Often overlooked are the other devices on the network that, while not considered to be "computers," have the same core components: a CPU, and possibly also permanent storage, either a hard disk, or flash RAM.
For example, printers and multi-function peripherals can have sensitive data left on their storage, which requires proper safeguarding while the machine is in use, and when a company disposes of it. (See my InformationWeek SMB news article, Xerox Advises Securing Data in Printer Hard Drives.)
But there's additional peripherals at risk, and more types of risks and threats besides data sitting on the drives.
Kevin Brown, delivery manager of custom testing at ICSA Labs (which is an independent division of Verizon Business, which in turn is part of Verizon Communications), spoke about this in his talk, "Is Your Copier a Security Threat? How Hackers Are Exploiting Network-Connected Devices," which was part of InformationWeek and Dark Reading's August 11, 2010 Security Virtual Event, Hacking 2010: Understanding the New Wave of Cyberattacks.
I wasn't able to "attend"... but I was able to chat with Brown by phone later in the day, as well as get a copy of his presentation, "Network Attached Peripherals: Another door to your company's data." Here's a mashup (which I've run by him for an accuracy check) of our phone conversation and his presentation)
Q: In addition to printers and copiers, what else can network-attached peripherals be?
Brown: Network-attached peripherals include postage machines, UPS (Uninterruptible Power Supply) systems, Point-of-Sales systems, digital signs, security cameras, proximity readers, facility management systems, power, lighting, HVAC, and alarms. It's not just about "printers and copiers," but since these are devices that people can picture most easily, I tend to use these as examples. But assume that this discussion refers to any and every network-attached peripheral.
Q: What's the most important thing to know?
Brown: The key thing to start with: any device that you attach to your network has the potential to be at risk. That's the first lesson. From there, you need to identify what that risk might be. There are several ways of threats, depending on the device, how it's deployed, how it's used."
Q: My printer might be dangerous, or letting threats in? My printer!?
Brown: The phrase I hear from a lot of people is, "I don't understand, what's the big deal... it's 'just a printer.'"
Historically, these were single-purpose devices, with embedded operating systems with limited functionality, often proprietary, and which frequently did not attach directly to the network but were shared via a PC acting as a print server.
Over time, these devices have evolved, Now they run complete operating systems like Windows or Linux, and they have multiple services running. A printer can also do web printing, FTP printing, sending outbound email and FTP.
And some of these protocols aren't necessarily secure, meaning they're not encrypted, and the web or FTP server running them may have vulnerabilities, e.g., an old version of the APACHE web server, and have known vulnerabilities which haven't been patched on this machine... how many companies actually patch their printers? They know to patch their workstations and servers, but they may not even know they need to patch their printers.
And then you add the additional level of threat, like an old known hack to a specific printer, changing the message on the LCD screen, which isn't necessarily dangerous, but shows the vulnerability.
Every time you print or copy a document, a digital copy is stored on the hard drive. If you compromise the printer via the web server you may be able to access whatever documents have been printed, copies, scanned, etc.
And there have been cases where people have been able to access the hard drive to store malicious code there, outside the reach of virus scanners. There's no anti-virus software on the printer, so you can store malicious code there for later use. I haven't seen this, but I've read reports of this being discovered.
Here's some examples: One popular security camera was found to be vulnerable to a XSS (Cross-Site Scripting) attack on its administrative login page that allowed a hacker to gain access to the camera and change the source of the video feed
And back in 2001, the Code Red computer worm also affected some printers running web servers, creating additional headaches for IT departments that day.
Here's some questions to ask:
- Where and how is it installed on the network?
- Who has access to it?
- What services is it running?
- Is it still using its default password?
- What kind of storage capabilities does it have?
- Is cryptography implemented properly or even used at all?
It's important to remember, a device doesn't always require a custom exploit to be hacked. And it may be exploited using a web browser, telnet, or even via the included LCD screen.
Q: So if I take care of all this, my device and the data on it are secure?
Brown: No. The other way these devices -- especially printers and copiers -- is in terms of physical security. Servers are probably in a data center, with restricted access. Employees' computers not have quite as good security, but they're often in rooms you need a ID or key to get into, or in offices.
But copiers, printers, mailing machines and other devices are often in rooms where everybody has physical access. If you don't have some user authentication required to use a device, like an ID code or a security fob,, anybody may be able to walk up to the front panel, and print from the device, or yank the hard drive and copy it.
Q: So I make sure that strangers, or unauthorized employees, can't get to these devices, or can't be alone with them...
Brown: But what happens when you're done with that copier or printer? Remember, today's digital copiers aren't directly making a copy -- they're scanning the page to the hard drive, and then printing it from there, so the document is on the hard drive, just like it would be if you'd sent a file from the printer. Anyway, if it's on lease, the supplier may send it to the next company, or a refurbisher may ship them overseas... with your data still on the hard drive.
Q: What, in general, should companies, including small-to-midsize companies who don't have a lot of IT staff or time, or comprehensive security expertise, be doing?
Brown: My high-level advice is, treat every device on your network like you would any other PC, workstation or server, as much as you reasonably can, in terms of getting and using security.
This starts at the purchasing process -- investigate the products you're buying. Talk to the vendors, find out whether the device have storage, does it support encryption, does that cost extra? Is there a disk-wiping feature, does that cost extra? This extra cost up-front is likely to be less than getting it later -- or the cost of an "event." If it doesn't support the security features you need when you purchase it, so you can't enable them... you have to be able to deploy it securely.
Q: And these days, even if nothing goes wrong, failing a compliance check can be expensive, in terms of fines, or being forced to stop some aspects of how your business is done.
Brown: For me, the key is, be aware of these considerations, make an informed decision when you purchase the device, and be careful when you dispose of it. Don't overlook security when it's on the network.
Lastly, and this will be key for SMBs, if you don't have the expertise, hire people who do. If you don't know how to install a lock, hire a locksmith.
(Here's more information about ICSA Labs' Network-Attached Peripheral Security Program.)