440 likes | 551 Views
Auditing Security Controls of Printers, Scanners, and Multifunction Devices. Brian Rue. Chris Gohlke. 2010 NSAA IT Workshop and Conference. Presentation Agenda. 1 st Half MFD Functions/Services & Security Weaknesses 2 nd Half Preparing a MFD Audit Program. 30’s. In the Beginning….
E N D
Auditing Security Controls of Printers, Scanners,and Multifunction Devices Brian Rue Chris Gohlke 2010 NSAA IT Workshop and Conference
Presentation Agenda • 1st Half • MFD Functions/Services & Security Weaknesses • 2nd Half • Preparing a MFD Audit Program
30’s In the Beginning… Not much to audit Chester Carlson with the first xerographic apparatus
The 50’s Manual process – Thermal Paper Transfer Still not much to audit…..
Xerox 914 was the first plain paper photocopier using the process of Electro-photography The 60’s No USB/No Tape Drive/No Hard drive/It did come with a fire extinguisher due to heat & ignition issues
Printer/Copier/Scanner/FAX • Wired Network Connectivity • Wireless Networking Wi-Fi/Bluetooth • Removable Memory • Hard Drives • Operating System • Web Server • User Accounts • Remote Access • Landline Connection • Scan to Network Share or PC • E-mail Integration • Web Submission of Print Jobs • Web Browser The 2000’s
MFD>A Server with a Glass Top MFD Hardware Components 1. Central Processing Unit (CPU) 2. Memory (ROM/RAM/FLASH) 3. Hard Drive 4. Network Card 5. ABGN Wireless Radio 6. Bluetooth Radio 7. USB Connection 8. Analog Modem 9.Multicard Memory Reader 10. LCD/LED Screen
MFD Software • Operating System -GNU/Linux, VxWorksS, Windows NT 4.0 Embedded, Windows XP Embedded, Mac OS X, Sun Solaris, or Vendor Proprietary OS • Print Engine/Controllers – May be supported by secondary OS • Database(PostGreSQL+) • Drive File System (NTFS/FAT) • Additional Applications (Document Management -Optical Character Recognition or PDF conversion, Software Development Kits – Sharp OSA, Xerox EIP, HP Open Extensibility Platform, Web Server)
MFD Software Security Issues • Security patches not applied to operating system and services with discovered vulnerabilities • No vendor supportfor security patches for proprietary OS and application software • No change management procedures • Software or Operating system vulnerabilities may be used to elevate privileges • Memory storage (hard drive, ROM/RAM, flash drive) unencrypted by default • Hard drive stores spooled and processed jobs in clear text • MFD memory stores documents in clear text during and after processing by default
MFD Services • Apache Web Server • Remote Access (Telnet,FTP,HTTP,SNMP) • Bytecode interpreters or virtual machines for internally hosted third party applications • Network service clients for sending of documents to different destinations • Network service servers for receiving documents for print or storage • Image processing services
MFD Services Security Issues • Unneeded services left on increasing the number of potential attack points into the MFD • Services with security vulnerabilities not patched • No/limited logging of service activity
MFD Network Communications • Common Open Ports/Protocols • HTTP 80/TCP • SNMP 161/UDP • LPD Printing 515/TCP • PDL Printing 9100/TCP • Protocols • AppleTalk • Internet Printing Protocol • PCL • HPPCL Printing Protocol • Telnet • IPX/SPF • FTP • TCP/IP
MFD Network Communication Security Issues • No firewall rule set for ingress (traffic into the MFD) or egress (traffic out of the MFD) filtering • MFD does not support entity PKI strategy (no support for CA certificates) • Print/fax/scan jobs transmitted over network/Internet in clear text • Unneeded protocols and ports left open which increase the number of attack vectors
MFD Wireless Access • Wi-Fi • WEP • WPA • WPA-PSK • WPA-Enterprise • WPA2 • WPA2-PKS • WPA2-Enterprise • No Encryption • Bluetooth • Prior to Bluetooth v2.1, encryption is not required and can be turned off at any time.
MFD Wireless Security Issues • Unencrypted wireless connections transmitting documents in clear text (potential for intercepting documents in the air) • Potential remote attack access point into the MFD
Fax Services • Fax to memory (disk/disk share) • Hardcopy fax printouts • PSTN – analog phone modem
MFD Fax Services Security Issues • Faxes auto print in an unsecured area • No authorization required to verify recipient before releasing fax • Faxes held in unencrypted memory after print • Lack of logical separation of analog modem from LAN (Ability to enter LAN from modem connection)
Drive Shares • Network Drive Share • PC/MAC Share • Printer Hard Drive Share
MFD Shares Security Issues • No auditee procedures for configuring drive shares • Undocumented drive shares • Shares setup without encryption
MFD Management • Device Console • Web Interface • Network client/server enterprise management application
MFD Management Security Issues • Physical Consoles on MFDs Setup Without Pass Codes • Default Web Interface may not require password • Most devices not configured with user or group accounts to authenticate and authorize • Limited to no logging of user activity (console logons, patching, administrative functions)
Surplus Device Procedures1. Clean Printer Configuration Files2. Wipe Drives/Memory3. Ensure no Sensitive Paper Copies on Glass or in Machine (legacy paper jams)
MFD Certifications/Acts/Contractual Obligations • National Security Telecommunications and Information Systems Security Policy (NSTISSP) #11 • DOD Directive 8500.1 • Common Criteria (EAL1 to EAL4) • Gramm–Leach–Bliley Act (GLB) • Health Insurance Portability and Accountability (HIPAA) • Payment Card Industry – Data Security Standard
Potential Components of an MFD Audit Program • Network/Server • Shares • Wireless • Access Controls • Physical Security • Encryption • Surplus • Contracts/Leasing • Policies and Procedures
Since you probably won’t get a ton of audit hours for MFD’s……
Obtain an Understanding and Assess the Risk • Get an inventory listing • Inquire • Observe • Get manuals • Search online for common vulnerabilities
Physical Security • Does the unit have a locking compartment for the hard drive, etc? • Is there a physical reset button that will restore the unit to factory default? Is it secured? • Is the entire unit secured in place, or could it be wheeled out of the building? • Is output secured?
Device Controls • Strong password controls at the console? • Settings/administration locked down to authorized individuals? • Is the web interface turned on? Does it need to be? • Are unneeded network services turned on? • Is wireless on? Does it need to be? Is it secure? • Logs kept/reviewed of administration functions? • Are the logs secured? • Are there security patches for the device and if so are they checking for them and applying them in a timely manner?
Data Controls • Does the device have an option for encrypting/automatically wiping copies after a job prints? • Did they pay for it? • Is it turned on? • If not, why? Do they have a compensating control?
Surplus • Did they lease or purchase? • If leased, what rights do they have to wipe the drive? Is it user accessible? Are you going to be able to audit it? • If purchased, do MFDs fall under their normal PC surplus policies for having devices wiped? • What about when the device is serviced or parts replaced?
Policies and Procedures • As always, the above should be covered by a policy and procedure.
http://h20338.www2.hp.com/enterprise/downloads/NIST%20SUBMITTED%20Configuring%20Security%20for%20Multiple%20LaserJet,%20Color%20LaserJet,%20and%20Edgeline%20MFPs.pdfhttp://h20338.www2.hp.com/enterprise/downloads/NIST%20SUBMITTED%20Configuring%20Security%20for%20Multiple%20LaserJet,%20Color%20LaserJet,%20and%20Edgeline%20MFPs.pdf
http://www1.lexmark.com/documents/en_us/1_SecurityBrochure.pdfhttp://www1.lexmark.com/documents/en_us/1_SecurityBrochure.pdf
http://www.aot-xerox.com/files/content/MFPsecurity.pdf http://www.office.xerox.com/latest/SECBR-03UA.PDF