Is this a copier?
Is this a printer?
Is this a facsimile?
Is this a computer?
Is this a threat?
A Security Tour of the Typical Multi-Function Printer/Copier/Fax (MFD)
Presented by: Patrick McGuire, State Board of Equalization
From the typical user’s perspective, the MFD is:
Familiar and friendly
Out in the open work area with no restrictions
Plugs into the wall just like my reading lamp at home
The jovial copier guy is always good for a joke or a story
I push a button, it hums, then it does something – makes a copy

From the typical user’s perspective, the server is:
Scary and cold
Behind a cage, in a locked room, that few people are allowed to enter
Special power, temperature, humidity, and fire suppression
The geek has few social skills and never makes eye contact
Let me see what happens when I push and hold down that button
So, where’s the RISK?
It’s all about the data.
Asset Value – do your documents contain Confidential, Sensitive, or Personal (C/S/P) information?
Threat – the loss of custody and control of the information
Vulnerability – open peripheral ports, persistent storage, e-mail client, File Transfer Protocol (FTP) client, wireless protocols
Probability – absent security controls, a breach is likely
Impact – reputation loss, hard dollar costs associated with Civil Code 1798.29 notifications
Contingencies – rapid incident response, support contract, classify as an IT asset
Residual Risk – absent security controls, the risk is unacceptable
Mitigation – What steps can we take to reduce the risks?
Do you see any vulnerabilities below?
Software Vulnerabilities
Threat Vectors
Data Storage
-- Hard Drive
-- Flash memory
-- Removable storage – floppy, CD-ROM
Data transmission
-- SMB (file sharing)
-- FTP
Numerous connection points
-- USB, Firewire
-- Ethernet, POTS (telephone modem)
-- Wireless – WiFi, Bluetooth, InfraRed
-- Human Computer Interface (HCI)
Risk Management
Suggested Mitigation Strategies
• Add to your security awareness program
• Train your procurement staff
• Make the vendor accountable
• Regulate the vendor’s behavior through solid contract language
• Include in your internal audit program (FISMA)
• Add to your risk management program (SAM 5305)
• Stay aware of new features and capabilities
• Assume C/S/P information will be exposed
• Although today it’s not networked, tomorrow that will change
• Add to your end of life program for proper disposal
• Make part of your IT program, most suited to manage technical risk
• Add to your penetration testing methodology
• Stay on top of upgrades and security patches
• Request, then support, State of California standards (DGS-PD)
Risk Management
Suggested Mitigation Tactics
• Disable all peripheral ports
• Each feature must have a clear business need, or turn it off
• Enable ports and features only after a risk assessment
• Have management accept any residual risk
• Enable hard drive encryption
• Enable memory wipe after each job
• Limit emails to internal addresses only
• Change all default accounts/passwords
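The tactics above can be turned into a repeatable check against an exported device configuration. The script below is an added example and is not part of the presentation; the configuration dictionary layout, the default-credential list and the internal mail domain are all constructed assumptions for the illustration.

```python
from dataclasses import dataclass

# Constructed sample values for this illustration, not any vendor's real defaults.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", ""), ("service", "service")}
INTERNAL_DOMAINS = {"example.gov"}  # assumption: the agency's own mail domain

@dataclass
class Finding:
    tactic: str   # which mitigation tactic from the slide is not met
    detail: str   # the specific setting that violates it

def audit_mfd(config: dict) -> list:
    """Return one Finding per mitigation tactic the device configuration violates."""
    findings = []
    # Disable all peripheral ports (USB, Firewire, wireless, ...).
    for port, enabled in config.get("ports", {}).items():
        if enabled:
            findings.append(Finding("Disable peripheral ports", f"{port} is enabled"))
    # Each feature must have a clear business need (recorded as an approval), or be off.
    approved = config.get("approved_features", {})
    for proto, enabled in config.get("protocols", {}).items():
        if enabled and not approved.get(proto, False):
            findings.append(Finding("Feature without business need", f"{proto} enabled without approval"))
    # Encrypt the hard drive that holds copies of scanned, printed and faxed documents.
    if not config.get("hdd_encryption", False):
        findings.append(Finding("Enable hard drive encryption", "persistent storage is unencrypted"))
    # Wipe memory after each job so documents do not linger in the device.
    if not config.get("wipe_after_job", False):
        findings.append(Finding("Enable memory wipe", "job data retained after completion"))
    # Limit scan-to-email destinations to internal addresses only.
    for addr in config.get("email_allowed_destinations", []):
        if addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
            findings.append(Finding("Limit e-mail to internal addresses", f"external destination {addr}"))
    # Change all default accounts/passwords.
    for user, password in config.get("accounts", {}).items():
        if (user, password) in DEFAULT_CREDENTIALS:
            findings.append(Finding("Change default accounts/passwords", f"'{user}' still uses a default password"))
    return findings

# Constructed configuration of one device, as an administrator might export it.
SAMPLE_CONFIG = {
    "ports": {"usb": True, "firewire": False, "wifi": False, "bluetooth": True},
    "protocols": {"ftp": True, "smb": True, "ipp": True},
    "approved_features": {"smb": True, "ipp": True},  # FTP never had a risk assessment
    "hdd_encryption": False,
    "wipe_after_job": True,
    "email_allowed_destinations": ["records@example.gov", "vendor@example.com"],
    "accounts": {"admin": "admin", "operator": "Xk9!tq2-long"},
}
```

Running `audit_mfd(SAMPLE_CONFIG)` yields six findings (two open ports, FTP without approval, no drive encryption, one external e-mail destination, one default password); each one is an item for the risk assessment before the feature is re-enabled or management accepts the residual risk.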
Whether the MFD is Owned or Leased
It’s Still Your Information
Tell them what you’re going to tell them, tell them, then …
… tell them what you just told them
Today’s multi-function printer/device (MFD) is an enterprise-class computer; treat it as such.
Awareness and training are your first layer of defense. Right now, your users (including procurement) do not see the threat.
The MFD of tomorrow will have more features, not less.
Stay with the basics – defense in depth, least privilege, access control, and separation of duties.
Think enterprise (agency and statewide) – Acquire the necessary controls when first purchased. Should DGS-PD only offer MFDs with the necessary security controls built-in?
Where do I go for more information?
Follow the Feds:
http://www.irs.gov/irm/part10/ch03s03.html
http://csrc.nist.gov/publications/PubsSPs.html
http://iase.disa.mil/stigs/checklist/index.html
Follow the Leader:
http://www.oispp.ca.gov/government/default.asp
http://www.pd.dgs.ca.gov/masters/MultifunctionalColorCopier.htm
Cloud Computing
Are the security risks real or just FUD?
Web 2.0 - 2010 and Beyond
State agencies publish directly to Web 2.0, so it must be okay for our users to go there?
Future Risks
Cyber Prophecies
Questions