Tuesday, January 11, 2011

Printers and Copiers; data security time-bombs!

To many of us printers and copiers are benign pieces of equipment that are viewed as somewhat archaic but necessary. Rarely are they considered a threat to external data security and therefore tend to fall below the scan of the standard data security radar.
However an article I recently came across by Armen Keteyian of CBS News has changed my perception of these office tools from being benevolent workhorses to being potentially security time-bombs.
Keteyian describes how the investigative team purchased 4 copiers form a warehouse in New Jersey for about $300 each. The warehouse, one of 25 nationwide, had about 6000 printers in inventory. It took them about 30 minutes to pull the hard drives from the printers and with forensic software they then proceeded to download tens of thousands of documents. The downloads included police records, details from a sex crimes unit, medical records, insurance records; a treasure trove for the security theft industry.
So how did this security hole develop and why does it continue to be an issue?
  • General purpose copiers and printers tend to fall between the data center and the general office and rarely receive the oversight of qualified IT professionals. 
  • As stated by Ed McLaughlin, President of Sharp Imaging, “the industry has failed”. In failing he is referring to a lack of end user education regarding the potential risks involved with copiers/printers as highlighted in their end-user survey. Two significant findings were:
    • 60% of consumers do not know that printers store images on a hard drive. 
    • Consumers are unaware of security risks associated with the hard drive in the copier.
  • Considering that encryption is infrequently used the potential for confidential data sitting on an unprotected hard drive in a printer or copier is high.
  • Power cycling does not erase data on the hard drive.
  • Page images remain on the hard drive after output.
  • Decommisioning protocols are rarely followed.
  • As highlighted in the CBS report de-commissioning protocols are generally ignored making old printers a treasure trove for information/identity thieves.
Bottom Line: The apparent benign nature of printers and copiers has apparently excused them form disciplined security practices and oversight, a likely reason being the fact that their support and maintenance tends to fall outside the normal IT function. However, printers and copiers do present a real and significant security threat and should be managed accordingly. If this article does not act as a wake-up call to those responsible for enterprise data security then I am not sure what will.
If this small random sample of four printers can produce this magnitude of security breaches what is contained in the 6000 other printers in the warehouse never mind those in the other 25 similar locations

No comments: