Multi-Function Devices – Will they comply…?
Okay, so you did a Penetration Test and all you found was an insecure printer right? The fun things that you can find on Multi-function Printing devices and how it might affect compliance…
Printers, scanners, copiers, and fax machines have become more and more complex over the years.
I find that this is largely due to a Dilbert comic strip character named “The Feature Creep” who would annoyingly want to cram more and more features into a new product line.
These devices are doing more than what they were intended to do while opening additional security risks. Not only do these Multi-Function printers (MFP) scan, copy, fax and print, but now they can send email, host web-based administrative pages and send you an email to say when the toner, paper and fuser units need replacing.
We are not talking about the all-in-one printer, scanner and copiers the home user can pick up from the local high street for £30-£80 but the much bigger floor standing devices often the footprint size of a standard vending machine.
These devices are designed to print, scan, copy, fax and email on a commercial scale in professional office environments which requirement large printing, copying and scanning facilities.
Each of these multi function devices occupy a standard hard disk drive the same as that found in the likes of your PC or laptop. Once an item (birth certificate, insurance documents, proof of identity etc) are scanned, copied, faxed or emailed by the multi-function device these are then stored on the hard drive.
There may no concern for this providing the device storing these items is stored itself in a secure physical location. However what happens when the device develops a fault and is sent a way for repair, is replaced by a temporary loan multi function device or the hire period has expired and is returned to the manufacture for recycling or disposal?
The fact is many of these multi function printing devices are leaving large public and private sector organizations with all of their company secrets on board.
These risks were recently publicized in a CBS TV news broadcast
The news cast showcased some sensitive personal identifiable information (PII) and even sensitive investment reports of a high profile investment firm. Even though some of these security concerns may be trivial, these devices should be addressed.
PCI does not say I need to protect my printers, who cares!
Compliance in many cases is one of the biggest drivers for security. Compliance such as PCI, HIPAA, Sarbanes Oxley etc. Many not exactly require you to secure your MFPs/MFD’s or other devices but it might be around the corner. Since most organization generally want to do the right thing, it may be required in certain situations to go beyond compliance.
To a level of ‘reasonable expectations’ for example
When news stories continually pop up with the subject of sensitive information being breached by recycled copy machines, compliance may one day be addressing these types of issues. Since compliance is just not there yet, here are some general questions to ask when trying to understand the criticality of these systems and show some due diligence:
- Are these devices accessible on the network? If so, how is “Administrative” access controlled?
- How long are the image files retained on these systems?
- If the device was compromised could you actually capture sensitive data?
- If a hard drive fails, does the replacement process follow the normal Standard for securely destroying the disk?
- What are some of the services enabled on these devices? Is there an administrative website, SNMP client, SMTP server? How about the accounts and passwords of the administrative websites, are they set to default accounts and passwords?
Ideally if you had answered “No,” or “I don’t know” to these questions more than likely some of the issues may need to be addressed.
In addition when making procurement decisions around such devices. Particularly when procuring in bulk for medium to large organizations.
- See what additional options are available – such as secure file erase.
- Can third party solutions be used and ir so how does this affect any warranty’s or support agreements.
- Can the organisation purchasing/hiring the devices removing the hard drives for secure disposal prior to the item being repaired/replaced?
My supplier made me do it!
In many cases MFPs and other such devices are quickly configured and are plugged into a network. Normally these devices are not looked at or updated until it is time to get a new one. Unless during its life span it stopped working or started belching fire, additional settings were likely not addressed or disabled.
Vendors try to sell these devices with more features while the customer may not have considered the risks involved. One example of these features is the ability to send faxes or scanned documents through email. This sounds like a good economical feature however internal policy may state that anonymous emails are strictly forbidden.
Now that disgruntled employee has a way to send threatening or harassing emails through the printer to that one person he/she does not like. Additionally in order to even securely wipe the internal hard drive on these devices it may require voiding warranties or service contracts if the only way to securely wipe the hard drive is by totally dismantling the device.
Some vendors are currently taking a proactive approach in implementing security features such as secure deletion of image files after a print job is finished however, there really are no best practices currently developed for MFPs and other devices.
Just like any network appliance these MFPs and other print devices are small computers that are connected to the network. They have memory, storage, processors, and an operating system just like a router or a firewall. Even though these may not be directing critical network traffic or blocking unwanted packets these devices can hold sensitive information.
Before that old printer is finally decommissioned ensure that the hard drive is securely wiped. When looking at your current devices or when the new one is purchased with all the cool features check the settings, you may be surprised at what you will find.
It’s better you find it then someone else.