Network Peripherals: A Weak Link in Security and an Open Gateway for Attackers
In a world where 300 million computers are connected by the Internet, the opportunity to tap new revenue streams for a slice of the global security pie has never been greater - but neither has the risk. The warp speed of IT has also brought with it a degree of instability that threatens a company's reputation, credibility, competitiveness and survivability.
From securing the network to safeguarding trade secrets, companies must protect themselves against both external and internal threats. For example, a major U.S. adhesives company is estimated to have lost millions of dollars over a 10-year period when a Taiwanese company bribed an employee to steal highly sensitive and proprietary research and manufacturing information. The theft went undetected for a decade because the adhesives company had not anticipated security threats from inside sources.
As companies continue to face risks such as corporate data loss, tackle compliance issues like Sarbanes-Oxley (SOX), and protect their customers against identity theft, there is a growing concern within corporate America that critical information isn't as secure as it should be.
An Open Gateway to the Network
One of the most common and overlooked threats to a company's assets and trade secrets is the networked peripheral. Multifunction and digital hardcopy devices are highly intelligent machines complete with their own operating systems, hard drives and supporting subsystems. Each time a document is copied, printed, scanned or faxed, an image is left behind on the system's hard drive. Users who scan documents and send them to file servers or other repositories from a multifunction device may also be unknowingly sending unprotected files across the network. This information is as much at risk of getting hacked as information stored on PCs.
Most businesses purchase advanced multifunction systems because they allow consolidation of multiple devices into a single unit. These sophisticated network citizens can also deliver significant cost savings in consumables, services and maintenance. Yet most fall under the radar screen of IT department security strategies.
Companies must realize that from a network perspective these devices look no different than other powerful computer nodes - and if not properly managed - they can be a weak link in security and an open gateway for attackers. Information loss from these devices can occur at a number of places including:
- One or more Central Processing Units (CPU)
- Operating System
- Network Interface
- Disk Drives
- Embedded Web Server
- PDL Interpreter(s) PostScript
- Local User Interface
- Local Hardware Ports
- Fax System
While most IT professionals agree that the hard copy device environment presents potential risk to the network - many suggest that the risk is minimal because these devices sit behind a firewall. Although it is true that the firewall will block sniffing attacks, it is unrealistic to think that there is control over all downloads from the Ethereal. Streaming quantities of sensitive information flowing to such devices makes it possible for criminals to intercept data off the wire if the transmission is not secured by encryption.
The eight elements identified in Figure 1 detail a number of vulnerabilities of the hard copy output device environment. These potential threats involve the functionality of the device as well as the resulting implications when connected to the network.
Figure 1. Closing down risk. The hard drive is just one of eight points of risk for hardcopy peripherals. While most vendors secure only the hard drive, Xerox has closed all eight entry points on more than 30 products.
Should a company leave any of these eight doors open through poor configuration and management of devices, they put themselves at risk for an attack that may result in the unintentional release, compromise or theft of protected and confidential information. And, as enterprise practices and procedures are the main focus of regulatory laws such as Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach Bliley (GLB), Sarbanes-Oxley and the Family Educational Rights and Privacy Act (FERPA), organizations should be paying particularly close attention to their data.
For example, having technical standards that require the placement of an authentication mechanism to mutually verify both sides of a transmission where Personally Identifiable Information (PII) is involved is a common requirement in all of these regulations. All transactions must be securely logged and maintained and if the transmissions are conducted over an insecure medium, and encryption is not deployed, a company could be at fault for putting PII information at risk. The loss of such personal data could end in civil or criminal penalties against the victimized company if compliance or regulatory laws have been broken. Incidents like this could also jeopardize reputation, credibility and a company's competitive advantage.
Securing the Environment
The threat of data loss and non-compliance penalties makes it essential that companies have a plan to secure their networked peripherals.
The best way to protect a network from these threats is to only connect certified devices where higher levels of security are required, and to properly monitor and update these machines as necessary. To help customers in the purchasing of secure devices, the National Information Assurance Partnership (NIAP) has created a Common Criteria Certification program. NIAP is a U.S. government initiative designed to meet the security testing needs of both information technology manufacturers and users, and the Common Criteria Certification program is an internationally recognized standard for security claims of IT products and systems.
According to NIAP, the certification process involves an impartial assessment, or security evaluation, including analysis of the IT product and testing for conformance to a set of security requirements. In fact, the U.S. Department of Defense requires all IT products used within the department, all military branches, and installations such as air bases or the Pentagon, to have Common Criteria Certification. Financial services organizations such as insurance, banking and mortgage companies also often require strict security measures and technology.
By adopting the standards that federal government agencies must meet for information security - arguably the toughest standards in existence today - organizations can be confident that they are meeting the security and privacy needs for the most sensitive information. Office devices that have received Common Criteria Certification for use in national security by the federal government can provide the highest level of security available.
NIAP identified eight entry points for hackers on multifunction devices. Still, technology vendors can comply by certifying just the hard drive - that leaving seven other vulnerabilities that still exist. Some vendors in the document management space offer NIAP-certified security kits only for their products. But these kits are the only components that are certified - not the device itself. By using security kits and patches, vendors only close off one of the access points. Organizations looking to best secure their network should look for a vendor, such as Xerox, who has certified its entire device, securing all eight entry points of the product.
Two additional steps companies should consider to ensure maximum data protection are to make sure that networked devices are not left in common, un-secure work areas such as a hallway - elevating the risk factor for a physical attack. The second is to require employees to enter user IDs and passwords before they access multifunction devices, just as they would need to before accessing a networked computer. By keeping tabs on the placement of devices within the organization, companies can better protect confidential and private data that is left, for example in the tray of a printer, from being viewed by unauthorized employees or visitors.
Trade Secrets in Danger
If security measures are not put in place, a company is also putting itself at risk of economic espionage attacks - through un-secure networked devices or other means. Recent viruses including Nimda, Code Red and Sobig.F have demonstrated that malicious attacks can have a global impact in a short period of time and cause billions of dollars in damage. With these threats showing no signs of slowing down, it is no surprise that in 2005 Gartner identified viruses, worms, and trojans as the number one security threat to the enterprise. As the variety and sophistication level of network attacks increases - so does the value of information in both the global and black markets. Still today this threat continues to grow, as demonstrated in a FBI study released this past March stating that U.S. businesses lose $67.2 billion a year dealing with viruses, spyware, PC theft and other cyber crime costs.
Organized "net" criminals, terrorists and espionage operatives thrive on finding vulnerabilities in people, processes, technologies and physical environments and then exploiting them. Technological advancements have armed these criminals with illicit software and other skill sets enabling them to navigate in and out of enterprises around the world. Such network intrusions are difficult to detect and law enforcement efforts to identify, apprehend and prosecute are daunting and often impossible to implement.
When these infiltrations are successful, they can become a "weapon of mass reduction" to a company's bottom line. With this realization, corporate leaders and board executives must awaken to the reality that private and confidential information is at risk in today's world, and implement aggressive measures to assure control and accountability across the enterprise.
The Economic Espionage Act, passed by Congress in 1996, protects companies by making it a federal crime to take, download, receive or possess trade secret information without the owner's authorization. Trade secrets are defined as all forms and types of financial, business, scientific, technical, economic or engineering information that has been reasonably protected by the owner and has economic value but is not generally known. While federal prosecutors continue to bring those accused of economic espionage crimes to trial under this law. less then 50 cases have been prosecuted to date, demonstrating the serious complexity of such cases.
The Economic Espionage Act requires the victimized company to prove where the information originated and who actually owned it. In addition, the company must prove that it made efforts to protect it, a process often referred to as "due care."
Organizations that have had proprietary information taken illegally have had difficulty knowing that a breach occurred in the first place. When they have known, they've faced great challenges bringing charges against the accused perpetrators. So, while laws have been established, it's up to companies to protect their data and have the resources ready to defend themselves should attacks occur.
Who Else is Watching Your Network?
Many organizations do not realize the threat posed by trusted employees who are setting aside the company's interests for their own gain. In September 2005, a design engineer at Volterra, a semiconductor company, admitted to downloading proprietary Volterra data sheets worth at least $100,000 to his personal laptop and then emailing them to competitor CMSC Inc., in Taiwan. Companies that fail to restrict access to important information or to enforce non-disclosure and non-compete agreements, are likely to face similar issues.
Another substantial breach occurred in a major U.S. corporation when a disgruntled employee decided to fax detailed engineering specifications on a market-making product to his employer's nearest competitors. Nobody knew he did it until one (and only one) of the competitors called to say that they had obtained something they should probably not have received. This act would have gone unnoticed in most organizations as document and content governance remain sub-standard.
Disloyalty, along with the accidental transfer of confidential documents by employees, demonstrates the need for companies to carefully consider information access and permission levels. An unauthorized employee who reads a confidential document in the tray of a printer, or an unethical worker who maliciously uses print, fax, scan or email options to send confidential documents to the competition, are all potential risks for corporations.
Security is Not a Trend - Protect Yourself
The bottom line is this: Security is not a trend. Until we accept that premise, corporations around the globe will continue to be stuck in a reactive mode. Consider the recent in-depth worldwide study conducted by CIO Magazine and PriceWaterhouseCooopers that drew responses from more than 8,200 IT and security executives in businesses from 63 countries. Among the facts unearthed, the survey showed that just 37 percent of respondents said they had an "information security strategy" in place.
In today's world, this is simply not good enough. Business enterprises can ill afford to sit back and wait for a security incident occur. It is imperative that they be strategic, proactively developing a holistic approach to security that preempts malicious attacks and mitigates risk.
Security has a lot to do with technology, but everything to do with people. Therefore, combining employee security training and awareness with the implementation of technology to better classify, track, and monitor the access and use of critical information assets are steps every organization should take to safeguard against the pitfalls of economic espionage.
Routine business activities can often expose the organization to both internal and external threats that companies must be aware of. Instead of looking at just the technological aspects of security measures, organizations should take a cultural approach to security - recognizing the integral role that people and processes play in the way business is conducted. Employees not only need to understand security policies, but they must also understand how their job description and responsibilities relates to the policy.
Steps to consider in protecting against internal and external threats include:
- Implement standards so if a valued employee takes a job with the competition, they are not able to leave with critical corporate information. Or, if a key employee is hired by a competitor set policies to prevent lawsuits that allege an inappropriate disclosure of intellectual assets from the new hire about their previous employer.
- Access rights and privileges must be immediately revoked once an employee is terminated. Yet, while they are there, the correct permissions and access to information must be in place.
- Install a Virtual Private Network if the Internet is used to maintain connectivity between multiple offices.
- Carefully manage and control foreign delegation visits to manufacturing facilities. This also applies to visits from vendors.
- Properly protect laptop computers, especially during travel, to ensure that data is not lost or stolen.
- Establish controls to safeguard proprietary information from being disclosed unintentionally during conferences, business meetings or international seminars.
A key step that many companies skip is the evaluation of work practices and analysis of how and where secure knowledge is transferred. Following a structured approach, organizations can identify the information that represents the greatest threat to the company if exposed. Knowing how and where secure knowledge is transferred before investing in technology will result in a more comprehensive defense plan, and save the corporation money by evaluating the whole picture before investing in individual security elements.
Appointing a corporate information executive or CSO to lead a security team will help make this plan a priority. The team will be accountable for capturing and protecting all of the company's competitive advantage intelligence. Once the critical information is identified, policies can be developed that address several key areas: the identification, classification and marking of sensitive information, guidelines for distribution of information, physical security and information technology security. Training programs to educate employees on the threats and their obligation to report any un-secure activities should also be implemented.
After the threats have been identified and the security team has achieved company-wide buy-in on the importance of trade secret management and security, organizations can then focus on achieving the objectives of the information security plan.
Just as documents have evolved and become much more than an 8.5" x 11" page, so too have the requirements for applying effective security to protecting the document and content. For example, technology can be embedded in paper documents to provide innovative security as documents 'roundtrip' between the digital and analog worlds. These technologies can be used to monitor and track who is accessing specific documents and content, and how frequently. Some machine-readable security labels can be applied in a manner that they are unrecognizable to the human eye.
To further elaborate on this capability, a process known as "event correlation" enables the submission of alerts to the IT security team when access to device features e.g., print, copy, scan, and fax, does not align with corporate authorizations. At that point, appropriate investigation may be initiated and an official record documented.
With economic espionage attacks costing U.S. businesses billions of dollars a year, corporations cannot afford to ignore this issue. Advancements in the digital age are not slowing down. While financial gain may be the same motivator for economic espionage attacks and infiltrations as it was hundreds of years ago when thieves schemed to steal the secret processes of the China Silk Industry, the technology behind these attacks is quite different. Organizations must have systems in place to stay ahead of development and criminals, to avoid breeches and the accidental loss of data. By looking at the whole picture when evaluating the effectiveness of document management and security systems, organizations can protect themselves from the theft of trade secrets and the loss of critical information.
Because information is the new currency of the Internet age, it is an essential mandate that these critical information assets and trade secrets be recognized in a robust security management system. Organizations must have strategic plans and systems in place to proactively forecast the next steps of potential attackers and adversaries. Traditional security was designed to protect against external threats such as organized crime, but the greater threat today resides within. Today's enemy is virtual and can be virtually anyone.
About the Author
David F. Drab, as a principal for Xerox Global Services, collaborates with business units worldwide to deliver reliable security services and solutions to public and private enterprises. Drab brings a 32-year career in law enforcement to his position, including 27 years with the Federal Bureau of Investigation. Drab previously served in the FBI's Cleveland Division, where he investigated foreign counterintelligence, terrorism and organized crime. He spearheaded the division's economic espionage program and led the investigation into the theft of Alzheimer's-disease research and related DNA materials that resulted in the first indictment under the Economic Espionage Act of 1996.
Article © Copyright 2006 Xerox Global Services. Used by permission.
Share This Article