But how big is the risk? Risk acceptance varies from company, but my intuition says office equipment in normal business scenarios is low risk for a few reasons, primarily because almost no malicious hackers attack office equipment. There may be the opportunity and vulnerability, but the likelihood of the exploit being used is a big variable in determining risk. To paraphrase security great Bruce Schneier, "[If exploited copy machines] are your biggest worry, then you're doing better than the rest of us."
End-user workstations are by far a bigger risk. There's more of them, and malicious hackers are quite successful at exploiting them. Why turn to hacking the less numerous office equipment if other methods are working well?
Still, it only takes one determined hacker to mess up your risk estimation. Thus, it probably can't hurt to cover your butt. IT security needs to be aware of the risk and assess the dangers in your environment, create policy mitigations, and have senior management and internal auditors sign off on the solutions and remaining risk.
Policy considerations could include:
- Scan networked office equipment for software vulnerabilities
- Disconnect unneeded network interfaces
- Create a disposal policy that dictates what must be done to old "smart" office equipment before it leaves your company's premises (wiping the hard drive, clearing memory, clearing logon information, IP addresses, passwords, PINS, and so on)
- When new "smart" office equipment purchases are being considered, find out from the vendor what software the equipment runs and who's responsibility is to patch it
I can tell you from experience that the copier sales guy has absolutely no clue that a Web server software runs on the copier machine, much less how to secure it. Still, it can't hurt to ask and get the vendor thinking about security. Who knows? You may get lucky and find a vendor who's up on the subject and who'll make the appropriate disposal process a part of the lifecycle contract.
One company, ICSA Labs, has developed a new program to address related risks. Its Network Attached Peripheral Security (NAPS) program focuses on "devices such as printers, faxes, point-of-sale systems and postage machines." The goal is to verify that a network-attached peripheral device does not introduce any vulnerabilities into the network where it is installed and that the device itself is not vulnerable to exploitation.
Man, our job just gets tougher every day!
This story, "Unseen security risks lurk in the copy room," was originally published at InfoWorld.com. Follow the latest developments in security and read more of Roger Grimes's Security Adviser blog at InfoWorld.com.