The security hole you probably forgot to close
How to make sure every back door is locked
If the past 20 years has taught us anything, it is that technology is a double-edged sword. For every advance in functionality and convenience, there is a corresponding increase in risk.
This has been highlighted lately by the attention given to digital photocopiers by the Federal Trade Commission, which is looking into the risks presented by the hard drives in the devices. But it is not just discarded copiers that pose a risk. Networked peripherals of almost any kind offer convenient backdoors for hackers into enterprises.
“If it’s got memory, it’s got a processor, and it’s on the network, it’s a computing device and we should treat them as such,” said Adam Bosnian, executive vice president of corporate development at Cyber-Ark Software.
But copiers, scanners, fax machines and other networked tools often are not managed by the information technology shop that has responsibility for securing the enterprise; and those who do manage them typically are not focused on security.
Snazzy printer features could open Pandora’s box
Making printers pay: Ways to lower costs, improve security
“There is a lack of communication in terms of the ever-evolving technology out there,” Bosnian said. “There is a disconnect between the organizations internally and things fall into a gray area.”
Peripheral security's profile rose recently when Rep. Edward J. Markey (D-Mass.) asked the FTC to look into the threats posed by discarded copier hard drives.
“I am concerned that these hard drives represent a treasure trove for thieves,” he wrote on April 29. He asked what the commission has done about the threat, and encouraged it to provide consumers with information about the risks. “Business and government agencies also should ensure that all the personal information in the hard drives in these machines is wiped clean before the machine is ... disposed of,” he wrote.
FCC Chairman Jon Leibowitz said the commission is increasing its outreach and educational efforts for both businesses and consumers.
“The FTC is now reaching out to copier manufacturers, resellers, and retail copy and office supply stores to ensure that they are aware of the privacy risks associated with digital copiers,” Leibowitz wrote. He said the commission’s practice is to obtain ownership of hard drives of copiers it leases, and to erase and destroy them when the copiers are returned.
But Bosnian points out that copiers and other devices, in addition to their large memory, also often contain root or administrative accounts for management. These privileged accounts not only make it possible for an attacker to take over a targeted network device if it is not adequately secured, but also to use it as a means of entry to the rest of the network.
“It’s not a new problem,” Bosnian said. Awareness of the risks date back at least to the 1990s. “The concerns are out there,” but they often are not addressed because of organizational issues and a lack of resources. Even if the IT shop has control of peripheral devices, resources often are stretched thin and they receive little attention. The risk is accepted until it can be dealt with.
Is it necessary for these privileged accounts to be built into these devices? There is a school of thought that says no. But the reality is that these devices often are critical business tools that must be kept functioning. The value of “one powerful account that multiple people can access” to keep document management tools running often outweighs the perceived risk, Bosnian said.
Faced with the realities of technology, organizational priorities and budget constraints, awareness of the tools and the risks they present is needed so that these risks can be managed, mitigated and — when necessary — knowingly accepted and provided for.