The security hole you probably forgot to close

How to make sure every back door is locked

If the past 20 years has taught us anything, it is that technology is a double-edged sword. For every advance in functionality and convenience, there is a corresponding increase in risk.

This has been highlighted lately by the attention given to digital photocopiers by the Federal Trade Commission, which is looking into the risks presented by the hard drives in the devices. But it is not just discarded copiers that pose a risk. Networked peripherals of almost any kind offer convenient backdoors for hackers into enterprises.

“If it’s got memory, it’s got a processor, and it’s on the network, it’s a computing device and we should treat them as such,” said Adam Bosnian, executive vice president of corporate development at Cyber-Ark Software.

But copiers, scanners, fax machines and other networked tools often are not managed by the information technology shop that has responsibility for securing the enterprise; and those who do manage them typically are not focused on security.

Related stories:

Snazzy printer features could open Pandora’s box

Making printers pay: Ways to lower costs, improve security

“There is a lack of communication in terms of the ever-evolving technology out there,” Bosnian said. “There is a disconnect between the organizations internally and things fall into a gray area.”

Peripheral security's profile rose recently when Rep. Edward J. Markey (D-Mass.) asked the FTC to look into the threats posed by discarded copier hard drives.

“I am concerned that these hard drives represent a treasure trove for thieves,” he wrote on April 29. He asked what the commission has done about the threat, and encouraged it to provide consumers with information about the risks. “Business and government agencies also should ensure that all the personal information in the hard drives in these machines is wiped clean before the machine is ... disposed of,” he wrote.

FCC Chairman Jon Leibowitz said the commission is increasing its outreach and educational efforts for both businesses and consumers.

“The FTC is now reaching out to copier manufacturers, resellers, and retail copy and office supply stores to ensure that they are aware of the privacy risks associated with digital copiers,” Leibowitz wrote. He said the commission’s practice is to obtain ownership of hard drives of copiers it leases, and to erase and destroy them when the copiers are returned.

But Bosnian points out that copiers and other devices, in addition to their large memory, also often contain root or administrative accounts for management. These privileged accounts not only make it possible for an attacker to take over a targeted network device if it is not adequately secured, but also to use it as a means of entry to the rest of the network.

“It’s not a new problem,” Bosnian said. Awareness of the risks date back at least to the 1990s. “The concerns are out there,” but they often are not addressed because of organizational issues and a lack of resources. Even if the IT shop has control of peripheral devices, resources often are stretched thin and they receive little attention. The risk is accepted until it can be dealt with.

Is it necessary for these privileged accounts to be built into these devices? There is a school of thought that says no. But the reality is that these devices often are critical business tools that must be kept functioning. The value of “one powerful account that multiple people can access” to keep document management tools running often outweighs the perceived risk, Bosnian said.

Faced with the realities of technology, organizational priorities and budget constraints, awareness of the tools and the risks they present is needed so that these risks can be managed, mitigated and — when necessary — knowingly accepted and provided for.

About the Author

William Jackson is a Maryland-based freelance writer.

inside gcn

  • power grid (elxeneize/

    Electric grid protection through low-cost sensors, machine learning

Reader Comments

Thu, Jun 3, 2010

What about devices with embedded compact flash cards or SSDs? Who will bother to look for those when the regs come out about hard drives? They'll never keep up this way.

Wed, Jun 2, 2010 quantumrift Arizona

Nope. We did not forget to close that hole. We've been using HP digital senders for quite a while and from the get-to we understood it to be basically a 'dumb' computer with a disk drive that does two things - scan and email, and it's hard drive is just as susceptible to network dangers as any computer and needs to be locked down and segregates as much as you can. If the printer/sender needs to send copy or emails outside your immediate organization or network, you can further protect it by segregating them onto on "DMZ" (and even use private IP space with NAT if you desire). Otherwise, just move all your "at risk" devices onto a separate private IP space, and ACL ACL ACL.....

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group