How can businesses assess and mitigate the security threat of networked devices such as printers that have operating systems which can continually re-infect networks with malware?
Tomato Ketchup! Not something one is encouraged to request in a fine dining establishment, says the voice of experience. Is this an acceptable response from the supplier? Consider that a product has been supplied, but any attempt to provide an improvement to suit the customer is not only discouraged, but in one memorable case, vociferously rejected, writes Raj Samani, vice-president of communications at ISSA UK Chapter.
These same restrictions provide a back door into organisational networks through [the lack of] security in embedded devices. The array of additional functionality afforded to customers means that devices are now shipping with operating systems with restrictions (OSRs). The supplier occasionally provides an update that the customer should use to 're-flash' the device, but updates are reported as being rarely available, and rarely applied.
Devices are not restricted to printers. A researcher was forced to cancel a presentation revealing "a way to hack into ATMs" that ran a particular operating system. There are also reports that cybercriminals have loaded malicious sniffers onto cash machines in Eastern Europe to capture the magnetic stripe information on the back of a card as well as the Pin, allowing the criminals to clone the card.
Consider ATMs, printers, mobile phones, photocopiers, scanners, even network-connected freezers, and suddenly the reported story of the Conficker worm infecting medical equipment (more embedded devices) is only the tip of the iceberg.
Some simple questions arise with the use of such devices. Do you know what embedded devices exist on your network? Do they need to be on the network? If so, can they be isolated? What policies exist regarding updates? Are there any other controls available to reduce these risks?
The information security landscape is evolving. We are moving away from the "raising the drawbridge" security model. Threats are now coming in hourly, from devices previously considered safe. The feature-driven technology industry provides challenges to security managers across all industries, placing new demands to keep up with the relentless pace - anything less and expect to be on the front page of newspapers and websites, and at the back of the job queue.
If you're looking for a new photocopier, then get quotes for photocopiers from BuyerZone.
This was first published in October 2009