Let’s face it, fax machines may have been granted immortality. Since Xerox first invented the technology in 1964, fax machines were used extensively by businesses as a primary means to securely move information in the days before email. The reasons were vendor-independent standards, perceived security, and workflow simplicity: call – answer – handshake – scan – transmit – print. Information in the form of light and dark patterns was transmitted along any telephone connection to another device, which would print the image on paper. The process was relatively secure, provided the communications path remained protected.
Once installed, these devices were often forgotten by management except for the consumables – just add paper and occasionally toner. From a security manager’s perspective, telecommunications systems and the cabling were kept behind locked doors to protect against the obvious threats, and therefore the technology was thought to be secure. Compliance officers intuitively assumed that the biggest risk was sending faxes to the wrong location, or losing faxes when they either failed to print or were picked up by someone else. Other than the inconvenience factor, there were few consequences of failure. Organizations generally didn’t worry about unauthorized physical access to these devices since they were kept in back-office areas.
Fast forward several decades and we see that businesses still use fax machines because they have advanced technologically while retaining many of the basic steps (call – answer – handshake – transmit). A feature pin in the form of pre-programmed phone numbers was added to reduce misdirected faxes; however, this does not address the new security and privacy risks. Computer-based fax applications also mean that end users can enter the recipient’s phone number from a directory, so detecting a changed or misdirected fax became harder. The multi-function devices (MFDs), e.g., printer-fax-scanners, we see in today’s business environments have eliminated the need to print information before transmission but introduce new risks because these same devices can store massive amounts of data locally. This change to the security threat model highlighted the importance of controlling both physical and logical access, just as with other computers. Unfortunately, this is where many organizations fail to protect these devices, because the management model is still based on assumptions formulated in the telecommunications era rather than the information technology era.
Exploring Differences in the Threat Model Over Time
Security executives and compliance officers should consider adapting their security management model to address the new risks with fax machines and the multi-function devices with scan, copy, fax, and print features that have replaced the fax over time. To start this process, it will be necessary to identify all the threat sources to any sensitive information being created, stored, transmitted, or printed. One framework to help with this process is the National Institute of Standards and Technology (NIST) Cybersecurity Framework, or CSF. The five objectives in this CSF (Identify, Protect, Detect, Respond, and Recover) offer insight into what is needed.
The first step in protecting fax and MFD devices is to identify all assets. Not only is it important to know what equipment is installed, but also to document where it is installed. It is also important to track the software versions and user accounts to determine who has access to the administrative features. Don’t overlook the third-party maintenance technicians’ access.
With that inventory, it will be necessary to understand how threats can compromise either the device or the information stored on the device. The first layer of defense should be physical access, which can be controlled by placing the devices in relatively secure areas that are not accessible to visitors and unescorted guests. Physical security controls should also extend to the network and telecommunications paths, especially when sensitive data is present. Don’t forget that hard drives within these MFDs can contain tens of thousands of pages of information, so consider encryption options when replacing your current fleet.
On the technical side, many organizations have overlooked the fact that MFDs also require software updates, like the monthly patches issued by Microsoft for the laptops and servers. Unless you have incorporated software updates into the standard patching procedures, there is a good possibility that MFDs in your organization have unaddressed security vulnerabilities. Don’t forget that the default user accounts need to be changed. Security executives would not tolerate having laptops and servers used on the corporate network with the default “SA + SA,” but may be unaware that the MFDs have the same vulnerabilities.
One question every security executive should ask is, “How will I know if a vulnerability is present in our MFDs?” Another question is, “Are we looking to see who is accessing our devices and from where?” One solution is to collect network traffic between the MFD and external sources. Set up alerts so that access from unknown sources, and especially IP addresses outside your firewall, is reported and investigated. It may be a sign that your MFD has been hacked and is being used to exfiltrate data. It also may mean that the device is performing automatic updates. Unless your organization is watching this data flow, you are at risk.
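One way to implement the alerting described above, as an added example that is not part of the original article: the script reads flow records and reports any MFD traffic to or from an external address that is not on an approved list. The device inventory, address ranges, approved update range, and flow records are all constructed for illustration, and the CSV column names are assumptions about what a flow collector would export.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumed inventory and policy (hypothetical values in private/documentation ranges).
MFD_HOSTS = {"10.20.5.11": "MFD-3rd-floor", "10.20.5.12": "MFD-records-office"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Vendor update endpoints the organization has verified and approved (constructed).
APPROVED_EXTERNAL = [ipaddress.ip_network("198.51.100.0/28")]

# Constructed flow records: timestamp, source, destination, destination port, bytes.
SAMPLE_FLOWS = """\
ts,src,dst,dport,bytes
2024-03-01T02:00:05Z,10.20.5.11,198.51.100.4,443,52000
2024-03-01T02:14:40Z,10.20.5.12,203.0.113.77,21,48811200
2024-03-01T09:31:02Z,10.20.9.40,10.20.5.11,9100,120400
2024-03-01T11:02:19Z,192.0.2.50,10.20.5.12,80,3100
2024-03-01T11:05:55Z,10.20.5.12,203.0.113.77,21,9920000
"""

def _in_any(ip, nets):
    return any(ip in net for net in nets)

def find_suspect_flows(flow_csv):
    """Return alerts for MFD traffic to or from unapproved external addresses."""
    totals = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        # Check the record twice: MFD as sender (outbound) and as receiver (inbound).
        for mfd_field, peer_field, direction in (("src", "dst", "outbound"),
                                                 ("dst", "src", "inbound")):
            if row[mfd_field] not in MFD_HOSTS:
                continue
            peer = ipaddress.ip_address(row[peer_field])
            if _in_any(peer, INTERNAL_NETS) or _in_any(peer, APPROVED_EXTERNAL):
                continue  # internal print job or approved update traffic
            key = (MFD_HOSTS[row[mfd_field]], direction, str(peer), int(row["dport"]))
            totals[key]["flows"] += 1
            totals[key]["bytes"] += int(row["bytes"])
    alerts = [{"device": k[0], "direction": k[1], "peer": k[2], "dport": k[3], **v}
              for k, v in totals.items()]
    # Largest transfers first: bulk outbound data is the exfiltration signal.
    return sorted(alerts, key=lambda a: a["bytes"], reverse=True)

if __name__ == "__main__":
    for alert in find_suspect_flows(SAMPLE_FLOWS):
        print(alert)
```

Keeping the approved list explicit is what separates the automatic-update traffic mentioned above from traffic that needs investigation: an update endpoint that has not been verified still raises an alert.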
Misdirected faxes should also trigger an investigation, as these too have the potential to violate either Federal or State laws. Detecting misdirected faxes can be time-consuming or, worse, ignored, especially when there is no number for the unintended recipient to call when they discover that they received information by accident. Consider including the phone number of the security response team on all fax cover pages, as there is a higher likelihood that 100% of these errors will be logged and followed up with.
The first step of an effective incident response process is to provide a communications path for anyone to report a suspected security or privacy incident. Since MFDs are generally assigned to an office rather than individuals, ensure everyone has been trained to question when a device is moved or serviced without advance notice, especially by external vendors. There is the probability of a breach of sensitive information if a vendor removes and replaces a device and the IT department does not first remove the unencrypted hard drive. Unless staff are trained to report these activities to security, sensitive information may escape the organization. Security executives should ensure that their disposal processes include all devices that can store sensitive data, not just those managed within the typical IT scope.
MFDs can also be infected with malware and serve as hosts for hackers to explore your network. Include documented procedures for how to remove or replace devices suspected of being hacked in your organization’s incident response plan. Finally, recovery from the impact of lost, stolen, or hacked devices, as well as misdirected faxes, is not totally a technical process.
The security and compliance team need to perform an analysis of the potentially compromised data to evaluate if there are any Federal or State reporting requirements. All 50 states now have mandatory reporting requirements for the loss of confidential personal information, and some have issued heavy penalties for delayed reporting. Now is the time to ensure that your organization is not going to be the next “poster child” for failing to act appropriately.
About the Author:
Clyde Hewitt is an Executive Advisor for CynergisTek and Faculty Affiliate at McCombs School of Business, The University of Texas at Austin.