The Achilles’ Heel of an Otherwise Secure Network?
Feb. 13, 2012
It’s only natural that organizations tend to concentrate their security resources on critical applications, servers, databases, and employee laptops rather than on peripheral computer devices. However, many organizations need to re-evaluate the small amount of attention they pay to the risks presented by peripheral hardware that resides on their networks – including video and audio conferencing systems used to discuss their organizations’ most closely held secrets.
For example, uninvited participants secretly attended a recent discussion of FBI and Scotland Yard personnel about their investigation of the hacking group Anonymous. Members of Anonymous were listening in on the conference call and published a 16-minute MP3 file of the conversation for the world to hear.[1]
H.D. Moore, chief security officer at security company Rapid7, recently reported that his scan of only 3 percent of the Internet revealed 5,000 audio and video conferencing systems that were configured to accept any incoming calls automatically – that is, systems anyone could dial in to without authorization or detection. The organizations found with devices exposed in this manner included legal firms, colleges and universities, medical centers, pharmaceutical companies, and even prisons.[2]
Digital cameras, printers, scanners, and copy machines that reside on corporate networks are also often vulnerable to penetration and pose the risk of private information or boardroom secrets falling into the wrong hands.
Following are some steps organizations should take to confirm that peripheral devices are not undermining the security of their networks.
- Secure a device before it is implemented. Turn off any unused device features and change any default passwords on the device. Place the device behind the firewall and, if possible, in a separate area from the rest of the corporate network, such as a demilitarized zone (DMZ), through which incoming requests would have to pass before reaching the firewall.
- Verify that any patches and updates for the device are installed before implementation. To protect the device from new threats, make sure it is incorporated into the organization’s patch management program.
- Think like an attacker. On a regular basis, conduct internal and external penetration testing to verify that all devices are necessary, accounted for, and properly secured. Compare the results to those of previous tests.
Even organizations that consider their security programs very strong should evaluate the peripherals residing on their networks.
For more information, please contact Raj Chaudhary at 312.899.7008 or firstname.lastname@example.org.
[1] Raphael Satter, “Hackers Intercept FBI, Scotland Yard Call,” Louisville Courier-Journal, Feb. 7, 2012, http://www.courier-journal.com/usatoday/article/38512263?odyssey=mod|newswell|text|Business|s
[2] Nicole Perlroth, “Cameras May Open Up the Board Room to Hackers,” The New York Times, Jan. 22, 2012, http://www.nytimes.com/2012/01/23/technology/flaws-in-videoconferencing-systems-put-boardrooms-at-risk.html?_r=1&pagewanted=all