NIST outlines guidance for security of copiers, scanners
The National Institute of Standards and Technology announced its internal report 8023: Risk Management for Replication Devices is now available.
The guidance covers protecting the information processed, stored or transmitted on replication devices (RDs), which are devices that copy, print or scan documents, images or objects. Because today’s RDs have the characteristics of computing devices (storage, operating systems, CPUs and networking) they are vulnerable to a number of exploits, NIST said.
Among the threats to RDs are:
- Default passwords that can be can be used to control the device.
- Data that is transmitted or stored unencrypted making it subject to unauthorized exposure and modification.
- Service interruptions from user interfaces, power outages and internal mechanical or software operations.
- Unauthorized use that wastes ink, paper and toner while denying service for legitimate users.
- Alteration/corruption of passwords or configuration settings.
- Outdated and/or unpatched operating systems and firmware.
In order to protect RDs and the networks they’re attached to, NIST recommends IT managers limit or restrict access to RDs by either placing the devices in secured areas or requiring identification and authentication for use. IT managers should also make sure that event logging is enabled so they can troubleshoot problems and investigate suspicious activity. Likewise monitoring and error handling capabilities should be configured.
According to NIST, not all compromises are easy to detect. The warning signs that may indicate misuse or a compromise include:
- Display malfunctions or shows incorrect information.
- Consumables (ink, paper, or other supplies) run out faster than usual.
- Increased number of failed or timed-out jobs or device completes processes slower than expected.
- Unexplained/unauthorized changes in configuration settings.
- Device uses more network time/bandwidth than usual.
- Time stamps do not align or make logical sense.
- Communications with unknown IP or email addresses increase.
Just as with any networked device, outdated or unpatched software and firmware is a common vulnerability. IT managers should regularly review vendor security bulletins and install patches and upgrades as needed.
When RDs are no longer needed by an organization, they should be wiped or purged, and all nonvolatile storage media should be destroyed. Passwords and user PINS should be changed, and the device configurations should be reset to the factory default settings.
The NIST document also includes a security risk assessment template in table and flowchart format to help organizations determine the risk associated with replication devices.
Connect with the GCN staff on Twitter @GCNtech.