Is Your Printer Out to Get You? Wisconsin

Your company has invested heavily in IT security. All the protections IT has recommended have been purchased and put in place. You feel confident that the company's electronic data is secure. But is it? What about all those non-PC networked devices lying around? Are they safe?

Printers, scanners, video cameras, anti-spam and anti-spyware appliances, VoIP devices, and other network-aware devices represent a growing threat. Many newer models of these devices are equipped with large hard drives (60GB or more), powerful Pentium processors, and versions of popular operating systems like Linux or Windows.

Some of them contain few or no hardware controls, but are configured and controlled via Web servers on the hard drive, with access and control via a Web-based GUI. Since these devices are connected to the network, hackers can use them to gain access to confidential information. For example, a printer or scanner's hard drive stores copies of its output—output that may include copies of medical records, bank account information or social security numbers.

The Non-PC Threat

Many organizations have purchased powerful firewalls, in-line intrusion prevention systems, SSL (Secure Socket Layer) VPNs and anti-spam appliances over the past several years. Many older non-PC devices might have been running VXWorks or another embedded operating system with no hard drive and limited processor power. However, while they still look like dedicated devices on the outside, many newer devices are more like PCs on the inside.

Run a quick search on hacker and security Web sites, blogging sites, or underground IRC chat boards, and you'll find a treasure trove of information about how to access confidential information through non-PC devices. My observation of IT buzz shows that these attack attempts are becoming more frequent as the security screws have tightened around PCs and as non-PC devices have changed.

Unfortunately, most security policies and systems do not deal with the vulnerabilities of these devices. According to Amol Sarwate, director of vulnerability research labs at vulnerability scanner maker Qualys, "These devices are not really monitored. They are widely considered 'stupid devices,' so they are not in the security policy, and they remain under the security radar."

The result? Most organizations have poor defenses against attacks that use non-PC devices to gather information that might have originated on PCs or servers. "It's very important to identify these devices and [their security] issues," said Max Caceres, product manager for penetration testing software vendor Core Security.

How might this information be accessed? Many printers have hard drives that store confidential documents in the printing queue. The Web filter appliance could be running Linux and Apache for device access and control. Video surveillance camera output may inadvertently become accessible from the public Internet, exposing images that should not be public. Your new anti-spam appliance may be a mail server that stores and forwards e-mail before being sent along to the organization's existing e-mail server.

Protect Through Best Practices

Now is the time to look at the potential security vulnerabilities of non-PC devices. Where should you start? Since there are many different types of non-PC devices, how do you begin to create management systems that are appropriate for them all?

The best approach is to apply security standards to these issues. For example, the best practice of "complete mediation" is appropriate here. Complete mediation means that all potential entry points are to be identified and controlled. Mediation points are the systems and procedures that control access to entry points. You must eliminate all back doors and similar access points to achieve complete mediation.

Another important principle is that a security system must not rely upon the "obscurity of the mechanism." In other words, you can't assume that data is secure because it resides in a device or system that's rare or hard to access. Obscure systems are still considered susceptible to attack.

Steps to Secure Non-PC Devices

Applying the standard of complete mediation to non-PC/non-server devices requires some planning.

1. Retain a mandate from highest level of management, ideally the CEO or the CFO, to secure these devices. Although it may seem obvious, without a high-level mandate, it will be more difficult to achieve complete mediation. A plan without the proper mandate will inevitably be bypassed by a staffer somewhere along the line, and you could end up the scapegoat in a serious security incident.
2. Perform a complete physical inventory audit of all authorized network-connected devices. Have a policy about how to deal with authorized and unauthorized devices. Your organization's security policy must require all staff members to seek written permission before any new devices can be connected to the network, and that includes IT! The policy must also state that all unapproved devices that are discovered on the network will be disconnected and confiscated.
3. Conduct a network scan to discover all devices and identify known vulnerabilities. You can use open-source network scanning tools or commercial tools. Be sure to deploy a scanning tool that can fingerprint operating systems by observing the response to queries. This is important because some device makers will alter the OS banner to display the vendor's name rather than the true OS. Some scanners do not probe deeper than the OS banner, thereby missing critical vulnerabilities in the underlying operating system. Make sure you get written permission prior to testing, and provide a second written alert to decision makers just prior to running your scan. After you identify unauthorized devices, locate them, disconnected them, and confiscate them.
4. Review the documentation from the manufacturers on how to access these devices. Document all factory-default user names and passwords. Many Web sites, including www.cyberpunkcafe.com, provide this information. Conduct Web searches for back doors on the devices you have on your network. Again, with proper written permission prior to testing and a second alert to decision makers, test the default passwords and back doors against the devices on your network to see if you can penetrate them.
5. Determine how to patch and update your non-PC devices. You'll probably need to discuss this with your device vendors and do research online. Patching non-PC devices is not as simple as updating Windows patches. Some require special cables that need to be hard connected to the device. Some devices will have a vulnerability in the underlying operating system, but the vendor will not have provided a "branded" patch. The time to research and test your own patching of, say, Apache on a printer is before a critical vulnerability is discovered, not the day that the vendor tells you "we don't have a patch yet for that."

6. Make sure your logging infrastructure is capturing the logs from these devices. Many non-PC devices have logging capabilities, but due to limited memory, they do not store the logs for long periods of time. Many can send logs to a logging server. Add procedures to your security policies that require, whenever possible, the forwarding of all non-PC device logs to a logging host that is well-hardened.

   Yet just having logs is not enough. Your policy must also have provisions for reviewing the logs on a daily or weekly basis. There are software tools that assist in managing logs of all types, and these tools are an important element in protecting confidential information. Your policy should also include off-site backup of these logs, as they are part of your critical backups in the event of an incident.

7. Create a process for the introduction and auditing of all new non-PC devices that are added to the enterprise. That process needs to also include periodic scanning of the existing devices and checking for unapproved new non-PC devices added to the network. Vendors like Qualys and Core Security offer free and easy-to-use tools that are bundled with their scanning solutions that will let you make unlimited mapping scans of all network segments, so you can identify all network aware devices on your network.
8. Maintain logging and audit trails of network usage of these devices. Your documentation should say what you are going to do to protect these devices. You should follow through on your plans, and then have the complete logging and audit trail to prove that you did so.

As networkable non-PC devices become more plentiful and powerful, and more vulnerable to attack, the threats they pose to confidential data will grow. Now is the time to inventory and prepare. In order to protect that data, organizations need to update their policies and procedures to reflect the changing nature of these non-PC devices. Organizations need to control access to these devices and put in place the proper defenses against attacks that attempt to use them as penetration points.

Ira Victor, GIAC/G17799/GPCI/GSEC, is a security auditor and compliance specialist with Data Clone Labs in Reno, NV. He holds security and audit certifications from The SANS Institute. Mr. Victor makes frequent media and conference appearances on privacy and security. He is a founding board member of Sierra Nevada InfraGard, an FBI-sponsored security organization, and is co-founder of the SDForum Security Special Interest Group.