Is this a copier? - PowerPoint PPT Presentation

1
A Security Tour of the Typical Multi-Function Printer/Copier/Fax (MFD)
Presented by Patrick McGuire, State Board of Equalization
Is this a copier? Is this a printer? Is this a facsimile? Is this a computer? Is this a threat?
YES
2
From the typical user's perspective, the MFD is ... / the server is ...
  • MFD: Familiar and friendly. Server: Scary and cold.
  • MFD: Out in the open work area with no restrictions. Server: Behind a cage, in a locked room that few people are allowed to enter.
  • MFD: Plugs into the wall just like my reading lamp at home. Server: Special power, temperature, humidity, and fire suppression.
  • MFD: The jovial copier guy is always good for a joke or a story. Server: The geek has few social skills and never makes eye contact.
  • MFD: I push a button, it hums, then it does something (makes a copy). Server: Let me see what happens when I push and hold down that button.
3
So, where's the RISK? It's all about the data.
  • Asset Value: do your documents contain Confidential, Sensitive, or Personal (C/S/P) information?
  • Threat: the loss of custody and control of the information
  • Vulnerability: open peripheral ports, persistent storage, e-mail client, File Transfer Protocol (FTP) client, wireless protocols
  • Probability: absent security controls, a breach is likely
  • Impact: reputation loss, hard dollar costs associated with Civil Code 1798.29 notifications
  • Contingencies: rapid incident response, support contract, classify as an IT asset
  • Residual Risk: absent security controls, the risk is unacceptable
  • Mitigation: what steps can we take to reduce the risks?
4
Do you see any vulnerabilities below?
5
Software Vulnerabilities
6
Software Vulnerabilities
7
Threat Vectors
  • Data storage: hard drive; flash memory; removable storage (floppy, CD-ROM)
  • Data transmission: e-mail; SMB (file sharing); FTP
  • Numerous connection points: USB, FireWire; Ethernet, POTS (telephone modem); wireless (WiFi, Bluetooth, InfraRed); Human Computer Interface (HCI)
8
Risk Management Suggested Mitigation Strategies
  • Add to your security awareness program
  • Train your procurement staff
  • Make the vendor accountable
  • Regulate the vendor's behavior through solid
    contract language
  • Include in your internal audit program (FISMA)
  • Add to your risk management program (SAM 5305)
  • Stay aware of new features and capabilities
  • Assume C/S/P information will be exposed
  • Although today it's not networked, tomorrow that
    will change
  • Add to your end of life program for proper
    disposal
  • Make part of your IT program, most suited to
    manage technical risk
  • Add to your penetration testing methodology
  • Stay on top of upgrades and security patches
  • Request, then support, State of California
    standards (DGS-PD)

9
Risk Management Suggested Mitigation Tactics
  • Disable all peripheral ports
  • Each feature must have a clear business need, or
    turn it off
  • Enable ports and features only after a risk
    assessment
  • Have management accept any residual risk
  • Enable hard drive encryption
  • Enable memory wipe after each job
  • Limit emails to internal addresses only
  • Change all default accounts/passwords
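Two of the tactics above can be checked mechanically rather than left as policy: "each feature must have a clear business need, or turn it off" (applied to the network services behind the slide-7 threat vectors: FTP, SMB, e-mail, telnet/web management, raw printing ports) and "limit e-mails to internal addresses only". The Python below is an added example written for this page, not code from the presentation. The nmap-style "PORT STATE SERVICE" scan table, the approved-port allowlist, the port-to-threat-vector mapping and the boe.example mail domain are all constructed assumptions for illustration.

```python
"""Audit helpers for two MFD hardening tactics (added example, not from the deck).

Assumptions: scan rows follow nmap's "PORT STATE SERVICE" table layout; the
port-to-vector mapping, approved ports, internal mail domain and sample scan
are constructed for this example.
"""
import re
from email.utils import parseaddr

# Well-known MFD listeners mapped to the threat vectors named in the deck.
# Constructed mapping; extend it for the device actually under review.
MFD_SERVICES = {
    21: "Data transmission: FTP",
    23: "Management: telnet (cleartext admin console)",
    25: "Data transmission: e-mail (SMTP)",
    80: "Management: web admin over cleartext HTTP",
    139: "Data transmission: SMB file sharing (NetBIOS)",
    161: "Management: SNMP",
    443: "Management: web admin over HTTPS",
    445: "Data transmission: SMB file sharing",
    515: "Printing: LPD",
    631: "Printing: IPP",
    9100: "Printing: raw port 9100",
}

# Matches rows such as "21/tcp   open   ftp"; the header row does not match.
SCAN_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_open_ports(scan_text):
    """Return (port, proto, service) for every scan row whose STATE is 'open'."""
    rows = []
    for line in scan_text.splitlines():
        m = SCAN_ROW.match(line.strip())
        if m and m.group(3) == "open":
            rows.append((int(m.group(1)), m.group(2), m.group(4)))
    return rows


def audit_exposed_services(scan_text, approved_ports):
    """One finding per open port that is not on the business-need allowlist."""
    findings = []
    for port, proto, service in parse_open_ports(scan_text):
        if port in approved_ports:
            continue
        vector = MFD_SERVICES.get(port, "Unclassified service")
        findings.append(f"{port}/{proto} ({service}) open without business need: {vector}")
    return findings


def is_internal_recipient(address, internal_domains):
    """True only if the real mailbox domain is an internal domain or a subdomain of one.

    parseaddr() discards the display name, so a recipient written as
    '"bob@boe.example" <x@attacker.example>' is judged by attacker.example.
    The suffix match requires a dot boundary, so boe.example.attacker.example
    is rejected even though it contains the internal domain as a prefix.
    """
    _name, addr = parseaddr(address)
    if addr.count("@") != 1:
        return False
    local, domain = addr.split("@")
    domain = domain.lower().rstrip(".")
    if not local or not domain:
        return False
    return any(domain == d.lower() or domain.endswith("." + d.lower())
               for d in internal_domains)


# Constructed sample scan of a hypothetical MFD; not output from a real device.
SAMPLE_SCAN = """\
PORT     STATE  SERVICE
21/tcp   open   ftp
23/tcp   open   telnet
80/tcp   open   http
443/tcp  open   https
445/tcp  open   microsoft-ds
515/tcp  open   printer
631/tcp  open   ipp
9100/tcp open   jetdirect
"""
APPROVED_PORTS = {443, 631, 9100}      # ports with a documented business need (assumed)
INTERNAL_DOMAINS = ["boe.example"]     # assumed internal mail domain

if __name__ == "__main__":
    for finding in audit_exposed_services(SAMPLE_SCAN, APPROVED_PORTS):
        print(finding)
    for rcpt in ["bob@boe.example", "Bob <bob@attacker.example>",
                 "bob@boe.example.attacker.example"]:
        print(rcpt, "->", is_internal_recipient(rcpt, INTERNAL_DOMAINS))
```

Run against the sample scan, the audit reports FTP, telnet, cleartext HTTP, SMB and LPD as open without a documented need; the three approved printing and HTTPS-management ports pass. The recipient check is deliberately strict about where the domain match is anchored, because the common failure in "internal only" filters is a substring test that lets attacker-controlled lookalike domains through.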

10
Whether the MFD is Owned or Leased,
It's Still Your Information
11
Tell them what you're going to tell them, tell them, then tell them what you just told them.
Today's multi-function printer/device (MFD) is an enterprise-class computer; treat it as such. Awareness and training is your first layer of defense. Right now, your users (including procurement) do not see the threat. The MFD of tomorrow will have more features, not less. Stay with the basics: defense in depth, least privilege, access control, and separation of duties. Think enterprise (agency and statewide). Acquire the necessary controls when first purchased. Should DGS-PD only offer MFDs with the necessary security controls built in?
12
Where do I go for more information?
Follow the Feds:
  • http://www.irs.gov/irm/part10/ch03s03.html
  • http://csrc.nist.gov/publications/PubsSPs.html
  • http://iase.disa.mil/stigs/checklist/index.html
Follow the Leader:
  • http://www.oispp.ca.gov/government/default.asp
  • http://www.pd.dgs.ca.gov/masters/MultifunctionalColorCopier.htm
13
Future Risks: Cyber Prophecies
  • Cloud Computing: are the security risks real or just FUD?
  • Web 2.0 - 2010 and Beyond: state agencies publish directly to Web 2.0, so it must be okay for our users to go there?
14
Questions