
How can businesses assess and mitigate the security threat of
networked devices such as printers that have operating systems
which can continually re-infect networks with malware?
Tomato Ketchup! Not something one is encouraged to request in a
fine dining establishment, says the voice of experience. Is this an
acceptable response from the supplier? Consider that a product has
been supplied, but any attempt to provide an improvement to suit
the customer is not only discouraged, but in one memorable case,
vociferously rejected, writes Raj Samani, vice-president of
communications at ISSA UK Chapter.
These same restrictions provide a back door into organisational
networks through [the lack of] security in embedded devices. The
array of additional functionality afforded to customers means that
devices are now shipping with operating systems with restrictions
(OSRs). The supplier occasionally provides an update that the
customer should use to 're-flash' the device, but updates are
reported as being rarely available, and rarely applied.
Devices are not restricted to printers. A researcher was forced
to cancel a presentation revealing "a way to hack into ATMs" that
ran a particular operating system. There are also reports that
cybercriminals have loaded malicious sniffers onto cash machines in
Eastern Europe to capture the magnetic stripe information on the
back of a card as well as the PIN, allowing the criminals to clone
the card.
Consider ATMs, printers, mobile phones, photocopiers, scanners,
even network-connected freezers, and suddenly the reported story of
the Conficker worm infecting medical equipment (more embedded
devices) is only the tip of the iceberg.
Some simple questions arise with the use of such devices. Do you
know what embedded devices exist on your network? Do they need to
be on the network? If so, can they be isolated? What policies exist
regarding updates? Are there any other controls available to reduce
these risks?
The information security landscape is evolving. We are moving
away from the "raising the drawbridge" security model. Threats are
now coming in hourly, from devices previously considered safe. The
feature-driven technology industry provides challenges to security
managers across all industries, placing new demands to keep up with
the relentless pace - anything less and expect to be on the front
page of newspapers and websites, and at the back of the job
queue.