Revelations by former Twitter cybersecurity chief-turned-whistleblower Peiter “Mudge” Zatko had tongues wagging across the industry Tuesday morning. Articles by CNN and the Washington Post included details from a 200-page letter Zatko sent to Congress, the Federal Trade Commission (FTC), Securities and Exchange Commission (SEC), and Department of Justice (DOJ) detailing claims of poor security practices and management by the social media giant. Zatko alleges Twitter’s security program is rife with bad practice, vulnerable devices, and executive apathy in violation of privacy and security assurances it made to regulators following a major data breach in 2020.
According to CNN, one of the concerning allegations is that, “About half of the company’s 500,000 servers run on outdated software that does not support basic security features such as encryption for stored data or regular security updates by vendors.” The report also claims that, of the computers employees use for work—including accessing sensitive production environments—“4 in 10 devices do not meet basic security standards.”
Peiter “Mudge” Zatko (CNN photo)
Twitter denies Zatko’s accusations and told CNN in a written statement, “What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context.”
Device Vulnerability is an Unavoidable Reality
Whatever the outcome of any subsequent investigation, the situation described by Zatko might have many CISOs sleeping fitfully tonight as an environment populated by vulnerable devices is more common that many will publicly admit. And it doesn’t mean that the tech and security leaders in those organizations are derelict in their duties. Often, running such at-risk gear is an unavoidable necessity.
Industrial IT environments frequently include state-of-the-art IoT (internet of things) technology on the same network as equipment and operational technology (OT) that is decades old, running with obsolete operating systems and unsupported software. Such devices were not built to be secure because they were never intended to be connected to the public internet.
In healthcare organizations the challenges are even greater. Many connected medical devices in the realm of what is known as the internet of medical things (IoMT) must remain in service for the sake of patient safety, even if those devices are known to exhibit vulnerabilities. And because of FDA regulations intended to maintain a device’s operational integrity, typical patch management practices cannot be followed when vulnerabilities are discovered.
While Zatko claims that half of the servers behind Twitter’s operations are vulnerable, in healthcare the problem may be worse. Security researchers recently found that as many as 75% of the 200,000 medical devices they studied contained security flaws that make them vulnerable to exploitation by threat actors. That is why hospitals and healthcare providers around the world are turning to Ordr.
Unknown, Unseen, Unmanaged
Compounding the challenge for cybersecurity leaders is that many of these devices are unmanaged, and may operate outside the view of IT management. That adds up to potentially thousands of IoTdevices, building controls, security equipment, consumer-grade tech, and other unknown, unseen, and unsecured devices operating at risk on the network. The result is critical healthcare, manufacturing, and public and commercial infrastructure environments with an enormous attack surface and, using legacy tools and traditional strategies, with no way to understand the scale of the risk and secure the enterprise. Fortunately, there is a solution to close this gap.
The Ordr platform “passively” scans an enterprise network to discover and classify all the devices that are connected, including medical devices, operational technology, building controls, traditional IT systems and more. Within minutes of deployment, Ordr provides full, real-time visibility of the environment fromIoT, IoMT, OT, and other connected devices comprising the organization’s complete asset inventory, as well as how the devices are connected, and what other systems they are communicating with.
Ordr has You Covered
Ordr identifies risks for every device via an integrated threat detection engine, threat intelligence feeds, and continuously enriching device profiles within the Ordr DataLake. Ordr also monitors and compares device activity against a baseline of “normal,” good behavior. Because devices are deterministic and therefore should operate within specific, narrow parameters based on functions, abnormal behaviors that may be indicative of a cyberattack are easier to identify. Any suspicious behavior or unexpected communications patterns trigger automated alerts. When that happens, Ordr can dynamically generate Zero Trust security policies to contain an attack, while keeping mission-critical devices in service.
Read more about the award-winning Ordr connected device security platform, here, or contact us with any questions you may have about how we can help you secure your enterprise environment.
Pandian has more than 20 years of product and engineering leadership experience and is also a serial entrepreneur. Before founding Ordr, he was the Chief Development Officer at Aruba, responsible for all of engineering and product management functions. Aruba, an enterprise mobile wireless company, was acquired by HPE for $3 Billion in March 2015. Before Aruba, Pandian served as the head of engineering for Cisco’s multi-billion-dollar Wi-Fi business unit and before that as VP of engineering for low-end switching product lines. He graduated with a master’s degree in Electrical Engineering from IIT, Chennai, India and holds several patents to his credit in various networking technologies.
Follow by Author