and delivering a wealth of data for threat actors to use to profile targets.

Devices running outdated operating systems are also a persistent challenge. 19 per cent of deployments were found to be running Windows 7 and older, while almost 34 per cent had devices running on Windows 8 and Windows 10, which are expected to reach end-of-life in 2023 and 2025 respectively. In healthcare specifically, 15 per cent of medical devices and 32 per cent of medical imaging devices were identified as running on outdated operating systems. This is primarily because expensive medical devices typically remain in use for many years and cannot easily be replaced. Segmentation is the only way to ensure security of these devices, the report suggests, to keep them in operation and avoid the costs of replacing devices early.

Greg Murphy, CEO, Ordr, said: "Once again, we found an astonishing and worrisome number of vulnerabilities and risks in connected devices, which is a crucial reminder that organisations must have comprehensive visibility as well as security for everything connecting to their networks. As the number of connected devices climbs, the number and sophistication of attacks targeting them will grow.”

The report also found that 46 per cent of all connected devices are vulnerable to medium and high severity attacks. Top attacks included external communications to malicious URLs, such as Darkside and Conti ransomware sites, followed by attacks due to vulnerable operating systems, and finally lateral movement such as exploits and active threats/tools such as Cobalt Strike or Eternal Blue.

55 per cent of deployments also have devices with orphaned user access, e.g. when an employee has left a company. Devices with orphan accounts retain the same access rights as when they were associated with an active user. These orphaned user accounts provide a gateway to privilege escalation and lateral movement. Local users created on devices for ease of access similarly impacts cyber security and physical security.

The report also includes Ordr's suggestions about the steps organisations could take to implement 'Zero Trust' for all connected devices that exist on its network.

Earlier this year, the head of GCHQ warned that the UK is facing a ‘moment of reckoning’ surrounding its cyber security because of the rising technology threat from countries such as Russia and China.

Last month, the UK government and its allies - including the US - accused the Chinese government of being responsible for orchestrating the Microsoft Exchange hack in an act of “systematic cyber sabotage” which affected a quarter of a million servers around the world.

In April, the UK government unveiled the details of its proposed laws to improve the security of “virtually all” smart devices, including banning easy-to-guess default passwords and forcing manufacturers to confirm when their devices stop receiving security updates.

In May, Ireland’s health service (HSE) was hit by a “very significant” ransomware attack, forcing it to shut down its IT systems, causing some disruption. The attack struck the Irish health service’s national and local systems.

Sign up to the E&T News e-mail to get great stories like this delivered to your inbox every day.

Recent articles