Auditing Security Controls of Printers,

Scanners,and Multifunction

Devices

2010 NSAA IT Workshop and Conference

Brian Rue Chris Gohlke

Go Noles! Go Gators!

2

Presentation Agenda• 1st Half

– MFD Functions/Services & Security Weaknesses

• 2nd Half– Preparing a MFD Audit Program

3

In the Beginning…

Chester Carlson with the first xerographic apparatus

30’sNot much to audit

4

Manual process – Thermal Paper Transfer

Still not much to audit…..

5

Xerox 914 was the first plain paper photocopier using the process of Electro-photography

No USB/No Tape Drive/No Hard drive/It did come with a fire extinguisher due to heat & ignition issues

6

The image above shows the channel-attached version of the 9700, as the tape tower isn't present. Under the LS100 terminal, Xerox had placed a modified DEC PDP-11/34. An extra cage contained a few proprietary cards to facilitate the page ripping. There was a Control Data 14" hard drive (the removable platter type) on sliders.

CPU/ Memory – Tape Drive added..

7

Printer/Copier/Scanner/FAX Wired Network Connectivity Wireless Networking Wi-

Fi/Bluetooth Removable Memory Hard Drives Operating System Web Server User Accounts Remote Access Landline Connection Scan to Network Share or PC E-mail Integration Web Submission of Print

Jobs Web Browser

8

The CBS News Story On YouTube

http://www.youtube.com/watch?v=iC38D5am7go&feature=fvw

9

Understanding the MFD

10

MFD>A Server with a Glass TopMFD Hardware Components1. Central Processing Unit (CPU)

2. Memory (ROM/RAM/FLASH)

3. Hard Drive

4. Network Card

5. ABGN Wireless Radio

6. Bluetooth Radio

7. USB Connection

8. Analog Modem

9.Multicard Memory Reader

10. LCD/LED Screen

11

MFD Breakdown

12

MFD Software• Operating System -GNU/Linux, VxWorksS, Windows NT

4.0 Embedded, Windows XP Embedded, Mac OS X, Sun Solaris, or Vendor Proprietary OS

• Print Engine/Controllers – May be supported by secondary OS

• Database (PostGreSQL+)

• Drive File System (NTFS/FAT)

• Additional Applications (Document Management -Optical Character Recognition or PDF conversion, Software Development Kits – Sharp OSA, Xerox EIP, HP Open Extensibility Platform, Web Server)

13

MFD Software Security Issues• Security patches not applied to operating system

and services with discovered vulnerabilities– Lack of vendor support for security patches

– Software or Operating system vulnerabilities may be used to elevate privileges

• Lack of change management procedures

• Memory storage (hard drive, ROM/RAM, flash drive) unencrypted by default– Hard drive stores spooled and processed jobs in clear text– MFD RAM memory stores documents in clear text during and after processing by

default– Flash drives usually contain unencrypted jobs

14

MFD Services

• Apache Web Server

• Remote Access (Telnet,FTP,HTTP,SNMP)

• Bytecode interpreters or virtual machines for internally hosted third party applications

• Network service clients for sending of documents to different destinations

• Network service servers for receiving documents for print or storage

• Image processing services

15

MFD Services Security Issues• Unneeded services left on increasing the

number of potential attack points into the MFD

• Services with security vulnerabilities not patched

• No/limited logging of service activity

16

MFD Network Communications

• Common Open Ports/Protocols– HTTP 80/TCP– SNMP 161/UDP– LPD Printing 515/TCP– PDL Printing 9100/TCP

• Protocols– AppleTalk– Internet Printing Protocol– PCL– HPPCL Printing Protocol– Telnet– IPX/SPF– FTP– TCP/IP

17

MFD Network Communication Security Issues

• No firewall rule set for ingress (traffic into the MFD) or egress (traffic out of the MFD) filtering

• MFD does not support entity PKI strategy (no support for CA certificates)

• Print/fax/scan jobs transmitted over network/Internet in clear text

• Unneeded protocols and ports left open

18

MFD Wireless Access

• Wi-Fi– WEP– WPA

• WPA-PSK• WPA-Enterprise

– WPA2• WPA2-PKS• WPA2-Enterprise

– No Encryption

• Bluetooth– Prior to Bluetooth v2.1, encryption is not required and can be

turned off at any time.

19

MFD Wireless Security Issues• Unencrypted wireless connections transmitting

documents in clear text (intercepting documents in the air)

• Potential remote attack access point into the MFD

20

Fax Services

• Fax to memory (disk/disk share)• Hardcopy fax printouts• PSTN – analog phone modem

connection

21

MFD Fax Services Security Issues• Faxes auto print in an unsecured area

– No authorization required to verify recipient before releasing fax

• Faxes held in unencrypted memory after print

• Lack of logical separation of analog modem from LAN (Ability to enter LAN from modem connection)

22

Drive Shares

• Network Drive Shares• Printer Drive Shares

• PC/MAC Shares

• Printer Hard Drive Shares

23

MFD Shares Security Issues

• No auditee procedures for configuring drive shares

• Undocumented drive shares

• Shares setup without encryption

24

MFD Management

1. Device Console2. Web Interface3. Network

client/server enterprise management application

25

MFD Management Security Issues

• Physical Consoles on MFDs Setup Without Pass Codes

• Default Web Interface may not require password

• Most devices not configured with user or group accounts to authenticate and authorize

• Limited to no logging of user activity (console logons, patching, administrative functions)

26

MFD Repair Procedures

27

Physical Security

1.Conduct Risk Assessment to determine if use of MFD and physical location of device provides adequate physical security controls.

2. Processing confidential or sensitive data on a device in a common area creates multiple security issues.

28

Surplus Device Procedures

1. Clean Printer Configuration Files

2. Wipe Drives/Memory

3. Ensure no Sensitive Paper Copies on Glass or in Machine (legacy paper jams)

29

MFD Certifications/Acts/Contractual

Obligations• National Security Telecommunications and Information Systems Security Policy (NSTISSP) #11

• DOD Directive 8500.1• Common Criteria (EAL1 to EAL4)• Gramm–Leach–Bliley Act (GLB)• Health Insurance Portability and Accountability

(HIPAA)• Payment Card Industry – Data Security Standard

Potential Components of an MFD Audit Program

• Network/Server• Shares• Wireless• Access Controls• Physical Security• Encryption• Surplus• Contracts/Leasing• Policies and Procedures

30

A Majority of Which Fall Into Your Normal IT Audit Program

MFD Audit

Program

IT Audit Program

31

Since you probably won’t get a ton of audit hours for MFD’s……

32

Obtain an Understanding and Assess the Risk

• Get an inventory listing• Inquire• Observe

• Get manuals• Search online for common vulnerabilities

33

Physical Security

• Does the unit have a locking compartment for the hard drive, etc?

• Is there a physical reset button that will restore the unit to factory default? Is it secured?

• Is the entire unit secured in place, or could it be wheeled out of the building?

• Is output secured?

34

Device Controls

• Strong password controls at the console?• Settings/administration locked down to authorized

individuals?• Is the web interface turned on? Does it need to be?• Are unneeded network services turned on?• Is wireless on? Does it need to be? Is it secure?• Logs kept/reviewed of administration functions?• Are the logs secured? • Are there security patches for the device and if so are they

checking for them and applying them in a timely manner?

35

Data Controls

• Does the device have an option for encrypting/automatically wiping copies after a job prints?

• Did they pay for it?• Is it turned on?• If not, why? Do they have a compensating

control?

36

Surplus

• Did they lease or purchase?• If leased, what rights do they have to wipe the

drive? Is it user accessible? Are you going to be able to audit it?

• If purchased, do MFDs fall under their normal PC surplus policies for having devices wiped?

• What about when the device is serviced or parts replaced?

37

Policies and Procedures

• As always, the above should be covered by a policy and procedure.

38

39

Multifunction Device Resources

40

http://h20338.www2.hp.com/enterprise/downloads/NIST%20SUBMITTED%20Configuring%20Security%20for%20Multiple%20LaserJet,%20Color%20LaserJet,% 20and%20Edgeline%20MFPs.pdf

41

http://www1.lexmark.com/documents/en_us/1_SecurityBrochure.pdf

42

http://www.office.xerox.com/latest/SECBR-03UA.PDF

http://www.aot-xerox.com/files/content/MFPsecurity.pdf

43

Questions?