The problem we have is that there are lots of things on networks that aren’t computers in the traditional sense but have access or provide access to data either physically or logically. I was listening to a Pauldotcom security podcast (audio, video iTunes links, some occasional rough language), and two presenters on the Episode 237 podcast bring the point home.
Organizations are vulnerable to Advanced Persistant Threats where the bad guys are always finding new ways to exploit vulnerabilities, and the good guys have to defend against every possibility. Attack vectors arise often from the things that are considered the most innocuous in our everyday environments. Two examples, Access Cards and Multifunction Printers, and newly their discovered weaknesses were the focus of the podcast.
What two Texas researchers, Michael Gough and Ian Robertson, have discovered — the YouTube videos are scary — is that most access card systems now use web servers to provide remote access and are installed with lots of vulnerable services left running and with the default passwords (which are easy to find). A simple Android app called Caribou is able to open doors with a simple push of a button once the IP address of the server is identified. When you think of the number of access card systems installed in HOA’s and businesses across the nation, the enormity of the risk becomes easily apparent. The lesson here is to only hire qualified installers who emphasize the technical and physical aspects of security.
Deral Heiland “PercX” and Pete Arzamendi “Bokojan” were also on the podcast, and they discussed multifunction printers. Using a tool they developed called Praeda they discovered that printers had accounts with rights to Active Directory, file shares and SharePoint servers. When you think about the fact that printers can now send email messages, the possibilities of data breaches and denial of service attacks should be a cause for concern — especially given the fact that patching printers is not usually high on the checklists of most system administrators. While monitoring user access and account management can somewhat mitigate the risk, a more comprehensive risk management methodology to deal with new technologies is called for.
Security that only deals with Computer Systems is, as we have just discussed, overlooking huge holes in the overall IT environment that truly compromises the confidentiality, integrity, and availability of the data you are the custodian of.
Originally published on Ted’s blog, A Chatham Techie