Title: Is this a copier
Slide 1: A Security Tour of the Typical Multi-Function Printer/Copier/Fax (MFD)
Presented by Patrick McGuire, State Board of Equalization

Is this a copier? Is this a printer? Is this a facsimile? Is this a computer? Is this a threat?
YES
Slide 2: From the typical user's perspective, the MFD is ... / the server is ...

  MFD:    Familiar and friendly
  Server: Scary and cold

  MFD:    Out in the open work area with no restrictions
  Server: Behind a cage, in a locked room, that few people are allowed to enter

  MFD:    Plugs into the wall just like my reading lamp at home
  Server: Special power, temperature, humidity, and fire suppression

  MFD:    The jovial copier guy is always good for a joke or a story
  Server: The geek has few social skills and never makes eye contact

  MFD:    I push a button, it hums, then it does something (makes a copy)
  Server: Let me see what happens when I push and hold down that button
Slide 3: So, where's the RISK? It's all about the data.

  Asset Value:   Do your documents contain Confidential, Sensitive, or Personal (C/S/P) information?
  Threat:        The loss of custody and control of the information
  Vulnerability: Open peripheral ports, persistent storage, e-mail client, File Transfer Protocol (FTP) client, wireless protocols
  Probability:   Absent security controls, a breach is likely
  Impact:        Reputation loss, hard dollar costs associated with Civil Code 1798.29 notifications
  Contingencies: Rapid incident response, support contract, classify as an IT asset
  Residual Risk: Absent security controls, the risk is unacceptable
  Mitigation:    What steps can we take to reduce the risks?
Slide 4: Do you see any vulnerabilities below?

Slide 5: Software Vulnerabilities

Slide 6: Software Vulnerabilities
Slide 7: Threat Vectors

  Data storage
    - Hard drive
    - Flash memory
    - Removable storage (floppy, CD-ROM)
  Data transmission
    - Email
    - SMB (file sharing)
    - FTP
  Numerous connection points
    - USB, Firewire
    - Ethernet, POTS (telephone modem)
    - Wireless (WiFi, Bluetooth, InfraRed)
    - Human Computer Interface (HCI)
Slide 8: Risk Management - Suggested Mitigation Strategies

- Add to your security awareness program
- Train your procurement staff
- Make the vendor accountable
- Regulate the vendor's behavior through solid contract language
- Include in your internal audit program (FISMA)
- Add to your risk management program (SAM 5305)
- Stay aware of new features and capabilities
- Assume C/S/P information will be exposed
- Although today it's not networked, tomorrow that will change
- Add to your end-of-life program for proper disposal
- Make part of your IT program, most suited to manage technical risk
- Add to your penetration testing methodology
- Stay on top of upgrades and security patches
- Request, then support, State of California standards (DGS-PD)
Slide 9: Risk Management - Suggested Mitigation Tactics

- Disable all peripheral ports
- Each feature must have a clear business need, or turn it off
- Enable ports and features only after a risk assessment
- Have management accept any residual risk
- Enable hard drive encryption
- Enable memory wipe after each job
- Limit emails to internal addresses only
- Change all default accounts/passwords
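The threat vectors on slide 7 and the tactics on slide 9 together form a checklist that can be applied to a device's configuration export. The script below is an added example written for this page, not code from the presentation or from any MFD vendor: it audits a constructed INI-style export against those tactics and reports each setting that is still open. The section and key names, the "default"/"changed" marker for account passwords, and the internal domain example.gov are all assumptions; a real export will use the vendor's own schema and the parser has to be adapted to it.

```python
"""Audit an MFD configuration export against the slide-9 hardening tactics.

Added example for this page. The INI-style export format, the section and key
names, and the internal domain are assumptions, not any vendor's real schema.
"""
import configparser
from dataclasses import dataclass

# Constructed: domains that count as "internal" for the e-mail restriction.
INTERNAL_DOMAINS = {"example.gov"}

# Constructed: an as-shipped export with every slide-7 vector left open.
WEAK_CONFIG = """\
[ports]
usb = enabled
firewire = enabled
wifi = enabled
bluetooth = enabled
infrared = disabled

[storage]
hdd_encryption = off
job_memory_wipe = off

[email]
allowed_domains =

[services]
ftp = enabled
smb = enabled

[accounts]
admin = default
service = default
"""

# Constructed: the same device after the slide-9 tactics have been applied.
HARDENED_CONFIG = """\
[ports]
usb = disabled
firewire = disabled
wifi = disabled
bluetooth = disabled
infrared = disabled

[storage]
hdd_encryption = on
job_memory_wipe = on

[email]
allowed_domains = example.gov

[services]
ftp = disabled
smb = disabled

[accounts]
admin = changed
service = changed
"""


@dataclass(frozen=True)
class Finding:
    section: str
    key: str
    tactic: str  # the slide-9 tactic this setting violates


def audit(config_text: str) -> list[Finding]:
    """Return one Finding per setting that still violates a slide-9 tactic."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    findings: list[Finding] = []

    # "Disable all peripheral ports": USB, Firewire and wireless are connection points.
    for port, state in cp["ports"].items():
        if state.strip().lower() == "enabled":
            findings.append(Finding("ports", port, "disable all peripheral ports"))

    # "Enable hard drive encryption" / "Enable memory wipe after each job".
    storage = cp["storage"]
    if storage.get("hdd_encryption", "off").strip().lower() != "on":
        findings.append(Finding("storage", "hdd_encryption", "enable hard drive encryption"))
    if storage.get("job_memory_wipe", "off").strip().lower() != "on":
        findings.append(Finding("storage", "job_memory_wipe", "enable memory wipe after each job"))

    # "Limit emails to internal addresses only": an empty allow-list means any recipient.
    raw = cp["email"].get("allowed_domains", "")
    domains = {d.strip().lower() for d in raw.split(",") if d.strip()}
    if not domains:
        findings.append(Finding("email", "allowed_domains", "limit emails to internal addresses only"))
    for domain in sorted(domains - INTERNAL_DOMAINS):
        findings.append(Finding("email", domain, "limit emails to internal addresses only"))

    # "Each feature must have a clear business need, or turn it off": FTP and SMB transmit data out.
    for service, state in cp["services"].items():
        if state.strip().lower() == "enabled":
            findings.append(Finding("services", service, "turn off features without a clear business need"))

    # "Change all default accounts/passwords": the export marks whether each password is still vendor default.
    for account, status in cp["accounts"].items():
        if status.strip().lower() == "default":
            findings.append(Finding("accounts", account, "change all default accounts/passwords"))

    return findings


def residual_risk_accepted(config_text: str,
                           accepted: frozenset[tuple[str, str]] = frozenset()) -> bool:
    """True when every remaining finding is in `accepted`, the (section, key) pairs
    that management has signed off on ("Have management accept any residual risk")."""
    return all((f.section, f.key) in accepted for f in audit(config_text))


if __name__ == "__main__":
    for name, cfg in (("as shipped", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit(cfg)
        print(f"{name}: {len(results)} finding(s)")
        for f in results:
            print(f"  [{f.section}] {f.key}: {f.tactic}")
```

Running it lists eleven open items for the as-shipped export and none for the hardened one; each finding names the tactic it maps to, so the residual list is exactly what management is asked to accept or fund a fix for. Anything the audit does not model (firmware level, physical access to the drive at end of life) still has to be covered by the contract and disposal program on slide 8.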
Slide 10: Whether the MFD is Owned or Leased, It's Still Your Information
Slide 11: Tell them what you're going to tell them, tell them, then tell them what you just told them

Today's multi-function printer/device (MFD) is an enterprise-class computer; treat it as such. Awareness and training is your first layer of defense. Right now, your users (including procurement) do not see the threat. The MFD of tomorrow will have more features, not fewer. Stay with the basics: defense in depth, least privilege, access control, and separation of duties. Think enterprise (agency and statewide). Acquire the necessary controls when first purchased. Should DGS-PD only offer MFDs with the necessary security controls built in?
Slide 12: Where do I go for more information?

Follow the Feds
  http://www.irs.gov/irm/part10/ch03s03.html
  http://csrc.nist.gov/publications/PubsSPs.html
  http://iase.disa.mil/stigs/checklist/index.html

Follow the Leader
  http://www.oispp.ca.gov/government/default.asp
  http://www.pd.dgs.ca.gov/masters/MultifunctionalColorCopier.htm
Slide 13: Future Risks - Cyber Prophecies

Cloud Computing: Are the security risks real or just FUD?
Web 2.0 - 2010 and Beyond: State agencies publish directly to Web 2.0, so it must be okay for our users to go there?

Slide 14: Questions