The IT Law Wiki

Additionally, many organizations may not have an accurate [[inventory]] of RDs or recognize what [[functionality]] each [[device]] possesses, especially with respect to [[information]] ([[data]]) [[storage]], [[information processing|processing]], and [[transmission]].

== Security concerns ==

Historically, the [[capabilities]] of RDs were limited to basic [[copying]], [[scanning]], and [[printing]]. [[Storage]] of [[scanned]] or [[print]]ed [[information]] within the RDs was not part of the [[device]] [[functionality]] and RDs were locally (directly) [[connect]]ed to [[computer]]s via a [[cable]] or were [[stand-alone]] [[device]]s so the [[security]] of [[information processed]] by RDs was generally not a consideration for most organizations.

Today, however, RDs are often [[connect]]ed to organizational [[network]]s, have [[central processing unit]]s that run common commercial [[operating system]]s, [[store]] [[information]] internally on [[nonvolatile]] [[storage media]], and may even have internal [[server]]s or [[router]]s. As a result, RDs may be [[vulnerable]] to a number of [[exploit]]s if the [[risk]] is not [[mitigate]]d using appropriate [[security]] practices/[[Security controls|controls]].

The following are general [[threat]]s, [[vulnerabilities]], and related [[exploit]]s that may affect RDs:

* '''Default administration/configuration password:''' Many [[device]]s have [[default password]]s which can be easily obtained and used to [[access]] [[configuration]] panels, [[stored data]], or to [[control]] the [[device]] locally or [[remotely]] via a [[web interface]].
* '''Data capture:''' When [[data]] is [[transmit]]ted or [[stored]] [[unencrypted]], it is subject to [[interception]]. This [[data]] may include [[device]] [[password]]s, [[configuration settings]], or processed jobs. Such [[data]] may appear to be unreadable but is an [[exploitable]] [[vulnerability]] if it is not [[encrypted]].
* '''Disruption of service:''' RDs may be susceptible to a variety of [[threat]]s which [[disrupt]] the [[availability]] of services. [[User interface]]s, power consumption, and internal mechanical and [[software]] operations may be especially [[vulnerable]].
* '''Spam:''' Most RDs, if not properly [[configure]]d, will process any submitted job, without regard to the originator, without confirmation that the job is [[authorized]], and without [[authentication]]. If [[exploit]]ed, this [[vulnerability]] may waste ink, paper, toner, or other materials while also resulting in a [[denial of service]] for legitimate [[user]]s.
* '''Alteration/corruption of data:''' [[Exploit]]s of this nature may be very difficult to [[detect]], but could result in reduced quality, a [[denial of service]] (for example, if a [[password]] is altered), or a potentially hazardous situation (for example, if [[configuration settings]] are altered to allow the [[device]] to overheat).
* '''Outdated and/or unpatched operating systems and firmware:''' Many RDs run an [[embedded]] commercial [[operating system]] which renders them subject to the same [[threat]]s and [[vulnerabilities]] as any other [[computing device]] [[running]] those same [[operating system]]s. To complicate matters, RD [[manufacturer]]s may [[embed]] versions of [[operating system]]s for which the [[operating system]] provider is no longer providing [[update]]s or the [[functionality]] to [[install]] [[patch]]es or [[update]]s is not available. [[Buffer overflow]]s, [[execution of arbitrary code]], and taking [[control]] of the [[device]] using [[remote administration]] [[capabilities]] via [[web server]]/[[site]] are but a few examples of [[exploit]]s to which RDs with [[unpatched]] [[operating system]]s and [[firmware]] are [[vulnerable]].
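
An added example, not part of this page or of the NIST document it cites: a defender's check for the "spam" and remote-administration threats listed above, run over constructed CUPS-style print-server access_log lines. The log format, the allowed subnets and the set of job operations are assumptions.

```python
import ipaddress
import re

# Constructed CUPS-style access_log lines (sample data, not from the page):
SAMPLE_LOG = """\
10.0.5.21 - alice [30/Mar/2015:01:20:11 +0000] "POST /printers/lobby HTTP/1.1" 200 18233 Print-Job successful-ok
203.0.113.9 - - [30/Mar/2015:01:21:02 +0000] "POST /printers/lobby HTTP/1.1" 200 4096 Print-Job successful-ok
203.0.113.9 - - [30/Mar/2015:01:21:03 +0000] "POST /printers/lobby HTTP/1.1" 200 4096 Print-Job successful-ok
10.0.5.40 - - [30/Mar/2015:01:22:40 +0000] "POST /admin/ HTTP/1.1" 200 512 CUPS-Set-Default successful-ok
10.0.9.7 - admin [30/Mar/2015:01:23:05 +0000] "GET /admin/ HTTP/1.1" 200 2048 - -
"""

# Hypothetical site policy: who may submit jobs and who may reach the admin UI.
JOB_SUBNETS = [ipaddress.ip_network("10.0.0.0/16")]
ADMIN_SUBNETS = [ipaddress.ip_network("10.0.9.0/24")]
JOB_OPS = {"Print-Job", "Send-Document", "Create-Job"}

LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<group>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<resource>\S+) (?P<version>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<op>\S+) (?P<ipp_status>\S+)$'
)

def in_any(host, nets):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames such as "localhost" are treated as unknown
    return any(addr in n for n in nets)

def audit(log_text):
    """Return (host, finding) tuples for requests that match an RD threat above."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        host, user, res, op, status = m["host"], m["user"], m["resource"], m["op"], m["status"]
        if op in JOB_OPS and status == "200":
            # "Spam": job accepted with no authenticated user or from a disallowed host
            if user == "-":
                findings.append((host, "unauthenticated job accepted"))
            if not in_any(host, JOB_SUBNETS):
                findings.append((host, "job from outside allowed subnet"))
        if res.startswith("/admin") and status == "200":
            # Remote configuration access without a login or from outside the admin subnet
            if user == "-" or not in_any(host, ADMIN_SUBNETS):
                findings.append((host, "admin interface reached anonymously or off-subnet"))
    return findings
```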

== References ==

* "Overview" section: [[Risk Management for Replication Devices]], at 1.
* "Security concerns" section: ''Id.'' at 1, 2.

[[Category:Hardware]]
[[Category:Definition]]
[[Category:Security]]

Latest revision as of 01:23, 30 March 2015

== Definition ==

A replication device is

any device that reproduces (e.g., copies, prints, scans) documents, images, or objects from an electronic or physical source.[1]

== Overview ==

RDs include copiers, printers, three-dimensional (3D) printers, scanners, 3D scanners, as well as multifunction machines when used as a copier, printer, or scanner.

RDs in use within organizations run the gamut in terms of age and functionality. Older, single-function devices may have no internal, nonvolatile storage and cannot be networked. Other devices may provide a variety of functions, be network-connected, run commercially available operating systems, contain internal, nonvolatile storage, and contain embedded internal print servers and web server capability. In between the two extremes, there may be RDs with network and/or storage functionality but no discernable means to configure them securely.