Is Your Printer Out to Get You?

Non-PC network devices pose a growing threat to your data security


Your company has invested heavily in IT security. All the protections IT has recommended have been purchased and put in place. You feel confident that the company's electronic data is secure. But is it? What about all those non-PC networked devices lying around? Are they safe?

Printers, scanners, video cameras, anti-spam and anti-spyware appliances, VoIP devices, and other network-aware devices represent a growing threat. Many newer models of these devices are equipped with large hard drives (60GB or more), powerful Pentium processors, and versions of popular operating systems like Linux or Windows.

Some of them contain few or no hardware controls, but are configured and controlled via Web servers on the hard drive, with access and control via a Web-based GUI. Since these devices are connected to the network, hackers can use them to gain access to confidential information. For example, a printer or scanner's hard drive stores copies of its output—output that may include copies of medical records, bank account information or social security numbers.

The Non-PC Threat

Many organizations have purchased powerful firewalls, in-line intrusion prevention systems, SSL (Secure Sockets Layer) VPNs and anti-spam appliances over the past several years. Many older non-PC devices might have been running VxWorks or another embedded operating system with no hard drive and limited processor power. However, while they still look like dedicated devices on the outside, many newer devices are more like PCs on the inside.

Run a quick search on hacker and security Web sites, blogging sites, or underground IRC chat boards, and you'll find a treasure trove of information about how to access confidential information through non-PC devices. My observation of IT buzz shows that these attack attempts are becoming more frequent as the security screws have tightened around PCs and as non-PC devices have changed.

Unfortunately, most security policies and systems do not deal with the vulnerabilities of these devices. According to Amol Sarwate, director of vulnerability research labs at vulnerability scanner maker Qualys, “These devices are not really monitored. They are widely considered ‘stupid devices,’ so they are not in the security policy, and they remain under the security radar.”

The result? Most organizations have poor defenses against attacks that use non-PC devices to gather information that might have originated on PCs or servers. “It's very important to identify these devices and [their security] issues,” said Max Caceres, product manager for penetration testing software vendor Core Security.

How might this information be accessed? Many printers have hard drives that store confidential documents in the printing queue. The Web filter appliance could be running Linux and Apache for device access and control. Video surveillance camera output may inadvertently become accessible from the public Internet, exposing images that should not be public. Your new anti-spam appliance may be a mail server that stores and forwards e-mail before it is sent along to the organization's existing e-mail server.

Protect Through Best Practices

Now is the time to look at the potential security vulnerabilities of non-PC devices. Where should you start? Since there are many different types of non-PC devices, how do you begin to create management systems that are appropriate for them all?

The best approach is to apply security standards to these issues. For example, the best practice of “complete mediation” is appropriate here. Complete mediation means that all potential entry points are to be identified and controlled. Mediation points are the systems and procedures that control access to entry points. You must eliminate all back doors and similar access points to achieve complete mediation.

Another important principle is that a security system must not rely upon the “obscurity of the mechanism.” In other words, you can't assume that data is secure because it resides in a device or system that's rare or hard to access. Obscure systems are still considered susceptible to attack.
