Any device attached to your network poses potential risks, in terms of stuff on the network, computers — desktops, notebooks, and servers — tend to get the lion’s share of press as tempting cyberattack targets, along with unsecured web sites, gullible/careless users, CD/DVD-ROMs, USB flash drives, PDF files, smartphones, VoIP PBXs and a few other things, not all of which, to be sure.
Often overlooked are the other devices on the network that, while not considered to be “computers,” have the same core components: a CPU, and possibly also permanent storage, either a hard disk, or flash RAM. For example, printers and multi-function devices can have sensitive data left on their storage, which requires proper safeguarding while the machine is in use, and when a company disposes of it. But there’s additional devices at risk, and more types of risks and threats besides data sitting on the drives.
Network-attached devices include postage machines, UPS (Uninterruptible Power Supply) systems, Point-of-Sales systems, digital signs, security cameras, proximity readers, facility management systems, power, lighting, HVAC, and alarms. It’s not just about “printers and copiers,” but since these are devices that people can picture most easily.
Historically, printers were single-purpose devices, with embedded operating systems with limited functionality, often proprietary, and which frequently did not attach directly to the network but were shared via a PC acting as a print server. Over time, these devices have evolved, Now they run complete operating systems like Windows or Linux, and they have multiple services running. A printer can also do web printing, FTP printing, sending outbound email and FTP.
And some of these protocols aren’t necessarily secure, meaning they’re not encrypted, and the web or FTP server running them may have vulnerabilities, e.g., an old version of the APACHE web server, and have known vulnerabilities which haven’t been patched on this machine… how many companies actually patch their printers? They know to patch their workstations and servers, but they may not even know they need to patch their printers.
Every time you print or copy a document, a digital copy is stored on the hard drive. If you compromise the printer via the web server you may be able to access whatever documents have been printed, copies, scanned, etc. And there have been cases where people have been able to access the hard drive to store malicious code there, outside the reach of virus scanners. There’s no anti-virus software on the printer, so you can store malicious code there for later use.
The other way these devices — especially printers and copiers — is in terms of physical security. Servers are probably in a data center, with restricted access. Employees’ computers not have quite as good security, but they’re often in rooms you need a ID or key to get into, or in offices. But copiers, printers, mailing machines and other devices are often in rooms where everybody has physical access. If you don’t have some user authentication required to use a device, like an ID code or a security fob,, anybody may be able to walk up to the front panel, and print from the device, or yank the hard drive and copy it.
But what happens when you’re done with that copier or printer? Remember, today’s digital copiers aren’t directly making a copy — they’re scanning the page to the hard drive, and then printing it from there, so the document is on the hard drive, just like it would be if you’d sent a file from the printer. Anyway, if it’s on lease, the supplier may send it to the next company, or a refurbisher may ship them overseas… with your data still on the hard drive.
Treat every device on your network like you would any other PC, workstation or server, as much as you reasonably can, in terms of getting and using security.
Six questions you should ask to assess security of networked devices.
- Where and how is it installed on the network?
- Who has access to it?
- What services is it running?
- Is it still using its default password?
- What kind of storage capabilities does it have?
- Is cryptography implemented properly or even used at all?
adapted from informationweek.com
