Is this a copier? Is this a printer? Is this a facsimile? Is this a computer? Is this a threat? A Security Tour of the Typical Multi-Function Printer/Copier/Fax (MFD) Presented by: Patrick McGuire State Board of Equalization

Post on 12-Jan-2016


TRANSCRIPT

Page 1: Is this a copier? Is this a printer? Is this a facsimile? Is this a computer? Is this a threat? A Security Tour of the Typical Multi-Function Printer/Copier/Fax

Is this a copier?

Is this a printer?

Is this a facsimile?

Is this a computer?

Is this a threat?

A Security Tour of the Typical Multi-Function Printer/Copier/Fax

(MFD)

Presented by: Patrick McGuire State Board of Equalization

Page 2

From the typical user’s perspective, the MFD is:

Familiar and friendly

Out in the open work area with no restrictions

Plugs into the wall just like my reading lamp at home

The jovial copier guy is always good for a joke or a story

I push a button, it hums, then it does something – makes a copy

From the typical user’s perspective, the server is:

Scary and cold

Behind a cage, in a locked room, that few people are allowed to enter

Special power, temperature, humidity, and fire suppression

The geek has few social skills and never makes eye contact

Let me see what happens when I push and hold down that button

Page 3

So, where’s the RISK? It’s all about the data.

Asset Value – do your documents contain Confidential, Sensitive, or Personal (C/S/P) information?

Threat – the loss of custody and control of the information

Vulnerability – open peripheral ports, persistent storage, e-mail client, File Transfer Protocol (FTP) client, wireless protocols

Probability – absent security controls, a breach is likely

Impact – reputation loss, hard dollar costs associated with Civil Code 1798.29 notifications

Contingencies – rapid incident response, support contract, classify as an IT asset

Residual Risk – absent security controls, the risk is unacceptable

Mitigation – What steps can we take to reduce the risks?

Page 4

Do you see any vulnerabilities below?

Page 5

Software Vulnerabilities

Page 6

Software Vulnerabilities

Page 7

Threat Vectors

Data Storage

-- Hard Drive

-- Flash memory

-- Removable storage – floppy, CD-ROM

Data transmission

-- Email

-- SMB (file sharing)

-- FTP

Numerous connection points

-- USB, Firewire

-- Ethernet, POTS (telephone modem)

-- Wireless – WiFi, Bluetooth, InfraRed

-- Human Computer Interface (HCI)

Page 8

Risk Management – Suggested Mitigation Strategies

• Add to your security awareness program
• Train your procurement staff
• Make the vendor accountable
• Regulate the vendor’s behavior through solid contract language
• Include in your internal audit program (FISMA)
• Add to your risk management program (SAM 5305)
• Stay aware of new features and capabilities
• Assume C/S/P information will be exposed
• Although today it’s not networked, tomorrow that will change
• Add to your end of life program for proper disposal
• Make part of your IT program, most suited to manage technical risk
• Add to your penetration testing methodology
• Stay on top of upgrades and security patches
• Request, then support, State of California standards (DGS-PD)

Page 9

Risk Management – Suggested Mitigation Tactics

• Disable all peripheral ports
• Each feature must have a clear business need, or turn it off
• Enable ports and features only after a risk assessment
• Have management accept any residual risk
• Enable hard drive encryption
• Enable memory wipe after each job
• Limit emails to internal addresses only
• Change all default accounts/password
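Added example, not part of the presentation: a small Python check that applies the Page 9 tactics to a constructed MFD configuration export and audits constructed scan-job log lines for the Page 7 transmission vectors (email, SMB, FTP) reaching destinations outside the agency. The configuration field names, the log format, the internal mail domain and the internal address range are all assumptions.

```python
import re
from ipaddress import ip_address, ip_network
INTERNAL_DOMAIN = "example.gov"              # assumed internal mail domain
INTERNAL_NETS = [ip_network("10.0.0.0/8")]    # assumed internal address space
DEFAULT_CREDS = {("admin", "admin"), ("admin", ""), ("service", "service")}  # constructed
# Constructed MFD configuration export; the field names are hypothetical.
SAMPLE_CONFIG = {
    "usb_host_port": "enabled", "hdd_encryption": "disabled",
    "job_memory_wipe": "enabled", "ftp_client": "enabled", "smb_client": "enabled",
    "admin_user": "admin", "admin_password": "admin",
}

def check_config(cfg):
    """Return one finding per Page 9 tactic the configuration does not meet."""
    findings = []
    if cfg.get("usb_host_port") != "disabled":
        findings.append("peripheral port enabled: usb_host_port")
    if cfg.get("hdd_encryption") != "enabled":
        findings.append("hard drive encryption disabled")
    if cfg.get("job_memory_wipe") != "enabled":
        findings.append("memory wipe after each job disabled")
    for feature in ("ftp_client", "smb_client"):   # each needs a clear business need
        if cfg.get(feature) == "enabled":
            findings.append(f"{feature} enabled without documented business need")
    if (cfg.get("admin_user"), cfg.get("admin_password")) in DEFAULT_CREDS:
        findings.append("default administrator credentials in use")
    return findings

# Constructed scan-job log lines in a hypothetical MFD syslog format.
SAMPLE_LOG = """\
2016-01-12T09:01:03 MFD-3F scan-to-email job=101 to=alice@example.gov pages=4
2016-01-12T09:04:40 MFD-3F scan-to-email job=102 to=bob@mail.example.net pages=12
2016-01-12T09:07:15 MFD-3F scan-to-ftp job=103 host=10.20.1.5 pages=3
2016-01-12T09:09:58 MFD-3F scan-to-smb job=104 host=203.0.113.9 pages=40
"""
LOG_RE = re.compile(r"scan-to-(\w+) job=(\d+) (?:to=(\S+)|host=(\S+)) pages=(\d+)")

def audit_log(text):
    """Return (job, protocol, destination) for jobs leaving the internal domain/nets."""
    external = []
    for m in LOG_RE.finditer(text):
        proto, job, rcpt, host, pages = m.groups()
        if rcpt is not None:                      # scan-to-email: check the domain
            domain = rcpt.rsplit("@", 1)[-1].lower()
            inside = domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN)
        else:                                     # scan-to-ftp/smb: check the address
            inside = any(ip_address(host) in net for net in INTERNAL_NETS)
        if not inside:
            external.append((int(job), proto, rcpt or host))
    return external
```

On the constructed input the configuration check reports five unmet tactics and the log audit flags jobs 102 and 104, the two that left the internal domain and address space.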

Page 11

Tell them what you’re going to tell them, tell them, then …

… tell them what you just told them

Today’s multi-function printer/device (MFD) is an enterprise-class computer; treat it as such.

Awareness and training are your first layer of defense. Right now, your users (including procurement) do not see the threat.

The MFD of tomorrow will have more features, not less.

Stay with the basics – defense in depth, least privilege, access control, and separation of duties.

Think enterprise (agency and statewide) – Acquire the necessary controls when first purchased. Should DGS-PD only offer MFDs with the necessary security controls built-in?

Page 12

Where do I go for more information?

Follow the Feds:

http://www.irs.gov/irm/part10/ch03s03.html

http://csrc.nist.gov/publications/PubsSPs.html

http://iase.disa.mil/stigs/checklist/index.html

Follow the Leader:

http://www.oispp.ca.gov/government/default.asp

http://www.pd.dgs.ca.gov/masters/MultifunctionalColorCopier.htm

Page 13

Future Risks – Cyber Prophecies

Cloud Computing – Are the security risks real or just FUD?

Web 2.0 - 2010 and Beyond – State agencies publish directly to Web 2.0, so it must be okay for our users to go there?

Page 14

Questions