Printer vulnerabilities

Printer vulnerabilities pose data security questions

The recent reports on HP printer vulnerabilities brought the security of IT peripherals into mainstream focus. It is reported that one in every four HP LaserJet printers is still vulnerable to being hacked, infected with malware and then potentially bursting into flames, because people do not bother to update the firmware. Earlier, a vulnerability was discovered in a hard-coded admin account on Samsung and some Dell printers that could be remotely exploited as a backdoor. Some time ago, printer manufacturer Xerox issued a security patch for several models of its WorkCentre multifunction devices to address a critical buffer overflow vulnerability.

Like any other device, a network printer can be an IT nightmare. Printers can be a source of a company’s most timely information, says Gartner Group research vice president Ken Weilerstein, and that proprietary information resides within the printer long after it has been reproduced. Some of this data falls under legal protections for personal data; other data merits protection because it is proprietary.

Security has not been taken seriously for printers and photocopiers, despite the fact that they have been vulnerable to hacking for years and are increasingly smarter and connected to the Internet. Multiple attacks are now possible, including gaining access to sensitive data for corporate espionage or identity theft, transmission of fake and misleading print jobs and faxes, eavesdropping on network traffic, launching a denial of service (DoS) attack, and remotely tampering with the printer’s settings to make unauthorized changes to its configuration. Attacks against printers, although believed to be mostly theoretical, are not unheard of. Most current-day printers are already full-blown computers: they run some flavour of OS (VxWorks, LynxOS, Nucleus, Linux) with an embedded Java VM, a web server, Ethernet and WiFi, a hard disk, a fax board and mailboxes, and they interact with (and so potentially have access to) employees’ RFID badges, smart and swipe cards, fingerprints, PINs and LDAP/domain passwords.

Controls?

Understand the risks that printers and photocopiers pose to your company’s information security. Have a security policy in place. Ensure proper patching and configuration of these devices. Ask a few simple questions when reviewing printer security:

  • Have all default settings been changed, all passwords turned on and all unused protocols turned off?
  • Do unauthorized individuals have access to your sensitive data?
  • Is a printer access policy in place and properly implemented?
  • Do sensitive documents and data remain in your printer’s memory? If so, who can access them?
  • Do all employees have unlimited access to all printing technology? Is there a need-to-know access policy in place to prevent uncontrolled and unmonitored device usage?
  • Are sensitive documents frequently printed and then left unattended at devices? What is the time lag between printing and collection?
  • Is there a job-level tracking policy to record what is being printed, and a process to review those records?
  • Were the security features of printers considered before purchase?
  • Are hard drives removed and retained when the printer is serviced or disposed of?

In addition, the network security review should also include printers, to ensure that proper security features such as encryption are in place.
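A quick technical check for the first question above (default settings changed, unused protocols turned off), and for identifying which device you are dealing with before patching, as an added example that is not part of the original post: a Python script that probes a printer’s well-known TCP service ports, flags any that an assumed print-only policy does not require, and asks the device to identify itself with the standard PJL INFO ID command over port 9100. The port-to-service policy, the hostname and the sample responses are assumptions for illustration; SNMP (UDP/161) is not covered by the TCP probe and needs a separate check.

```python
"""Audit a network printer for exposed services and identify it over PJL.

Added example, not code from the original post. The service policy below,
the hostname in __main__ and the sample PJL response are constructed for
illustration; adjust the policy to the site's own printer access policy.
"""
import socket
from typing import Dict, List, Optional

# TCP services commonly exposed by network printers and multifunction devices.
# "needed" is an ASSUMED policy for a print-only deployment: IPP over 631 and
# raw/JetDirect 9100 for printing, HTTPS for administration; everything else off.
PRINTER_SERVICES = {
    21:   ("ftp",       False),  # file upload to the device; rarely needed
    23:   ("telnet",    False),  # cleartext admin console
    80:   ("http",      False),  # cleartext embedded web server; use 443 instead
    443:  ("https",     True),   # embedded web server over TLS
    515:  ("lpd",       False),  # legacy line-printer daemon
    631:  ("ipp",       True),   # Internet Printing Protocol
    9100: ("jetdirect", True),   # raw print / PJL; unauthenticated, so restrict it by network ACL
}

# PJL Universal Exit Language sequence that brackets every PJL command.
UEL = b"\x1b%-12345X"


def tcp_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_printer(host: str, ports=PRINTER_SERVICES) -> Dict[int, bool]:
    """Probe each policy port and record whether it is open."""
    return {port: tcp_open(host, port) for port in ports}


def assess(open_ports: Dict[int, bool], policy=PRINTER_SERVICES) -> List[str]:
    """Compare a scan result against the policy and return human-readable findings."""
    findings = []
    for port in sorted(open_ports):
        if port not in policy:
            continue
        name, needed = policy[port]
        if open_ports[port] and not needed:
            findings.append(f"port {port}/{name} open but not required: disable it")
    # Cleartext web admin with no TLS alternative is worth calling out separately.
    if open_ports.get(80) and not open_ports.get(443):
        findings.append("embedded web server reachable only over cleartext http: "
                        "enable https before disabling http")
    return findings


def parse_pjl_info_id(data: bytes) -> Optional[str]:
    """Extract the quoted identification string from a '@PJL INFO ID' response.

    A typical response looks like: @PJL INFO ID\\r\\n"HP LaserJet 4250"\\r\\n<FF>
    where <FF> (0x0c) terminates the reply. Returns None if the reply is not PJL.
    """
    text = data.decode("ascii", errors="replace")
    _, found, body = text.partition("@PJL INFO ID")
    if not found:
        return None
    for line in body.splitlines():
        line = line.strip().strip("\x0c")
        if len(line) >= 2 and line.startswith('"') and line.endswith('"'):
            return line[1:-1]
    return None


def pjl_info_id(host: str, port: int = 9100, timeout: float = 3.0) -> Optional[str]:
    """Send '@PJL INFO ID' to the raw print port and return the device's identity."""
    query = UEL + b"@PJL INFO ID\r\n" + UEL
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(query)
            while b"\x0c" not in data:          # form feed ends an INFO reply
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    return parse_pjl_info_id(data)


def audit(host: str) -> Dict[str, object]:
    """Scan, assess and identify one printer; returns a small report dict."""
    ports = scan_printer(host)
    return {"host": host, "identity": pjl_info_id(host) if ports.get(9100) else None,
            "findings": assess(ports)}


if __name__ == "__main__":
    # Hostname is an assumption; point it at a printer you are authorised to test.
    report = audit("printer-1.example.internal")
    print(report["host"], "identified as", report["identity"])
    for finding in report["findings"]:
        print(" -", finding)
```

Run it against one printer at a time from the print VLAN; a device that answers INFO ID on 9100 from an arbitrary workstation is itself a finding, because the same port accepts print jobs and configuration changes without authentication.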


Data breaches are more expensive now!

Sony fined £250,000 after millions of UK gamers’ details compromised

The entertainment company Sony Computer Entertainment Europe Limited has received a monetary penalty of £250,000 (approx US$390,000) from the Information Commissioner’s Office (ICO) following a serious breach of the Data Protection Act.

The penalty comes after the Sony PlayStation Network Platform was hacked in April 2011, compromising the personal information of millions of customers, including their names, addresses, email addresses, dates of birth and account passwords. Customers’ payment card details were also at risk.

An ICO investigation found that the attack could have been prevented if the software had been up-to-date, while technical developments also meant passwords were not secure.

David Smith, Deputy Commissioner and Director of Data Protection, said:

“If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority. In this case that just didn’t happen, and when the database was targeted – albeit in a determined criminal attack – the security measures in place were simply not good enough.
“There’s no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.
“The penalty we’ve issued today is clearly substantial, but we make no apologies for that. The case is one of the most serious ever reported to us. It directly affected a huge number of consumers, and at the very least put them at risk of identity theft.
“If there’s any bright side to this it’s that a PR Week poll shortly after the breach found the case had left 77 per cent of consumers more cautious about giving their personal details to other websites. Companies certainly need to get their act together but we all need to be careful about who we disclose our personal information to.”

Following the breach, Sony has rebuilt its Network Platform to ensure that the personal information it processes is kept secure.

Small data breach draws big fine, signals need for encryption

Just two weeks ago, a non-profit healthcare provider was slapped with a $50,000 fine by the Department of Health & Human Services (HHS) for violating the HIPAA Security Rule, after losing an unencrypted laptop containing the sensitive personal information of 441 patients. This is the first HHS penalty for a data breach involving fewer than 500 victims. For small healthcare providers, this signals an escalation in the consequences of a data breach, as organizations will be held accountable regardless of size. A fine of $50,000 is a lot of money for a small practice, especially a non-profit provider.

Big Data Revolution

Be prepared for the Big Data revolution, says RSA

RSA, the Security Division of EMC, has released a security brief asserting that Big Data will be a driver for major change across the security industry and will fuel intelligence-driven security models. Big Data is expected to dramatically alter almost every discipline within information security. The brief predicts that Big Data analytics will likely have a market-changing impact on most product categories in the information security sector by 2015, including SIEM, network monitoring, user authentication and authorisation, identity management, fraud detection, and governance, risk and compliance systems.

Authors of the brief assert that changes driven by Big Data have already begun. This year, leading security organisations will deploy commercial, off-the-shelf Big Data solutions to support their security operations. Previously, the advanced data analytics tools deployed within SOCs were custom-built, but 2013 marks the beginning of the commercialisation of Big Data technologies in security, a trend that will reshape security approaches, solutions, and spending over the coming years.

Longer term, Big Data will also change the nature of conventional security controls such as anti-malware, data loss prevention and firewalls. Within three to five years, data analytics tools will further evolve to enable a range of advanced predictive capabilities and automated real-time controls.
