“Celebrity” vulnerabilities like BlueKeep attract the attention and resources of security teams, often hogging the spotlight, allowing other, less visible, but just as dangerous, weaknesses that could be exploited by bad actors to go unnoticed. IoT devices are a perfect case in point.
Last week, Infosecurity Magazine reported on the discovery of a series of new zero-day vulnerabilities, dubbed “Ripple20”, that puts hundreds of millions of IoT devices at risk. Found in power grids, data centers, small businesses, and Fortune 500 companies, the flaws could lead to data theft from printers, tampering with medical devices, or the forced malfunction of industrial control systems devices.
To protect their digital assets, organizations must act quickly to mitigate the risks posed to their IoT devices. Below are several measures to consider.
Achieve visibility into cyber risk across the digital ecosystem
To mitigate against the risk of Ripple20 and other vulnerabilities that can open the doors to a breach, organizations must have broad and continuous visibility into their expanding digital footprint.
Bitsight for Security Performance Management addresses this need by enabling organizations to gain additional context into everything that’s connecting to their network, including older or forgotten IoT devices. Through the Bitsight platform, organizations can continuously monitor for and identify gaps in cybersecurity controls — such as misconfigurations, vulnerabilities, and unpatched systems — in the cloud; on-premise; and across geographies, subsidiaries, and their remote workforce. With this visibility, security teams can quickly prioritize remediation and allocate resources more effectively.
These insights can also inform where network segmentation strategies should be deployed, allowing teams to isolate key networks based on their potential for risk. Segmentation is particularly effective at mitigating vulnerabilities like Ripple20 that take advantage of connected devices that have yet to be, or cannot be, patched.
Despite its effectiveness, segmentation can be quite an undertaking and organizations need to make informed decisions about when and where to implement it. As such, it’s critical that they have a good understanding of their organization’s overall cybersecurity risk posture.
Understand cyber risk in the supply chain
The JSOF research lab, which detected Ripple20, named it as such to reflect the widespread impact or “ripple effect” of the vulnerabilities as a natural consequence of the supply chain. "A single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies, and people," wrote the researchers.
Given the massive proliferation of Ripple20, it’s likely that most companies do business with affected vendors or partners — increasing the attack surface and exposing them to cyber risk from a potential attack on a connected IoT device within a nth party’s network. Perhaps the most famous example of such an incident was the 2013 Target breach. An opportunistic hacker exploited a vulnerability in the network of the retailer’s HVAC vendor to access network credentials and steal data from Target’s point-of-sale devices.
To combat the threat from their supply chain, organizations must incorporate cyber risk management across the life cycles of their partner relationships. This means defining thresholds for acceptable risk during the vendor onboarding process and using contracts to hold third parties accountable for their security performance. Importantly, they should also implement continuous third-party cyber risk monitoring practices that provide assurance their vendors are maintaining good security postures. These practices can flag vulnerabilities as they arise so that both parties can work collaboratively together to remediate risk.
Security teams must act quickly
Ripple20 may become the latest “celebrity” vulnerability, targeting the less visible aspects of the digital ecosystem of potentially millions of organizations — namely, IoT devices and their supply chain.
Attacks on IoT devices are no longer a theoretical “what if;” these devices have become low-hanging fruit for attackers. Indeed, studies show that 98% of all IoT device traffic is unencrypted and more than half of devices are vulnerable to medium- or high-severity attacks.
In order to maintain the desired security posture, organizations must have increased visibility and insight into all of the devices and endpoints that are connecting to both their own networks and those of their vendors. This context will allow teams to pinpoint where the greatest risk lies, identify changes over time, and make informed decisions about where to concentrate resources so that all of their security bases are covered.