Exposed enterprise IoT devices can be an indicator of security issues to come, with firms sporting exposed devices having a 62% higher density of other security problems, new research shows.
For example, companies with exposed IoT are more than 50% more likely to have email security issues, according to a new report and blog post from the Cyentia Institute and RiskRecon.
But what does that correlation mean for chief information security officers? SC Media spoke to Kelly White, RiskRecon founder and CEO, to find out.
Is it surprising that there's a correlation between something like IoT exposure and other security issues?
This is something we see time and time again: Where there's smoke, there's fire. The data shows that smaller indicators of cybersecurity risk performance, particularly on the negative side, are strong indicators of larger problems. And that's certainly borne itself out in the IoT report, where you have a 62% greater flaw density, observable flaw density, in environments where they are operating IoT devices on the internet.
We've had other research papers that we've put forward, where we see that pattern happen over and over again, whether it's running a MySQL server database on the internet, that's a strong indicator of having much bigger issues. And something simple, like 'are you running the latest TLS encryption protocol?' That's another indicator of larger issues.
When you say larger issues, is that just in regard to the number of problems, or do the problems actually get worse from there?
The problems get worse from there.
If you have that IoT device, what had to go wrong? Let's say you had a printer operating on the internet. Well, a lot of things went wrong. You have systems on the internal network accessible from the internet, so potentially, you've got internet access and firewall policy issues.
Then, breaking down why those occurred, there are much larger problems behind that that led to that occurring, aside from the fact that it's just a bad idea. If it's an accident, then geez, you're not managing your environment and you don't have effective security architecture to prevent exposure of assets. Now, if you made the decision intentionally to do that, it opens up questions about judgment.
Now, of course, there are certain scenarios where, yes, operating an IoT device on the internet is justified and there are solutions for it. But the data bears out that it's an indicator of much larger problems, which results in critical and high severity software patching issues and other issues being present.
So, how can CISOs operationalize that kind of information?
To do information security well, you have to take care of the details. As a former CISO, I know that you have to have really thought through your systems and configurations, whether that's in the operating system, the platform, or the software, and these all have to be properly cared for. Information security is very much won and lost in the details. So that's looking at your own enterprise.
The other component is as you're engaging third parties. If you have a partner that you've observed may be running an IoT device on the internet, or running telnet, or a database server, or something that isn't appropriate, you can darn well be sure that there are other problems.