How can businesses assess and mitigate the security threat of networked devices such as printers that have operating systems which can continually re-infect networks with malware?
Businesses affected by the economic downturn, suffering a reduction in resources and an increase in threats, need to risk assess their vulnerabilities and think carefully about how and where to focus their attention, writes Kate Danbury head of Information Security Service at The Corporate IT Forum. Members of the Corporate IT Forum understand that there is a broad spectrum of serious risks and vulnerabilities to be addressed, in which networked devices re-infecting networks is only one challenge.
Valuable data on a machine in a hostile environment is high risk and a high priority; low-value data on a machine more susceptible to vulnerabilities is less so and therefore slips down the priority list. Adopting a risk-based approach allows you to look at the business as a whole and identify real vulnerabilities, making it more meaningful to the business and allowing for better prioritisation of remediation resource.
Members do not disagree that the risk of infection through networked devices exists, but there are often more significant risks elsewhere. Security professionals working against increased threats with reduced resource and budget must continually assess which risks merit the most time and effort.
Most organisations have strict policies preventing unauthorised equipment from accessing the network. All devices such as printers have to go through an approval process. The difficult question then is, once a device has been installed, do we check what is running on it?
At a recent vulnerability and patch management workshop, organisations were asked if they had experienced an issue as described by Conficker Working Group director Rodney Joffe. Fewer than one in ten had suffered this kind of infection, and even when a printer was implicated the case was not proven. Members consider Conficker one of many issues related to multifunctional devices, as these present a host of challenges, including storing scanned images and allowing access to the network once attached to a phone system. Which brings us back to priorities.
Understanding the business' risk appetite and translating this into effective controls will pave the way to a well-maintained vulnerability management programme, leaving security professionals the space to react and plan defences.
Read more expert advice from the Computer Weekly Think Tank >>
This was first published in October 2009