Devices Lurking in the Shadows
By Tom Carpenter on 03/24/2020
The phrases shadow devices, shadow IoT, shadow nodes, and shadow clients all refer to the same concept: many devices connected to your network are not organization-owned devices. These devices can introduce serious security concerns and should become a known element in your processes.
Shadow IoT has gotten some press over the past year, and shadow devices are a reality we must contend with. Forescout Technologies, a company in the device visibility and control space, even has a calculator that will estimate the number of devices you really have on your network (though I think their algorithm needs updating, as it seems far too low to me; they increment by 24% regardless of the number you put in, so I suppose now that you know the secret, there is no real reason to use the calculator). These shadow IoT and other devices introduce security concerns because, if you're like most companies, you do not patch, configure and monitor them.
In the general shadow devices category are devices like personal phones, laptops, tablets and such. In the shadow IoT space are any number of consumer IoT devices which could include smartwatches, smart TVs brought from home, digital assistants, and such. The point is that, if these devices are on your network and have vulnerabilities, they may be exploited as an ingress to your network.
According to a 2018 report from Infoblox (available here: Infoblox Report), the following devices were reported as discovered on enterprise networks:
- Fitness trackers, such as FitBit or Gear Fit - 49 percent
- Digital assistants, such as Amazon Alexa and Google Home - 47 percent
- Smart TVs - 46 percent
- Smart kitchen devices, such as connected kettles or microwaves - 33 percent
- Games consoles (yep, on the enterprise network), such as Xbox or PlayStation - 30 percent
In the 2020 Infoblox report, reporting on 2019 numbers (available here: Infoblox 2020 Report), "only 20% of IT leaders claimed to have not discovered any shadow IoT devices." As you can see, the shadow world is real.
If you think that your policies related to personal devices will completely solve the problem, know that one fifth of USA and UK employees who know the policies exist admit to rarely or never following them, and one fourth of all employees say they don't even know the policies exist. In the end, about 50 percent of employees either don't know about the policies or don't follow them, even though 88 percent of IT leaders think that their policies are either effective or very effective. (Source: Infoblox 2018 report linked previously)
So what are you to do? Consider the following among many possible options (if you desire to constrain the use of personal devices):
- Block the sites used by such devices in your firewall rules, DNS or proxies
- Track any and all devices added to your network
- Run IPS solutions to be alerted to known attacks
- Use what you have
The last point is important. Many organizations are simply not using what they have. Look at your network management software. What monitoring features does it provide? You might be surprised to find that it can report newly added devices or at least give you the ability to filter reports to locate them. You may already have IPS features available to you that aren't being used or aren't being used appropriately.
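As an illustration of tracking newly added devices with data you already collect, the following added example (not from the original article) compares DHCP leases against an asset inventory and reports every MAC address the organization does not own. It assumes ISC dhcpd-style lease records and a hypothetical inventory set; all addresses and hostnames are constructed.

```python
import re
from datetime import datetime

# Constructed sample in ISC dhcpd.leases style; every address and name is made up.
SAMPLE_LEASES = '''
lease 10.0.0.21 {
  starts 2 2020/03/24 08:01:10;
  hardware ethernet 00:11:22:aa:bb:01;
  client-hostname "FIN-LAPTOP-07";
}
lease 10.0.0.57 {
  starts 2 2020/03/24 13:02:45;
  hardware ethernet 02:9f:41:c3:00:7e;
}
lease 10.0.0.58 {
  starts 2 2020/03/24 09:40:33;
  hardware ethernet 00:11:22:cc:dd:02;
}
lease 10.0.0.57 {
  starts 2 2020/03/24 09:15:02;
  hardware ethernet 02:9f:41:c3:00:7e;
  client-hostname "Galaxy-Watch";
}
'''

# Hypothetical asset inventory: MACs of organization-owned devices.
INVENTORY = {"00:11:22:AA:BB:01"}

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)

def field(body, pattern):
    m = re.search(pattern, body)
    return m.group(1) if m else None

def find_shadow_devices(leases_text, inventory):
    """Return {mac: record} for every leased MAC that is not in the inventory."""
    known = {m.lower() for m in inventory}
    found = {}
    for ip, body in LEASE_RE.findall(leases_text):
        mac = (field(body, r"hardware ethernet ([0-9A-Fa-f:]{17});") or "").lower()
        if not mac or mac in known:
            continue
        seen = datetime.strptime(field(body, r"starts \d (\S+ \S+);"), "%Y/%m/%d %H:%M:%S")
        rec = found.setdefault(mac, {"ip": ip, "first_seen": seen, "hostname": None})
        rec["first_seen"] = min(rec["first_seen"], seen)
        rec["hostname"] = field(body, r'client-hostname "([^"]*)";') or rec["hostname"]
        # Locally administered bit set: likely a randomized MAC that will change later.
        rec["randomized_mac"] = bool(int(mac[:2], 16) & 0x02)
    return found
```

The `randomized_mac` flag matters for follow-up: a device using a randomized address cannot be tracked reliably by MAC alone, so the hostname and first-seen time are the more durable leads.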
The moral of the story is simple: shadow IoT devices and other shadow devices are lurking on your network. What are you going to do about it?