Sunday, 6th May 2012
Security in the Office
We all know what "Security in the Office" means, don't we ?
From antivirus, firewall Internet routers, and strong passwords to network permissions, VPNs, documentation, system backups, web filtering, and hands-on management, we all know what it takes to create a secure environment @ the office.
Some of you will be implementing those security measures yourselves while others will have IT specialists implementing a secure office environment for them.
Recently one of our Lexmark X543 laser printers developed a particular colour depth problem and a Lexmark engineer came to have a look at it. After spending the best part of 4 hours trying everything, from changing the imaging kit, the system board, and various other things, the result was still the same, the deep red would print orange rather than red. He decided then that rather than spend any more time he would come back the next day with an exchange printer. He duly came back the next day and swapped our printer for a new one. Problem sorted !
At long last deep reds were printing deep reds.
It was relief all round as this had been an irritant for two weeks or so. All we now had to do was simply restore the configuration of the printer from the configuration backup we had taken. That is when a major security hole dawned on us : prior to allowing the engineer to take our old printer we did not erase the configuration of that printer. One of the items in that configuration is an SMTP service we had configured that printer with so that its scan-to-email function would work. Basically, through the printer's web interface you can configure the printer with an SMTP server and, if required, an SMTP username and SMTP password for SMTP authentication. The web interface masks the password, so you cannot read it off the screen, you have to know it. However, if you take a backup of the printer's configuration, the password is written unencrypted to a file where it can be read with any text editor or word processor ! And our old printer was now with..... Lexmark's engineering repairs department !
In short, simply through needing to have our printer repaired we opened a major security hole in our defences....
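A pre-handover check for the leak described above, as an added example (not from the original post or from Lexmark): it scans an exported configuration backup for stored secrets, plus the e-mail addresses and internal IP addresses such a configuration also holds. The key=value layout and the key names in the sample are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample of an exported settings file. The key names and the
# key=value layout are assumptions, not Lexmark's real backup format.
SAMPLE_BACKUP = """\
device.name=Office-MFP
smtp.server=mail.example.test
smtp.port=25
smtp.username=scanner@example.test
smtp.password=Summer2012!
snmp.community=
addressbook.1=alice@example.test
addressbook.2=bob@example.test
dns.primary=192.168.10.2
ntp.server=8.8.8.8
"""

SECRET_KEY = re.compile(r"pass|secret|community|pin\b", re.I)
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def audit_backup(text):
    """Return (line_no, kind, key) findings; stored values are never echoed."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not value:
            continue  # not a setting, or nothing stored under this key
        if SECRET_KEY.search(key):
            findings.append((n, "plaintext-secret", key))
        if EMAIL.search(value):
            findings.append((n, "email-address", key))
        for candidate in IPV4.findall(value):
            try:
                if ipaddress.ip_address(candidate).is_private:
                    findings.append((n, "internal-ip", key))
            except ValueError:
                pass  # dotted digits that are not a valid IPv4 address
    return findings

if __name__ == "__main__":
    for line_no, kind, key in audit_backup(SAMPLE_BACKUP):
        print(f"line {line_no}: {kind} in '{key}'")
```

Any finding means the device still holds data that should be wiped with a reset to defaults before it leaves the building.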
So, given how easy it was for us to make this mistake, I thought I should remind our users of those non-obvious potential security holes one can so easily overlook :
Network multifunction printers : reset their configuration to default before you sell the printer or give it away, or if an engineer wants to swap it out with a new one. Remember, it is not just SMTP passwords that are at stake, but, also, users' email addresses, and some internal IP addresses.
Digital photocopiers with hard disks : never ever ever allow a photocopier engineer to walk away with the hard disk of your photocopier as that hard disk will have copies of all the photocopies and print jobs made through that photocopier going back weeks, months, and sometimes years ! If the engineer says the hard disk needs changing, make sure someone oversees the job and insist on keeping the hard disk, even if it means having to pay for it. Ditto when you sell the photocopier, part-exchange it for a new one, or give it away.
Phone systems with remotely operated voice mailbox facilities : remember, all the phone hacking scandals which are engulfing News International in the UK and possibly Fox in the US, are nothing more than users and companies not having changed the default remote voice mailbox PIN and the journalists or private detectives doing the hacking having a list like this one but for telephone systems and their PIN numbers.
Shred everything : Yes, everyone understands the need for shredding and I will not re-explain it here, but the reality is that employees are often not as security conscious as the owners of the business, yet the wrong piece of paper in the wrong hands could destroy your business, expose you to a lawsuit, etc... Make shredding mandatory and, above all, make sure that no employee is more than 5m away from a shredder, for two reasons : 1) to save your employees valuable time, and, 2) to get around the occasional employees not being "bothered". The ideal situation, of course, is for every employee to have a good and easy-to-use shredder next to them....
USB pens : the world suffers more sensitive data losses through the use of USB pens (flash drives) than through all the other means combined. USB pen drives are so so easy to use and.... so so easy to lose ! Have a mandatory employee policy that USB pen drives should never ever be used for confidential data. For this to be possible you need to provide your key employees with remote access facilities that will obviate the need to use a USB pen drive. Some organizations go as far as disabling all USB ports on their PCs.
Mobile devices : if you have allowed some of your employees to access their emails through their cellphones and iPads, did you remember to tighten up your employee policies so that they appreciate that the confidentiality of information applies when they are out of the office, e.g. at home or elsewhere ? Did you remember to ensure that all those users are required to password-protect those mobile devices in case they get lost ? When an employee leaves, do you remember to disable their mobile device access ?
So, I hope the above has been of use, and, in these days of ever increasing Internet Fraud and Identity Theft, remember to spread the word :
Ciao, and have a good day.
—— (TUT) SpaceMan