Reduce Data Security Risks by Understanding How OEMs Secure Devices You Sell and by Implementing Best Practices
The entry point was the company’s website. Behind the pretty pictures, alluring copy, and links to other pages was a little gap in the code, an open door that gave access to the entire organization. Some pathways led to human resources and the complete records of every employee. That was interesting!
But even better was unfettered access to the CRD and every one of the hallway, departmental, and personal MFPs in the enterprise. The machines’ unused network ports were as wide open as the entrance to New York’s Holland Tunnel on a Sunday morning, and beyond that entry point was every document the company had copied, printed, or faxed in the past five years, all available for retrieval and examination. Another ten years of materials were carefully indexed and archived. As the intruders exfiltrated a myriad of information, they were looking forward to a fat payday from the company paying for their incursion into a competitor’s inner workings.
Across town, a separate group of bad guys came in through the printers in the hallways of an office building that contained three up-and-coming businesses. Each machine had its own IP address with passwords like “1 2 3 4” or “admin.” These gave the bad actors access to a host of private information about the companies and their products. The interlopers all vanished without a trace, with a few terabytes of private information in their clutches and malware installed on the computer systems.
Worried Yet?
If either of these scenarios, which are based on real events, doesn’t scare you or your customers, it should. Data security is one of the greatest threats businesses face, with internet-connected copiers, printers, and MFPs being some of the most vulnerable access points for people with less than honorable intentions. And no, the “errors and omissions” part of your insurance policy will not necessarily cover the resultant losses of such intrusions at your customers.
“Hackers look to exploit any weakness,” said John Thiessen, senior product marketing manager at Ricoh USA, Inc. “These can be in networks, gaps in data security, or through printers and copiers.”
Breaches that make the 6 o’clock news, like the recent one at Starwood and Marriott, get coverage because of their size and the big-name victims, but smaller intrusions happen every day because executives at many (perhaps even most) companies don’t think their firms are likely candidates for unauthorized access. Moreover, the smaller the company, the less likely an unauthorized intrusion is to make the news. And no firm wants to go public with the fact they were hacked.
“It’s not limited to data being stolen,” noted Thiessen. “Hacking a system can simply be a money-generating ploy. A hacker can break into a system, lock out authorized users, and hold data hostage under threat of destruction until a ransom is paid.”
This can be through automated ransomware installed on a victim’s computer system, code that blocks access to files, or outright exfiltration (stealing) of data. Perhaps ironically, the ransom may not even be for a large amount of money. It can be for $10,000 or $20,000, amounts many firms view as acceptable and cheaper than trying to recreate or restore the data. Yet, a hacker doing this a couple times a month at several smaller companies can develop a nice income stream.
According to Canon, multifunctional devices and any other office equipment connected to the world outside a company office can be a compelling target for exploitation when breaching a company’s perimeter. Then, when the after-the-intrusion data forensics point to printers in a CRD or hallways as the access points, copier and printer dealers may find themselves in some uncomfortable conversations. You probably don’t want to be there.
A Digital Document is Forever
“Business owners need to be on top of the challenges of data security,” said John Slaney, chief technology officer at Content Critical Solutions, a transactional service bureau in Moonachie, New Jersey. “It’s a moving target and the difficulties are getting greater almost every day. A paper document is gone when it hits the shredder. But a digital document is forever.”
When a PDF or Microsoft Office document is created and sent to a CRD or hallway printer, the pages leave a trail that can be easily followed by people who know what to look for. Very often, documents are stored in places where they can be retrieved, re-printed, and downloaded, even remotely, by anyone with access to the network on which the printer resides. To help combat this, some systems are designed to immediately encrypt or even destroy a file as soon as it is printed. This is not necessarily a default setting, though, so it is critical that every connected printer, copier, or multifunction device be properly protected against outside threats.
“One of the challenges is ‘latent data’ on machines,” explained Thiessen. “This is data that is on every printer’s hard drive after a job has printed.” He stated that Ricoh’s machines create image processing files, File Allocation Tables (FAT), in volatile RAM so after the file has completed printing, the FAT is automatically deleted so there is no record of where on the hard drive the image was processed. Additionally, if the system’s overwrite capability is enabled, the sector of the hard drive used for image processing would be overwritten to destroy the image file before the FAT was deleted. This helps to make recovery of latent data extremely difficult, if not impossible.
Vendors Take the Point Position
Ricoh is not alone in defending the data that lands on its customers’ printers. The company’s multifunctional devices include extensive security features intended to help organizations “harden” their print fleet. Canon also works to help customers close unused communication ports, encrypt hard-disk drives, and use data-flow protocols to help minimize the exposure of networked devices. Because this may be beyond the scope of a printer/copier dealer’s technical staff, vendors’ field engineers can be brought in to help end-customers take steps to protect document workflows without compromising workforce productivity and efficiency.
Similarly, Konica Minolta recently announced a battery of tests conducted by NTT Data Services that attempted to crack KM’s popular bizhub line of MFPs. According to Konica Minolta, the tests went after data stored on the hard drive, and attempted infiltration of the network via MFPs, fax ports, and USB drives. Data extraction failed and the stored information remained intact.
“Questions from our partners and customers regarding the security of our MFPs dropped from a few times per week to zero since the tests,” noted Dino Pagliarello, vice president for product management and planning at Konica Minolta.
Also taking security seriously is Xerox, long a mainstay of office and corporate printing. Xerox employs a variety of strategies to harden its printers and multifunction machines against unwanted intrusions. Its devices are equipped with multiple secure print features and software that protects customers’ sensitive data, whether it is shared locally or in the cloud.
Inside Agents
No one wants to admit that some threats may come in the front door every day. But it happens, so to every extent possible, keep people off your network, unless they really need to be there.
It’s easy for employees, for whatever reason, to be bad actors and deliberately pirate data. Employees have access to your system, but it’s important to limit how much access any individual may have.
Complex passwords that are changed frequently and multiple-factor authentication are all relatively easy-to-implement measures to keep people from deliberately (or even inadvertently) accessing proprietary data on a network. But because all employees still have access to printers, copiers, and MFPs, those access points should be hardened against internal attacks. This includes the ubiquitous little USB ports on virtually every print engine. A cheap, throw-away USB stick can be used to load malware or capture data almost invisibly, opening the door to internal and external intrusions. Some companies go so far as to disable USB ports on all devices, including company-owned computers, to prevent unauthorized access via these seemingly innocent sockets that are present on nearly every device.
So What Do You Do?
Threats are everywhere, and equipment vendors are all working hard to make it difficult for people with less than honorable intentions to access your network or those of your customers. The internet makes it harder to develop and implement ironclad protection, which is why equipment vendors have people working full-time on ways of keeping the bad guys out.
It’s especially important to be diligent about service and maintenance. Be sure to always upgrade or update the firmware on every device. Most firmware is routinely updated to include new or improved security features and can be a first line of defense against intruders.
Moreover, take a proactive approach to security. Slaney of Content Critical Solutions encourages companies to work with a professional security-auditing firm to look at all systems and controls.
“Go to a security consultant,” he urged, “not your accountant. A security company can tell you exactly where you are exposed, why, and how to best handle it. Begin with internet access, then go progressively deeper inside your firm.”
As you do so, you may be very surprised by what you find and need to change. Especially, realize this is not a one-time deal. A security audit should be part of an annual look at your networks, as well as all the printers, copiers, and MFPs that connect to the internet or your internal network. The bad guys aren’t taking time off, so neither can you.