Departments often become so accustomed to their business as usual practices that they may not even realize something simple they do every day can be a huge liability for their organization. Most multifunction printers, copiers, and scanners have a default setting that will store a copy of all documents and images processed. These devices have hard drives full of unencrypted information that may be of interest to criminals. If sensitive information is being inadvertently stored on the machine, criminals may easily be able to access and download this critical data from the machine without your knowledge. How often does your organization call a repairman to come look at the copy machine? Would your employees remember to verify the identity of a repairman who claims he is there to perform maintenance on your machines? Do they know who to call to confirm that the request was even made?
While there is a large focus on securing computers and systems from cyber risks, these machines are often discounted as mere hardware and may be left vulnerable with default settings and outdated or unpatched operating systems. A simple strategy commonly used by hackers is to log in to a printer/copier using the manufacturer’s default password, which gives them direct access to the system. PCI DSS Requirement 2.1 dictates that all vendor-supplied defaults, including passwords, are removed or disabled prior to the system being put into production. Making this one simple change is an easy way to stop the above attack.
These devices are also often connected to internal or wireless networks, integrated with business systems, tied to e-mail systems, and given Local Area Network (LAN) authentication. Through open ports or protocols, these overlooked systems may become the open door for criminals to gain access to other more sensitive assets within the network.
Another common risk occurs when the machines are no longer needed and they are sold or disposed of without properly destroying all data. Failure to follow proper protocol and remove all sensitive information before disposal of the equipment can easily lead to a breach. Because the device is no longer in your possession, both the time it takes for you to discover the breach and the potential damage may be greater.
Organizations must document the risks associated with all information assets that create, receive, maintain, or transmit cardholder data, as well as other sensitive information, like Personal Health Information (PHI). Below are some of the questions you may want to ask to verify if the use of multifunction printers, scanners, fax machines, and copiers is putting your organization at risk:
- Who has access to the device and where is it located? Is the location secure?
- Is access to stored media protected?
- Will the device be connected to the network?
- What other devices/information are available on that same network?
- Is sensitive information (e.g. CHD, PHI, etc.) processed, stored, or transmitted by the device?
- Is the information encrypted at every point, i.e. both when stored and when transmitted?
- What functions are necessary (i.e. is the network connection a business need)? Can unwanted applications or features be removed?
- Is the device owned by your organization or leased? If leased, what are the procedures for data destruction prior to the device being returned?
- How is the operating system updated?
- Who is responsible for configuring and maintaining the machine?
- Is activity on the machine monitored/logged?
- Are proper procedures/policies in place for disposing of the machine when it is no longer in use?
Don’t overlook these common devices during your annual risk assessment! If cardholder data is being stored or transmitted on a machine, it is in scope (as well as the network and connected devices) and will need to have all of the appropriate security controls implemented (e.g. scanning, logging, penetration testing, etc.). Most likely, a simple change in business process, like removing cardholder data before scanning a document, will be less expensive and use fewer resources than trying to secure everything that may be brought into PCI scope if the practice continues.
Please contact us if you have any questions or would like to discuss your organization’s use of multi-function devices and the potential impact on your overall compliance status.
Some additional guidance from our Security Advisor team is below:
[Wallace]: On a past engagement, I encountered an unsecured copier with a “scan to network” configuration. Although the stored password met complexity requirements, the copier did not encrypt the credentials, which would have given an attacker very easy initial access to the rest of the network.
Every network-connected device should be considered when reviewing the security of your environment, even if it seems insignificant.