Dark Reading is part of the Informa Tech Division of Informa PLC

Attacks/Breaches

6/18/2010
04:41 PM

Looking For Vulns In All The Right Places? Experts Say You Might Be Missing A Few

Network-attached devices, paper documents, and your physical plant should be included in vulnerability scans, researchers warn

The biggest vulnerabilities in the enterprise might be items we see every day -- and just don't think about.

Experts say that vulnerability assessments often overlook the everyday dangers: Network-attached devices that aren't computers. Paper documents. Passwords posted in plain view. Portable storage devices.

Most of these would never be touched by a traditional vulnerability scan, which enumerates hosts and open services rather than paper, badges, or the storage inside a copier. Yet they can leak data just as surely as a keylogger or a data-stealing Trojan, experts say.

"Peripheral devices on the network may have capabilities the business doesn't know of," says Kevin Brown, delivery manager for custom testing at security assessment firm ICSA. "And those capabilities can create security vulnerabilities."

Printers, fax machines, and multifunction devices with persistent storage could all serve as entry points for a sophisticated hacker, Brown observes. And the presence of internal storage might not be clear at first glance, nor does it necessarily show up on traditional security audits.

"An automated vulnerability scan may not reveal which printers and other hard copy devices have hard drives," Brown observes. "As a result, the business isn't aware that digital copies of sensitive information may remain in the printer."

A thorough vulnerability assessment should include examining all hard copy devices for internal storage capability -- this could require contacting the manufacturer or even opening the machine, Brown says. Enterprises also should take steps to ensure that digital files are wiped from these devices as soon as the hard copy is produced or the fax transmitted. This could mean purchasing and installing additional software from the manufacturer.

Other network-attached devices could also be vulnerable, Brown observes. "Any device connected to the network needs to have its security validated," he says.

He offers security cameras as an example. "For cost-saving and other reasons, companies have shifted security cameras from dedicated coaxial cable connections to TCP/IP connections, which run the risk of being vulnerable to cross-site scripting attacks and remote control takeover."

Even backup power devices might be at risk, Brown warns. "UPS devices connected to the network could enable an attacker to take control," he says.

Brown offers three bits of advice for all network-attached devices. "The biggest risk is leaving the default password in place," he says. No matter the device and its purpose, he advises, users should change its password before connecting it to the network.

"Second," Brown continues, "review all of the features that the device offers. Web printing capability may not be useful as a business function at your company, but it could be very useful to an attacker."

Finally, he points out that maintaining security readiness on peripheral devices is an ongoing process. "Incorporate all devices into your patch cycle," he says. "We're all familiar with Microsoft and Cisco patches -- but when was the last time you upgraded the firmware on your printer? Seek out patch information on every device connected to your network, and incorporate them into your patching cycle."
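The three rules above (change the default password, disable features the business does not use, and put every device into the patch cycle) can be turned into a repeatable audit of the asset register. The following Python script is an added example written for this page, not code from the article or from ICSA; the device inventory, the vendor default credentials, the current firmware versions and the per-device-kind service baselines are all constructed for illustration and would in practice come from the vendor's documentation, release notes and your own configuration records.

```python
"""Audit network-attached peripherals against three rules: default
credential changed, unneeded services disabled, firmware current."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Device:
    name: str
    vendor: str
    kind: str            # printer, camera, ups, fax, ...
    address: str
    admin_user: str      # credential currently configured on the device
    admin_password: str
    firmware: str
    services: frozenset  # services/features currently enabled


# Constructed reference data (assumption): the credentials each vendor ships
# with and the firmware it currently publishes. Real values come from the
# vendor's documentation and release notes, not from this script.
VENDOR_DEFAULTS = {
    ("acme", "printer"): [("admin", "admin"), ("admin", "")],
    ("acme", "camera"):  [("root", "pass")],
    ("voltco", "ups"):   [("apc", "apc")],
}
CURRENT_FIRMWARE = {
    ("acme", "printer"): "2.15.0",
    ("acme", "camera"):  "5.60.1",
    ("voltco", "ups"):   "6.9.6",
}
# Services each device kind needs for its business function (assumption);
# anything beyond this list is surface area for an attacker, not for you.
REQUIRED_SERVICES = {
    "printer": {"ipp", "https"},
    "camera":  {"rtsp", "https"},
    "ups":     {"snmpv3", "https"},
}


def version_key(version):
    """Turn '2.15.0' or 'v6.9.6-rc2' into a tuple that compares numerically,
    so '2.9.0' is correctly older than '2.15.0' (string compare gets it wrong)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def audit(device):
    """Return the list of findings for one device; an empty list means clean."""
    findings = []
    key = (device.vendor, device.kind)

    # Rule 1: the configured credential must not be one the vendor ships.
    if (device.admin_user, device.admin_password) in VENDOR_DEFAULTS.get(key, []):
        findings.append("default credential still in place")

    # Rule 2: every enabled service must be justified by the device's role.
    extra = device.services - REQUIRED_SERVICES.get(device.kind, set())
    if extra:
        findings.append("unneeded services enabled: " + ", ".join(sorted(extra)))

    # Rule 3: the device must be on current firmware, and a device with no
    # known baseline is itself a finding because nobody is tracking it.
    current = CURRENT_FIRMWARE.get(key)
    if current is None:
        findings.append("no firmware baseline; add device to patch cycle")
    elif version_key(device.firmware) < version_key(current):
        findings.append(f"firmware {device.firmware} behind vendor release {current}")
    return findings


def audit_all(devices):
    return {d.name: audit(d) for d in devices}


# Constructed inventory (assumption), the way an asset register might export it.
INVENTORY = [
    Device("print-lobby", "acme", "printer", "10.0.5.20", "admin", "admin",
           "2.14.1", frozenset({"ipp", "https", "http", "telnet", "web-print"})),
    Device("cam-dock-1", "acme", "camera", "10.0.9.11", "root", "S3cur3!cam",
           "5.60.1", frozenset({"rtsp", "https"})),
    Device("ups-rack-a", "voltco", "ups", "10.0.1.250", "apc", "apc",
           "6.8.0", frozenset({"snmpv1", "snmpv3", "http", "https"})),
    Device("fax-legal", "oldco", "fax", "10.0.5.21", "service", "1234",
           "1.0", frozenset({"http"})),
]

if __name__ == "__main__":
    for name, findings in audit_all(INVENTORY).items():
        print(f"{name}: " + ("; ".join(findings) if findings else "ok"))
```

Run as-is it reports the lobby printer on all three counts, the UPS on all three, the camera clean, and the fax machine both for an exposed web interface and for having no firmware baseline at all, which is the "when did you last upgrade your printer's firmware" gap in machine-readable form. Note the numeric version comparison: comparing firmware strings lexically would call "2.9.0" newer than "2.15.0".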

Many of these office devices produce a lot of paper -- paper which, as security consultant Steve Stasiukonis of Secure Network Technologies points out, can be a vulnerability itself.

"Take a look at your copier station," Stasiukonis says, noting that many companies overlook sensitive material that might be found in unsecured places. Recycling bins or preshredder collection stations holding unshredded materials can be rich sites for information-miners, he notes.

Documents that aren't shredded could be the cause of a data breach, as a recent New Jersey incident revealed when papers containing Social Security numbers and other personal information were found in a public dumpster.

"And don't forget the amount of paper and other sensitive information on employees' desks," Stasiukonis advises.

A workplace walk-through -- even in a "clean desk" environment -- can often reveal security badges and swipe-cards lying in plain sight, ripe for the taking, Stasiukonis explains. In his physical penetration tests, Stasiukonis also frequently finds passwords and log-ins on sticky notes and on keyrings hanging from thumbtacks in cubicles.

Even if you don't see anything at first glance, Stasiukonis suggests, look a little closer. "Have your employees turn over their keyboards for inspection," he suggests, noting that many users stick their passwords there for easy recall.

Stasiukonis also recommends checking devices, such as copiers, for default service tech passwords, which might remain in place even if the business has changed its own access and log-in codes.

"Check to be sure that security cameras haven't been repositioned," he adds. "Scan for infrared devices. Examine the security not only of IT administration notebooks, but also physical plant management and control notebooks. Beyond that, an examination of the contents of employees' desks can reveal treasure chests of vulnerabilities.

"But," he cautions, "before going into employees' desks, you should review your plans with your human resources department." Whatever your company's legal rights, many employees resent having their desks checked, so be sure to educate them before conducting a search, he explains.

Another vulnerability vector -- and in many ways the most common one -- is human nature.

Security professional Scott Wright's Honey Stick Project put human nature to the test by leaving specially prepared USB drives in plain sight. The files on each drive were harmless, but they were configured to report back when opened, so the project could log which drives had been plugged into a business device and used.

Such behavior is typical, according to Wright. As he notes on his Streetwise Security Zone site: "Out of 54 devices dropped with specially configured -- but safe -- files on them, the Honey Stick Project has detected that at least 35 of these devices have had files opened."
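The mechanics of such a drop can be modelled with a beacon: each drive's files carry a URL with a token unique to that drive, opening a file fetches the URL, and a server you control records which drive was used, from where, and when. The following Python script is an added illustration of that technique and is not the Honey Stick Project's own code; the drive labels, the `/b?t=` beacon path and the use of a Windows .url shortcut as the "safe" file are assumptions made here.

```python
"""Honey-stick beacon logger: one token per dropped drive, a server that
records which tokens were opened, and a harmless file that triggers it."""
import secrets
import threading
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlparse


class BeaconRegistry:
    """Maps beacon tokens to drive labels and keeps every hit seen for them."""

    def __init__(self):
        self.drives = {}    # token -> drive label (where it was dropped)
        self.hits = []      # (utc timestamp, label, client_ip, user_agent)
        self.lock = threading.Lock()

    def register(self, label):
        """Mint an unguessable token for one drive and remember where it went."""
        token = secrets.token_urlsafe(12)
        self.drives[token] = label
        return token

    def record(self, token, client_ip, user_agent):
        """Log a hit for a known token; unknown tokens are ignored, not logged."""
        label = self.drives.get(token)
        if label is None:
            return False
        with self.lock:
            self.hits.append((datetime.now(timezone.utc), label, client_ip, user_agent))
        return True

    def opened_drives(self):
        """Labels of drives whose files were opened at least once."""
        return sorted({label for _, label, _, _ in self.hits})


def make_handler(registry):
    class BeaconHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            token = parse_qs(urlparse(self.path).query).get("t", [""])[0]
            registry.record(token, self.client_address[0],
                            self.headers.get("User-Agent", ""))
            # Answer 204 with no body: nothing is served to the finder's machine,
            # the only effect is the log entry on our side.
            self.send_response(204)
            self.end_headers()

        def log_message(self, *args):
            pass  # the registry is the log; keep stdlib access logging quiet
    return BeaconHandler


def start_server(registry, host="127.0.0.1", port=0):
    """Start the beacon listener in a background thread (port 0 = any free port)."""
    server = ThreadingHTTPServer((host, port), make_handler(registry))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def beacon_url(base, token):
    return f"{base}/b?t={token}"


def internet_shortcut(url):
    """Contents of a .url file; Windows opens the URL in a browser when it is
    double-clicked, which is the whole 'payload' of the drive."""
    return f"[InternetShortcut]\r\nURL={url}\r\n"


if __name__ == "__main__":
    import urllib.request

    registry = BeaconRegistry()
    server = start_server(registry)
    base = f"http://127.0.0.1:{server.server_address[1]}"
    # Constructed drop locations (assumption).
    tokens = {label: registry.register(label) for label in ("drive-07 parking lot", "drive-12 lobby")}
    print(internet_shortcut(beacon_url(base, tokens["drive-07 parking lot"])))
    # Simulate a finder opening the shortcut from drive 07.
    with urllib.request.urlopen(beacon_url(base, tokens["drive-07 parking lot"])) as resp:
        print("beacon answered", resp.status)
    print("opened:", registry.opened_drives())
    server.shutdown()
```

Write the output of `internet_shortcut()` to a file such as `README.url` on each stick, one token per drive, and the registry tells you afterwards which drop locations produced an open and from which internal address. The drive carries nothing executable, so the finder's machine is never touched; as with the desk searches above, clear the exercise with HR and legal before the first drive goes down.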

Vulnerability-scanning tools are a good place to start, but they can't see the whole enterprise, the experts warn. To find all of your vulnerabilities, you'll need to look at the things your users see every day -- in a new way.

