Auditing Security Controls of Printers, Scanners, and Multifunction Devices
2010 NSAA IT Workshop and Conference
Brian Rue, Chris Gohlke
Go Noles! Go Gators!
Presentation Agenda
• 1st Half
– MFD Functions/Services & Security Weaknesses
• 2nd Half
– Preparing a MFD Audit Program
In the Beginning…
Chester Carlson with the first xerographic apparatus
30’s – Not much to audit
Manual process – Thermal Paper Transfer
Still not much to audit…
The Xerox 914 was the first plain-paper photocopier, using the process of electrophotography.
No USB, no tape drive, no hard drive. It did come with a fire extinguisher due to heat and ignition issues.
The image above shows the channel-attached version of the 9700, as the tape tower isn't present. Under the LS100 terminal, Xerox had placed a modified DEC PDP-11/34. An extra cage contained a few proprietary cards to facilitate the page ripping. There was a Control Data 14" hard drive (the removable platter type) on sliders.
CPU/Memory – Tape Drive added…
• Printer/Copier/Scanner/FAX
• Wired Network Connectivity
• Wireless Networking (Wi-Fi/Bluetooth)
• Removable Memory
• Hard Drives
• Operating System
• Web Server
• User Accounts
• Remote Access
• Landline Connection
• Scan to Network Share or PC
• E-mail Integration
• Web Submission of Print Jobs
• Web Browser
The CBS News Story On YouTube
http://www.youtube.com/watch?v=iC38D5am7go&feature=fvw
Understanding the MFD
MFD > A Server with a Glass Top
MFD Hardware Components
1. Central Processing Unit (CPU)
2. Memory (ROM/RAM/FLASH)
3. Hard Drive
4. Network Card
5. ABGN Wireless Radio
6. Bluetooth Radio
7. USB Connection
8. Analog Modem
9. Multicard Memory Reader
10. LCD/LED Screen
MFD Breakdown
MFD Software
• Operating System – GNU/Linux, VxWorks, Windows NT 4.0 Embedded, Windows XP Embedded, Mac OS X, Sun Solaris, or Vendor Proprietary OS
• Print Engine/Controllers – May be supported by a secondary OS
• Database (PostgreSQL+)
• Drive File System (NTFS/FAT)
• Additional Applications (Document Management – Optical Character Recognition or PDF conversion; Software Development Kits – Sharp OSA, Xerox EIP, HP Open Extensibility Platform; Web Server)
MFD Software Security Issues
• Security patches not applied to operating system and services with discovered vulnerabilities
– Lack of vendor support for security patches
– Software or operating system vulnerabilities may be used to elevate privileges
• Lack of change management procedures
• Memory storage (hard drive, ROM/RAM, flash drive) unencrypted by default
– Hard drive stores spooled and processed jobs in clear text
– MFD RAM stores documents in clear text during and after processing by default
– Flash drives usually contain unencrypted jobs
MFD Services
• Apache Web Server
• Remote Access (Telnet, FTP, HTTP, SNMP)
• Bytecode interpreters or virtual machines for internally hosted third-party applications
• Network service clients for sending documents to different destinations
• Network service servers for receiving documents for print or storage
• Image processing services
MFD Services Security Issues
• Unneeded services left on, increasing the number of potential attack points into the MFD
• Services with security vulnerabilities not patched
• No/limited logging of service activity
MFD Network Communications
• Common Open Ports/Protocols
– HTTP 80/TCP
– SNMP 161/UDP
– LPD Printing 515/TCP
– PDL Printing 9100/TCP
• Protocols
– AppleTalk
– Internet Printing Protocol
– PCL
– HPPCL Printing Protocol
– Telnet
– IPX/SPX
– FTP
– TCP/IP
MFD Network Communication Security Issues
• No firewall rule set for ingress (traffic into the MFD) or egress (traffic out of the MFD) filtering
• MFD does not support the entity’s PKI strategy (no support for CA certificates)
• Print/fax/scan jobs transmitted over network/Internet in clear text
• Unneeded protocols and ports left open
MFD Wireless Access
• Wi-Fi
– WEP
– WPA
  • WPA-PSK
  • WPA-Enterprise
– WPA2
  • WPA2-PSK
  • WPA2-Enterprise
– No Encryption
• Bluetooth
– Prior to Bluetooth v2.1, encryption is not required and can be turned off at any time.
MFD Wireless Security Issues
• Unencrypted wireless connections transmitting documents in clear text (intercepting documents in the air)
• Potential remote attack access point into the MFD
Fax Services
• Fax to memory (disk/disk share)
• Hardcopy fax printouts
• PSTN – analog phone modem connection
MFD Fax Services Security Issues
• Faxes auto-print in an unsecured area
– No authorization required to verify recipient before releasing fax
• Faxes held in unencrypted memory after print
• Lack of logical separation of analog modem from LAN (Ability to enter LAN from modem connection)
Drive Shares
• Network Drive Shares
• Printer Drive Shares
• PC/MAC Shares
• Printer Hard Drive Shares
MFD Shares Security Issues
• No auditee procedures for configuring drive shares
• Undocumented drive shares
• Shares set up without encryption
MFD Management
1. Device Console
2. Web Interface
3. Network client/server enterprise management application
MFD Management Security Issues
• Physical consoles on MFDs set up without pass codes
• Default Web Interface may not require password
• Most devices not configured with user or group accounts to authenticate and authorize
• Limited to no logging of user activity (console logons, patching, administrative functions)
MFD Repair Procedures
Physical Security
1. Conduct a risk assessment to determine whether the use of the MFD and the physical location of the device provide adequate physical security controls.
2. Processing confidential or sensitive data on a device in a common area creates multiple security issues.
Surplus Device Procedures
1. Clean Printer Configuration Files
2. Wipe Drives/Memory
3. Ensure no Sensitive Paper Copies on Glass or in Machine (legacy paper jams)
MFD Certifications/Acts/Contractual Obligations
• National Security Telecommunications and Information Systems Security Policy (NSTISSP) #11
• DOD Directive 8500.1
• Common Criteria (EAL1 to EAL4)
• Gramm–Leach–Bliley Act (GLB)
• Health Insurance Portability and Accountability Act (HIPAA)
• Payment Card Industry – Data Security Standard
Potential Components of an MFD Audit Program
• Network/Server
• Shares
• Wireless
• Access Controls
• Physical Security
• Encryption
• Surplus
• Contracts/Leasing
• Policies and Procedures
A Majority of Which Fall Into Your Normal IT Audit Program
(Diagram: the MFD Audit Program circle sits largely inside the IT Audit Program circle)
Since you probably won’t get a ton of audit hours for MFDs…
Obtain an Understanding and Assess the Risk
• Get an inventory listing
• Inquire
• Observe
• Get manuals
• Search online for common vulnerabilities
Physical Security
• Does the unit have a locking compartment for the hard drive, etc.?
• Is there a physical reset button that will restore the unit to factory default? Is it secured?
• Is the entire unit secured in place, or could it be wheeled out of the building?
• Is output secured?
Device Controls
• Strong password controls at the console?
• Settings/administration locked down to authorized individuals?
• Is the web interface turned on? Does it need to be?
• Are unneeded network services turned on?
• Is wireless on? Does it need to be? Is it secure?
• Logs kept/reviewed of administration functions?
• Are the logs secured?
• Are there security patches for the device and, if so, are they checking for them and applying them in a timely manner?
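The network-communications findings and the device-controls questions above, turned into a repeatable check, as an added example that is not part of the presentation: it scores a constructed MFD inventory record against the slides' criteria (unneeded services, clear-text protocols, console pass code, web-interface password, wireless encryption, admin logging, disk encryption, patching). The record fields, the port-to-protocol names beyond the four ports the deck lists, and the two sample devices are assumptions made for illustration.

```python
"""Audit-checklist evaluator for MFD inventory records (added example; record
fields and sample devices are constructed for illustration, not from the deck)."""
from dataclasses import dataclass

# Well-known ports for the protocols named on the network-communications slide.
PORT_NAMES = {21: "FTP", 23: "Telnet", 80: "HTTP", 161: "SNMP",
              443: "HTTPS", 515: "LPD", 631: "IPP", 9100: "PDL"}
# Services that carry jobs or management traffic in clear text.
CLEARTEXT = {21, 23, 80, 161, 515, 9100}
WEAK_WIFI = {"WEP", "None"}          # "Off" means the radio is disabled


@dataclass(frozen=True)
class MfdRecord:
    name: str
    open_ports: frozenset            # observed on the device (assumed field)
    approved_ports: frozenset        # what the auditee documents as needed
    console_passcode: bool
    web_ui_password: bool
    wifi_mode: str                   # "Off", "WEP", "WPA2-PSK", "WPA2-Enterprise", "None"
    admin_logging: bool
    disk_encryption: bool
    patches_current: bool


def audit(rec: MfdRecord) -> list[str]:
    """Return one finding per failed checklist item; an empty list means clean."""
    f = []
    for p in sorted(rec.open_ports - rec.approved_ports):
        f.append(f"unneeded service open: {p}/{PORT_NAMES.get(p, '?')}")
    for p in sorted(rec.open_ports & CLEARTEXT):
        f.append(f"clear-text protocol exposed: {p}/{PORT_NAMES.get(p, '?')}")
    if not rec.console_passcode:
        f.append("console has no pass code")
    if {80, 443} & rec.open_ports and not rec.web_ui_password:
        f.append("web interface requires no password")
    if rec.wifi_mode in WEAK_WIFI:
        f.append(f"wireless on with weak/no encryption ({rec.wifi_mode})")
    if not rec.admin_logging:
        f.append("no logging of administrative functions")
    if not rec.disk_encryption:
        f.append("spooled jobs stored unencrypted on disk")
    if not rec.patches_current:
        f.append("security patches not applied in a timely manner")
    return f


# Constructed sample inventory (not real devices).
SAMPLE = [
    MfdRecord("copier-lobby", frozenset({23, 80, 161, 515, 9100}),
              frozenset({9100, 443}), False, False, "WEP", False, False, False),
    MfdRecord("copier-finance", frozenset({443, 9100}), frozenset({443, 9100}),
              True, True, "Off", True, True, True),
]

def audit_all(records=SAMPLE) -> dict:
    return {r.name: audit(r) for r in records}

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "->", findings or ["no findings"])
```

Note that even the well-configured device is flagged for raw port 9100, which is the slide's point that print jobs travel in clear text unless the print path itself is protected.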
Data Controls
• Does the device have an option for encrypting/automatically wiping copies after a job prints?
• Did they pay for it?
• Is it turned on?
• If not, why? Do they have a compensating control?
Surplus
• Did they lease or purchase?
• If leased, what rights do they have to wipe the drive? Is it user accessible? Are you going to be able to audit it?
• If purchased, do MFDs fall under their normal PC surplus policies for having devices wiped?
• What about when the device is serviced or parts replaced?
Policies and Procedures
• As always, the above should be covered by a policy and procedure.
Multifunction Device Resources
http://h20338.www2.hp.com/enterprise/downloads/NIST%20SUBMITTED%20Configuring%20Security%20for%20Multiple%20LaserJet,%20Color%20LaserJet,%20and%20Edgeline%20MFPs.pdf
http://www1.lexmark.com/documents/en_us/1_SecurityBrochure.pdf
http://www.office.xerox.com/latest/SECBR-03UA.PDF
http://www.aot-xerox.com/files/content/MFPsecurity.pdf
Questions?