They are our laptops, tablets and smartphones. But they can also be a printer or a camera – or even a refrigerator or thermostat.
They are all devices which, coupled with an IP address, become endpoints. In the modern world they are ubiquitous and increasingly interconnected, especially as the pandemic continues to blur the line between work and home. Bringing all of these endpoints together has only expanded the enterprise's attack surface, posing new challenges to security teams, which often are not patching or vulnerability-scanning remote laptops, much less the phones, tablets, printers and household appliances that now sit on the same home networks as those company-connected devices.
Four of five global office employees have worked from home since the start of the pandemic, in fact, and three-quarters say their personal and professional lives blur, according to research from HP. One-half feel that their corporate laptop also serves as a personal device, with many even letting someone other than themselves – such as a child or friend – use it. Seven of ten are accessing more company data more frequently during this time.
Not surprisingly, chief information security officers (CISOs) and their teams are dealing with the fallout. The research reveals that at least one-half of organizations are seeing compromised personal devices being used to access company and customer data, employees working on unpatched machines, an increase in browser-related infections, and a rise in phishing-caused infections.
In addition, security leaders and their teams are struggling with a large number of vulnerabilities in internet of things (IoT) and operational technology (OT) machines and systems: IoT devices – interconnected objects used for a vast range of functions both at work and home – account for one-third of infected devices, which is double the amount from 2019. There were 56.9 million IoT malware attacks in 2020, up from 34.3 million in 2019.
OT is needed to run energy grids, fuel lines, supply chains, factories, hospitals and telecommunications networks. Because these systems are sensitive to disruption, they bring their own risks: an active vulnerability scan or a malformed probe can stall or crash a controller that was never designed to handle unexpected traffic, so security teams cannot simply point the traditional scanning tools at them and must instead rely on passive monitoring and vendor guidance to learn where the vulnerabilities are.
It is important to note here that disclosed vulnerabilities in TCP/IP stacks, the underlying communications components used in millions of IoT, OT, IT and industrial control system (ICS) devices, are further raising risk concerns. These stacks are embedded in device firmware, often as third-party components the device vendor does not maintain, and are rarely patchable in practice, so a major vulnerability can expose the device itself, the network it sits on and the wider enterprise in which it is deployed.
Adding to the complexities is the ever-growing list of federal, state and international regulations such as the General Data Protection Regulation (GDPR). The resulting compliance requirements create yet another onerous burden for CISOs and their teams to attempt to tackle.
How do you, as a CISO or security team leader, approach the safeguarding of endpoints when they all bring different attributes, compliance requirements and potential issues? Start by incorporating the following essential practices and capabilities into your security program:
Raise visibility and awareness. You need to be able to see and "know" everything on the network, so that you can answer questions such as "What type of device is it: a laptop, a phone or a printer? Where is it? Can it be patched?" With that clarity, you can query and analyze endpoints to determine whether vulnerabilities exist and whether the device's activity complies with corporate policy and government regulation. Round-the-clock, real-time visibility lets security teams classify connected devices across heterogeneous types and network tiers, which in turn gives asset management and risk prioritization the context they need: an unpatchable printer on the same segment as finance laptops is a different problem from the same printer confined to its own VLAN.
Enforce segmentation. Implement segmentation rules so that anything which cannot be patched or upgraded is isolated from the general network. Such devices should communicate solely with what they require in order to function, with every other connection to or from them denied by default, so that the damage a compromised device can do is significantly limited.
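The two practices above, inventory first and segmentation driven by it, can be tied together in code. The following is an added example, not code from the original article or from any product it mentions: it keeps a small asset inventory with a patchability verdict per device, evaluates constructed flow records against a per-device allowlist (an unpatchable device may only initiate the connections it needs, and nothing may initiate toward it), and renders the same policy as nftables forward-chain rules. All device names, RFC 1918 addresses, ports and flow records are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# (destination address, protocol, destination port) a device needs to function
Endpoint = Tuple[str, str, int]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Asset:
    name: str
    kind: str            # laptop, printer, plc, camera, ...
    addr: str
    patchable: bool
    required: Set[Endpoint] = field(default_factory=set)


# Constructed inventory (hypothetical names and addresses): what the discovery and
# classification step yields, including whether each device can be patched.
INVENTORY: List[Asset] = [
    Asset("eng-laptop-07", "laptop", "10.10.1.7", patchable=True),
    Asset("lobby-printer", "printer", "10.10.5.20", patchable=False,
          required={("10.10.0.53", "udp", 53), ("10.10.0.9", "tcp", 631)}),
    Asset("line2-plc", "plc", "10.20.0.15", patchable=False,
          required={("10.20.0.2", "tcp", 502)}),
]


def asset_by_addr(inventory: List[Asset], addr: str) -> Optional[Asset]:
    """Look up the inventory record for an address; None if the address is unknown."""
    return next((a for a in inventory if a.addr == addr), None)


def is_allowed(asset: Asset, flow: Flow) -> bool:
    """Segmentation verdict for a flow that involves `asset`.

    Patchable devices fall under the general policy (scan, patch, monitor), so this
    check accepts their flows. An unpatchable device may only initiate the
    connections in its `required` set; any other flow to or from it is denied,
    including connections initiated toward it from elsewhere on the network.
    """
    if asset.patchable:
        return True
    if flow.src == asset.addr:
        return (flow.dst, flow.proto, flow.dport) in asset.required
    return False


def audit(inventory: List[Asset], flows: List[Flow]) -> List[Tuple[str, Flow]]:
    """Return (asset name, flow) for every flow that violates an asset's allowlist."""
    violations = []
    for flow in flows:
        for addr in (flow.src, flow.dst):
            asset = asset_by_addr(inventory, addr)
            if asset is not None and not is_allowed(asset, flow):
                violations.append((asset.name, flow))
    return violations


def nft_rules(asset: Asset) -> List[str]:
    """Render one unpatchable device's allowlist as nftables rules (first match wins):
    replies to its own accepted connections, its required egress, then drop the rest."""
    if asset.patchable:
        return []
    rules = [f"ip daddr {asset.addr} ct state established,related accept"]
    for dst, proto, dport in sorted(asset.required):
        rules.append(f"ip saddr {asset.addr} ip daddr {dst} {proto} dport {dport} accept")
    rules.append(f"ip saddr {asset.addr} drop")
    rules.append(f"ip daddr {asset.addr} drop")
    return rules


def nft_ruleset(inventory: List[Asset]) -> str:
    """Wrap the per-device rules in a forward chain for a router between segments."""
    lines = ["table inet segmentation {", "  chain forward {",
             "    type filter hook forward priority 0; policy accept;"]
    for asset in inventory:
        lines += [f"    {rule}" for rule in nft_rules(asset)]
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed flow records in the shape of NetFlow or Zeek conn.log summaries.
FLOWS = [
    Flow("10.10.5.20", "10.10.0.53", "udp", 53),   # printer resolving a name: required
    Flow("10.10.5.20", "10.10.1.7", "tcp", 445),   # printer opening SMB to a laptop: lateral movement
    Flow("10.20.0.15", "10.20.0.2", "tcp", 502),   # PLC talking Modbus to its HMI: required
    Flow("10.10.1.7", "10.20.0.15", "tcp", 502),   # laptop reaching the PLC directly: not allowed
    Flow("10.10.1.7", "10.10.0.53", "udp", 53),    # laptop DNS: patchable, general policy applies
]

if __name__ == "__main__":
    for name, flow in audit(INVENTORY, FLOWS):
        print(f"VIOLATION {name}: {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
    print(nft_ruleset(INVENTORY))
```

The audit and the rule generator read the same `required` sets, so the allowlist that is enforced at the segment boundary is the one that is monitored; a device that starts talking to something outside its set shows up as a violation rather than silently succeeding. The generated chain assumes the unpatchable devices sit behind a Linux router or firewall that forwards between segments; on other platforms the same per-device allowlist would be expressed in that vendor's ACL syntax.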
Reinvent training and awareness programs. Generic training sessions no longer suffice. You need to customize training for employees who are constantly blending "work" and "life" tasks and activities. Training should cover procedures for safely connecting devices and sound cyber hygiene practices, such as using a unique password for every account and enabling multi-factor authentication (note that current NIST guidance in SP 800-63B no longer recommends routine password changes unless there is evidence of compromise). You should similarly customize training for those overseeing corporate OT and IoT assets and functions.
Model practices after Center for Internet Security (CIS) and National Institute of Standards and Technology (NIST) guidance. The NIST Cybersecurity Framework, of course, has led the way in helping organizations better manage risks. CIS has released Version 8 of its CIS Controls, which designates as a top priority the development of an inventory and control of enterprise assets, which include end-user and IoT devices; followed by an inventory and control of software assets; the defense of data; and the secure configuration of enterprise assets and software.
Let’s face it: There is no “new normal.” There is only “new.” As the digital universe keeps shifting around us, we should continue to build a foundation of practices and capabilities – including total visibility/awareness, segmentation, training and CIS/NIST-based policies and implementations – to stay ahead of change instead of struggling to keep up with it. With this, we won’t get overwhelmed so much by the number of connected endpoints out there, because we’ll know what they are and where they are, and how to secure them.