Avoid "Replicating" Your Security Exposures
March 4, 2015
Some time back, while working for a company, I was approached by three different people in the same week who were concerned about the security of information stored on the copier hard drives. I had to chuckle to myself a bit because there were so many other security exposures easier to exploit that the copiers were low on the list.
That being said, replication devices do pose a growing security risk. In our age of hackers exploiting just about every network-connected device, this class of office equipment can no longer be ignored. It seems that the National Institute of Standards and Technology (NIST) agrees, because they released report 8023 on this topic just last month.
Reading the NIST 8023 report is a good cure for insomnia, so I have spared you the pain (and I got an hour nap in the process). The primary concerns stated in the report are:
Default admin passwords allow unauthorized access (I don't recall ever working on a commercial copier that did not have the default password).
Storage or transmission of data without encryption could lead to the capture of confidential information.
Denial of service - copiers can be hacked, and disabled by the hacker, leaving them unavailable for use (it is amazing how a down copier can still bring an office to its knees).
Unpatched operating systems and firmware. Just like PCs, copiers can have vulnerabilities. The OS and firmware are rarely updated by the copier maintenance folks to correct these issues.
Since most modern copiers have email capabilities, they can be used to propagate spam.
Internet accessibility. Replication devices are often Internet accessible, and therefore can be used as a gateway for unauthorized access to internal network resources.
Hard drive disposal. If a copier with an internal hard drive or storage device goes off lease or is otherwise disposed of, it is possible to capture documents from the storage device. Shorter term, someone with access to your facility could actually steal your hard drive.
Wireless capability can allow people outside of the facility to access the internal network.
Now, if my network did not have a firewall, malware protection, or other key security elements, I would not ignore those to secure my copiers. They need to be somewhere on your to-do list, however.
NIST provides a long list of recommendations about how to properly secure replication devices. I will attempt to break them down into some common sense suggestions below.
Securing a replication device begins at the time you acquire it. You need to confirm that it has certain features, including:
Lockable hard drive or storage device, requiring a key for removal.
OS and firmware upgradable by internal staff, rather than having to depend on the service tech.
Encryption of data at rest and during transmission.
Ability to overwrite data on the storage device, such that newer copied and scanned documents overwrite the older ones.
Audit trail for device events.
Availability of WPA2 or better wireless protocols.
These features should be verified during the sales cycle, and should impact your selection process.
Once you have a replication device, there are important related elements to include in your operating procedures:
The device's admin credentials should be changed (by you and not the tech) during installation.
Periodically check for new firmware, and apply as available. If you end up with a device that is not user upgradable, stay on top of available updates, and make sure your service company applies them.
If your device has overwrite capability, enable it. Enable encryption, assuming it is available.
Set up appropriate wireless security.
Use secure email settings.
Enable event auditing. Monitor the logs, and tie them to your log consolidation software, if you have it.
Monitor the copier technician while the machine is being maintained.
Upon disposal, reset passwords to default, and purge or destroy any non-volatile storage.
Disable the copier's ability to "phone home" to the maintenance company.
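The operating procedures above can be turned into a repeatable check over a device inventory. The following is an added example, not part of the original post or the NIST report; the inventory field names, the sample records, and the 90-day firmware review interval are assumptions.

```python
from datetime import date

FIRMWARE_REVIEW_DAYS = 90             # assumption: what "periodically" means here
ACCEPTED_WIRELESS = {"WPA2", "WPA3"}  # "WPA2 or better"
TODAY = date(2015, 3, 4)              # constructed audit date

# (hypothetical inventory field, passing value, finding text)
REQUIRED_SETTINGS = [
    ("admin_password_changed", True, "default admin credentials in place"),
    ("storage_encryption", True, "data at rest not encrypted"),
    ("transport_encryption", True, "data in transit not encrypted"),
    ("overwrite_enabled", True, "storage overwrite disabled"),
    ("secure_email", True, "email settings not secured"),
    ("audit_logging", True, "event auditing disabled"),
    ("phone_home", False, "phone-home to maintenance company enabled"),
    ("internet_accessible", False, "reachable from the Internet"),
]

def audit_device(device, today):
    """Return the list of findings for one inventory record."""
    findings = []
    for field, expected, text in REQUIRED_SETTINGS:
        # A missing field is a finding too: unknown is not the same as safe.
        if device.get(field) is not expected:
            findings.append(text)
    wifi = device.get("wireless")  # None means the radio is switched off
    if wifi is not None and wifi not in ACCEPTED_WIRELESS:
        findings.append(f"weak wireless security ({wifi})")
    checked = device.get("firmware_checked")
    if checked is None or (today - checked).days > FIRMWARE_REVIEW_DAYS:
        findings.append("firmware review overdue")
    return findings

def audit_fleet(inventory, today):
    """Map each device name to its findings; an empty list means compliant."""
    return {d["name"]: audit_device(d, today) for d in inventory}

# Constructed sample inventory (not real devices).
HARDENED = dict(
    name="copier-2f", admin_password_changed=True, storage_encryption=True,
    transport_encryption=True, overwrite_enabled=True, secure_email=True,
    audit_logging=True, phone_home=False, internet_accessible=False,
    wireless="WPA2", firmware_checked=date(2015, 2, 1))
AS_DELIVERED = {**HARDENED, "name": "copier-lobby", "admin_password_changed": False,
                "wireless": "WEP", "phone_home": True, "firmware_checked": None}

if __name__ == "__main__":
    for name, findings in audit_fleet([HARDENED, AS_DELIVERED], TODAY).items():
        print(name, "->", findings or "compliant")
```
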
As this class of devices expands to include 3D printers and similar technology, they will likely become a more attractive target for hackers. It is important to establish policies and procedures up front that will allow you to stay on top of the problem as new devices are acquired.
If you have managed to slog through the above details, and made it to this point, you deserve some fun. So, unplug your office copier, put a sign on it saying "Now Voice Activated", and sit back and enjoy the fun.