Here is a startling statistic and article written by Dark Reading: More Than One-Third Of Network Devices Show Vulnerabilities when vulnerability data was compiled from 235 different enterprises during vulnerability assessment scans in 2009.
Think about this for a minute. One third of their devices had potential security vulnerabilities that could comprise their networks and these are enterprise clients that are supposed to be ahead of the curve when it comes to securing their networks.
So what are the small to medium sized businesses that do not regularly perform vulnerability assessment and do not have a dedicated security team to do? Are their statistics much worse?
The intuitive answer is probably yes. They statistically have more devices at risk, but I would also argue that they may not have as much IP enabled specialty equipment. So the question of whether the numbers are higher or lower for the small to medium size business does not really matter for this blog; however what does matter is that in every environment, devices that have vulnerabilities may be overlooked.
A case in point: how many environments have printer/copiers installed that are networked based? I am willing to bet most small businesses do. Has anyone ever changed the SNMP community string passwords on those devices from their defaults? If you do not know the answer to this, they are probably set to the manufacturer’s defaults and a program or user could reprogram the device, add email addresses as valid destinations, or just reprogram something as simple as the LCD.
The team at IronGeek has posted a nice blog about the hacks you can do to the most common printers using manufacturer defaults. I am making this point because most users do not think their devices could be leveraged against them or that it would take a geek with nothing better to do but cause some mischief.
If you are unfamiliar with risks associated with printer vulnerabilities, ask yourself a few basic questions about the devices in your organization. Do they provide copy and scan functions via email? Do they have internal hard drives? Do they have the ability to send faxes? If they do, then they can probably be reprogrammed using default settings to copy someone on every email sent from the device or allow a user to pull printed data from the internal hard disk. Imagine HR using the device and everything scanned, faxed, or sent via email being duplicated to a rogue email address.
Given that one third of devices have faults like these printers, it is only a matter of time before malware leverages one of these ubiquitous devices. Consider the recent 2010 CVE rash of vulnerabilities for devices like the Cisco ASA 5500 Security Appliance. While exploits do exist for these vulnerabilities, I strongly believe it is only a matter of time until one of them finds its way into malware and will ultimately cripple a business much worse than any worm or bot infestation.
So what is a business to do?
• Perform regular vulnerability assessments; just like locking your car door and making sure all the windows are closed when you leave your home.
• Keep the devices secure and change default passwords just like major regulatory compliance initiatives dictate; PCI DSS for example.
• All critical vulnerabilities should be fixed, regardless of the device.
Finally, if you need help securing your environment, ask an expert. People hire alarm companies all the time to secure their offices and homes. Businesses should consider hiring security experts to protect their systems and data in just the same way.
Could your business operate without your computers? Probably not. Vulnerabilities that can be exploited can take down a business just as badly as a physical theft of equipment and we all already pay for alarm systems today. Vulnerability assessment, mitigation, and protection only make sense to secure our dependency on these electronic systems.