Having worked in Endpoint Privilege Management (Privilege Elevation and Delegation Management) and, more recently, the wider Privileged Access Management (Privileged Account and Session Management) space for a number of years, I have seen increasing awareness of, and concern about, what I will refer to as ‘forgotten endpoints’.
Most businesses have a good understanding of their desktop and server estate: they know which tools protect those machines and can give a reasonably accurate account of which desktops and servers are in the environment, the OS each one runs, and other basic characteristics.
However, with the internet of things (IoT) expanding at breakneck speed, businesses are realizing that their networks contain numerous devices that have long been overlooked: POS systems in retail, gambling and gaming machines, and pumps and switches in legacy OT networks. These are what I consider the ‘forgotten endpoints’.
In my experience, there tend to be three areas businesses should focus on when considering these forgotten endpoints:
1. Asset Discovery
From my daily discussions with Security, Architecture and Infrastructure teams across numerous industries, it seems that some organizations can scan their network effectively and spot any new assets that have been added, while for others this remains a lengthy and cumbersome manual process.
So, what can be done? In my experience, automating asset discovery is a reliable way to remove a large share of cyber risk exposure, for the simple reason that you cannot patch, credential-manage or monitor a device you do not know exists.
Microsoft recently reported that the notorious Russian state-sponsored hacking group Fancy Bear is actively attacking businesses through internet of things (IoT) devices. According to Microsoft, the IoT devices observed in the attacks included a VOIP phone, an office printer, and a video decoder. These devices gave the attackers an initial foothold on the victims’ networks. In some cases, the device’s embedded password had not been changed from the manufacturer’s default. IoT devices with default credentials intact are easy pickings for an attacker with basic knowledge of the device, and discovery is what makes the follow-on controls (changing those credentials, applying updates) possible in the first place.
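To make the discovery point concrete, here is an added example (my own illustration, not code from the original post or from any product it mentions) of the basic automation loop: take the output of a scheduled network scan, compare it against the asset inventory the organization already has, and raise anything the inventory does not know about. It parses nmap’s grepable (`-oG`) output format, which is real, but the scan output, the inventory CSV and the `RISKY_SERVICES` list are constructed samples for this example.

```python
"""Flag live hosts that are missing from the asset inventory.

Added example, not from the original post. Parses nmap grepable (-oG)
output, diffs the live hosts against a CMDB-style CSV export, and reports
unknown devices together with their open ports so 'forgotten endpoints'
can be triaged. All sample data below is constructed.
"""
import csv
import io
import ipaddress
import re

# Constructed sample of `nmap -sS -p 22,23,80,443,9100 -oG - 10.0.0.0/28`.
# Grepable output puts each host on its own line, fields separated by tabs.
SCAN_OUTPUT = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.0.0.2 (dc01.corp.example)\tStatus: Up
Host: 10.0.0.2 (dc01.corp.example)\tPorts: 443/open/tcp//https///\tIgnored State: closed (4)
Host: 10.0.0.7 ()\tStatus: Up
Host: 10.0.0.7 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///, 9100/open/tcp//jetdirect///\tIgnored State: closed (2)
Host: 10.0.0.9 (pos-till-03.corp.example)\tStatus: Up
Host: 10.0.0.9 (pos-till-03.corp.example)\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (4)
# Nmap done (constructed sample)
"""

# Constructed sample inventory: the export most organizations already have.
INVENTORY_CSV = """\
ip,hostname,owner,asset_type
10.0.0.2,dc01.corp.example,infrastructure,server
10.0.0.9,pos-till-03.corp.example,retail-ops,pos-terminal
"""

# Services that deserve immediate attention on an unknown device: cleartext
# remote management or raw printer ports typical of unmanaged office kit.
# This list is an assumption made for the example, not a standard.
RISKY_SERVICES = {"telnet", "ftp", "jetdirect", "vnc"}

HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)\t(?P<rest>.*)$")


def parse_grepable(text):
    """Return {ip: {"hostname": str, "ports": [(port, service), ...]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything that is not a host record
        entry = hosts.setdefault(m["ip"], {"hostname": m["name"], "ports": []})
        for field in m["rest"].split("\t"):
            if not field.startswith("Ports: "):
                continue
            for spec in field[len("Ports: "):].split(", "):
                # grepable port spec: port/state/proto/owner/service/rpcinfo/version/
                port, state, _proto, _owner, service = spec.split("/")[:5]
                if state == "open":
                    entry["ports"].append((int(port), service))
    return hosts


def load_inventory(csv_text):
    """Return {ip: row} from a CSV export keyed on the asset's IP address."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def find_unknown(scan, inventory):
    """Hosts that answered on the network but are absent from the inventory."""
    findings = []
    for ip in sorted(scan, key=ipaddress.ip_address):
        if ip in inventory:
            continue
        host = scan[ip]
        findings.append({
            "ip": ip,
            "hostname": host["hostname"] or None,
            "ports": host["ports"],
            "risky": [svc for _port, svc in host["ports"] if svc in RISKY_SERVICES],
        })
    return findings


def report(scan_text=SCAN_OUTPUT, inventory_csv=INVENTORY_CSV):
    """Print a one-line finding per unknown host and return the findings."""
    findings = find_unknown(parse_grepable(scan_text), load_inventory(inventory_csv))
    for f in findings:
        ports = ", ".join(f"{p}/{s}" for p, s in f["ports"]) or "none"
        flag = " RISKY: " + ", ".join(f["risky"]) if f["risky"] else ""
        print(f"UNKNOWN {f['ip']} ({f['hostname'] or 'no rDNS'}) open: {ports}{flag}")
    return findings


if __name__ == "__main__":
    report()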
2. Supply Chain / Vendors
In most cases, businesses rely on third parties to support and maintain their systems and devices. Most of these third parties require admin access to do so, and that access is often granted without any control over what they can and cannot do, and with little or no audit trail.
Vendor remote access tends to be the number one risk businesses worry about when considering these forgotten endpoints. The perception is that “we cannot get in the way of these third parties providing their support as efficiently as possible.”
Organizations understand that vendor access is often a necessary risk if the business is to keep operating effectively. Good examples are third parties managing gaming and gambling machines in betting shops and casinos, or third-party engineers maintaining pumps and switches in OT networks. These businesses cannot, or will not, risk downtime, because it directly affects revenue.
However, vendor access is too often granted in broad, all-or-nothing strokes rather than managed granularly, and there is no longer an excuse for this dangerous approach. Modern solutions can provide secure third-party access while maintaining a least privilege model and layering on full session auditing. In effect, you extend to vendors and remote workers the privileged access management (PAM) best practices you already apply (or should be applying) to your own employees. This also lets you meet guidance from bodies such as NIST and CPNI without impairing the ability of these third parties to perform their roles.
3. Cost
Supporting, managing, and maintaining these forgotten endpoints can be costly in several significant ways:
- Businesses spend a great deal of staff time maintaining an asset inventory by hand.
- Vendors are frequently required to be onsite when working on these devices, because connecting to them remotely is considered too insecure (at least where robust remote access controls are not in place).
- If the users maintaining these devices lack the right level of privilege because of internal security policies, they are often unable to perform their roles in a timely manner. Without a mature PAM program, provisioning exactly the right level of access can be a very manual and time-consuming process.
By discovering all devices and assets within their organization, streamlining and safeguarding support, and reducing the need for external third parties to be onsite to maintain systems, enterprises can reduce risk exposure and increase operational efficiency.
In my experience, the organizations that have implemented these measures successfully have done so by adopting unified PAM solutions that automate asset discovery, provide secure remote connections for internal and external parties, and audit all activity, which lets them secure every type of endpoint efficiently and at scale. A unified solution gives the business a holistic view of risk across all assets and lets it act on audit data quickly and effectively, limiting risk exposure.
A Guide to Endpoint Privilege Management (white paper)
IIoT Security: Managing Identities and Privileges (white paper)
Manage Third-Party Remote Access (solutions page)