The CBS Evening News recently broadcast a story called
"Copy Machines a Security Risk?"
The information presented in the story was alarming, to say the least,
but CBS only scratched the surface of the topic. For companies that rely on keeping
confidential and proprietary information away from competitors or hackers, there's
much more you need to know about the inconspicuous digital copier. In this article, we'll look at five areas
where confidential information may be compromised.
If you haven't seen the CBS story, please click on the link
at the bottom of this page and view the five-minute broadcast before you
continue with this article.
In addition to the risks presented in the CBS story, here are
five additional areas where copiers can compromise your security.
1. Many digital
copiers are also network printers that store network information such as IP
addresses, subnet masks and gateway IPs.
These settings are not stored on the hard drive and are not cleared by
the digital copier "Purge" feature.
Network settings must be manually cleared. Security experts will tell you to keep your
network configuration private. You don't
want competitors or hackers to know your internal network configuration. The more information about your network
infrastructure that's accessible to hackers, the less they have to figure out on
their own and the sooner they can compromise your network.
2. Many digital copiers store the IP addresses of your DNS
servers and/or Domain Controllers.
Depending on the type and model of your copier, this information may not
be cleared by your copier's "Purge" function. You definitely don't want competitors or
hackers knowing the IP addresses of your Name Servers or Domain Controllers.
3. Many digital copiers store email addresses and some even
download your entire Email Global Address List to the copier. Again, you don't want this to be accessible
to those outside your company.
4. The "Purge" function used by older digital copy
machines doesn't delete any data from the copier hard drive. It only renders the data inaccessible to the
copier software. It either deletes a
file we techies would call a "file allocation table" or it uses
other tactics to render the data unreadable to the copier software. The "Purge" button merely gives the
illusion that the disk has been cleaned.
However, the data is still there and can be recovered, as shown in the CBS
story. Most copier security policies
rely on this built-in Purge function, and the people behind them think their data is cleared. It is not cleared. It can still be accessed with free scanning
tools available on the internet.
5. If your copier has a fax capability, the copier also
stores all the phone numbers it dialed and numbers that dialed it along with any
information you provided in your Fax phone book. Again, the "Purge" function will
not clear this information.
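
The gap described in item 4, as an added example that is not part of the original article: a constructed toy disk image whose "purge" clears only the file table, and a residue check a defender could run over a raw image of a removed copier drive before the machine is released. The image layout, the signature list and all function names are assumptions for illustration; the check covers only the drive image, not the network settings, flash memory or fax data covered in the other items.

```python
BLOCK = 512
# Magic numbers of formats a copier plausibly stores scans in (assumed list).
SIGNATURES = {b"%PDF-": "PDF", b"\xff\xd8\xff": "JPEG", b"II*\x00": "TIFF"}


def put(image, offset, data):
    """Write data into the image without changing the image size."""
    image[offset:offset + len(data)] = data


def build_image():
    """Constructed toy disk: block 0 is a file table, later blocks hold scans."""
    image = bytearray(BLOCK * 8)
    put(image, 0, b"scan001.pdf\x00\x02\x00\x00\x00")   # table entry -> block 2
    put(image, BLOCK * 2, b"%PDF-1.4 payroll summary")   # constructed content
    put(image, BLOCK * 5, b"\xff\xd8\xff")               # constructed JPEG header
    return image


def table_only_purge(image):
    """What item 4 describes: clear the file table, leave data blocks alone."""
    put(image, 0, bytes(BLOCK))


def full_overwrite(image):
    """Overwrite every block, the result a real sanitization step should give."""
    put(image, 0, bytes(len(image)))


def residue_report(image):
    """Return (non-zero block numbers, [(offset, format), ...]) for a raw image."""
    data = bytes(image)
    dirty = [i // BLOCK for i in range(0, len(data), BLOCK)
             if any(data[i:i + BLOCK])]
    hits = []
    for magic, name in SIGNATURES.items():
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = data.find(magic, pos + 1)
    return dirty, sorted(hits)


if __name__ == "__main__":
    img = build_image()
    table_only_purge(img)
    print("after table-only purge:", residue_report(img))
    full_overwrite(img)
    print("after full overwrite:  ", residue_report(img))
```

An empty report means only that the imaged drive holds no non-zero blocks; it says nothing about settings the copier keeps elsewhere.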
One of the biggest obstacles surrounding this whole issue of
copier security is the apathy and ignorance of the manufacturers. Most copier technicians today still believe
the built-in Purge function deletes all information on the copier. To make matters worse, most copier
technicians don't know where the different types of information are stored. Some data is stored on the hard drive, some
data in flash memory, and some data is stored in firmware. Sensitive information is stored in different
places depending on the manufacturer and model of copier. Just when you think it can't get worse, let me drop the final shoe. There are no utilities that will scan an
older digital copy machine and certify that it has been completely purged.
As I mentioned earlier, this CBS news story only scratched
the surface of the real risks associated with digital copier security. The copier security pioneers who were
interviewed in the CBS story, Digital Copier Security Inc., have done extensive
research on these security risks and are working to provide services and
resources to help companies thoroughly purge their older copy machines. I applaud Digital Copier Security for
bringing this issue to the attention of Corporate America and for working
diligently to address this significant security hole.
I encourage the Copier
industry to take responsibility for ensuring new copiers have the
capability to purge themselves of all sensitive information and to provide a
certification report indicating what has been purged. This should be a standard feature on all
Digital Copiers and not an add-on feature that comes at an additional
cost. Additionally, copier technicians
should be trained to thoroughly purge all Digital Copiers.
Until such a time, Corporate America must take necessary
steps to ensure their own safety. They
must ensure they are not exposing themselves to unnecessary security risks or
even breaking Privacy Laws. Digital copiers must have processes defined (and
documented) that ensure appropriate actions are taken before copiers are
released to third parties.