VPN gateways, security appliances, and NAS boxes enter the top 20 riskiest enterprise devices


A new study analyzed 19 million real-world enterprise devices for risk factors such as known vulnerabilities, open ports, legacy operating systems, endpoint protection, Internet exposure and more, across various industries and device categories: IT, IoT, operational technology (OT) or industrial IoT, and medical devices (IoMT).

The security company Forescout conducted the study on anonymous telemetry data from enterprise customers. According to the company, compared to the list of the 20 most dangerous devices from a year ago, seven new types of devices made the ranking this year due to vulnerabilities and exploits that have since been revealed: VPN gateways, security devices, network attached storage (NAS) boxes, out-of-band management (OOBM) platforms, engineering workstations, remote terminal units (RTUs) and blood glucose monitors.

Thirteen device types remain from the previous list and include some expected entries: computers, servers and routers in the IT category; printers, IP cameras and VoIP systems in IoT; uninterruptible power supplies (UPS), programmable logic controllers (PLCs) and building automation systems in industrial IoT; and healthcare workstations, imaging devices, nuclear medicine systems and patient monitoring in IoMT.

Forescout determined a device’s risk score by looking at three categories of factors:

  • Configuration – The number and severity of vulnerabilities and open ports that exist on the device
  • Function – The potential impact on an organization based on what the device is used for
  • Behavior – Internet exposure and reputation of IP addresses that connect to the device or that the device connects to

More than 4,000 device vulnerabilities tracked

Forescout tracked over 4,000 vulnerabilities in the 19 million network devices it had data on. As expected, most (78%) affected IT devices, the category that includes the most common type of devices in corporate networks such as computers and servers. The IoT device category accounted for 16% of the vulnerabilities, industrial devices for 6%, and medical devices for 2%.

However, not all vulnerabilities are equal and not all are easy to fix. For example, for IT devices only 20% of vulnerabilities were critical, while for OT and IoT devices half were critical, and 80% of medical devices had a critical severity score. Critical vulnerabilities usually allow complete control of the device. Moreover, specialized embedded devices such as those used in OT and the medical field are more difficult to patch than a PC running Windows. They are also more likely to run specialized firmware instead of a general-purpose operating system like Windows or Linux.

It’s no surprise, then, that healthcare was the industry with the largest number of high- and medium-risk devices and the only industry where the number of such devices increased compared to Forescout’s previous analysis in 2022. It was followed by retail, manufacturing, finance, and government. In fact, the government sector had the largest decrease in the number of medium- and high-risk devices since last year, from 40% to 10%.

The fact that the US Cybersecurity and Infrastructure Security Agency (CISA) maintains a constantly updated list of vulnerabilities that are known to be exploited in the wild (currently over 900), and that government agencies have deadlines for fixing them, may have played a role in reducing the number of dangerous devices in government networks.

Challenges of patching enterprise devices

Since embedded devices running proprietary operating systems and firmware are generally more difficult to patch, it is not surprising that healthcare and retail have the highest number of such devices, while also being the sectors with the highest number of medium- and high-risk devices.
