Federal Civilian Agencies’ Next Security Vulnerability

by Tara Condon 24. August 2015 09:19

By Tara Condon & Henry Gold

Recent data breaches at the Internal Revenue Service (IRS) and the Office of Personnel Management (OPM) re-focused the technology community on the security challenges facing U.S. government and federal civilian agencies. Many of these agencies provide critical services that touch the everyday lives of Americans, including the Social Security Administration, the Food Safety and Inspection Service, and the U.S. Postal Service. A security incident at any of them would therefore have a pervasive impact.

One reason the security landscape is so cumbersome to manage is the growing number of network-connected devices. Today's peripherals are smart devices, and every one of them is a network access point that offers a new avenue to sensitive information. Printers and copiers in particular present a new point of vulnerability.

Security Risks of MFDs: 

Standalone printers and, later, combination printer/copiers were largely output devices. A command was entered; the function was executed. The main security risk, sensitive output left sitting on the printer tray, was mitigated by physical security: many users were issued individual printers that were kept in locked offices.

Document scanning changed the game. Multi-Function Devices (MFDs) were born. What was once a peripheral was now an intelligent system with document memory, local storage, and persistent network connectivity. This additional functionality also came with a (justifiably) higher price tag, which meant that printer/copier/scanners became shared resources, typically kept in public areas where personnel and visitors have unfettered access.

Enabling PIV Card Authentication:

In recognition of the vulnerability of these access points, federal policy now requires PIV card authentication (the Department of Defense equivalent is the Common Access Card, or CAC) for access to network-connected devices. Today, federal civilian agencies are struggling with how to meet this requirement for their MFD fleets.

A number of major printer manufacturers now offer built-in PIV authentication on new devices. There is also a printer-agnostic solution offered by API Technologies, called the Netgard®, that may be used on both new and existing MFDs and printers, including wide-format printers.

Photo of Netgard® MFD courtesy of API Technologies


Regardless of which solution you choose for PIV authentication, here are two key features you should be aware of that enable you to comply with government security best practices. Both depend on the same principle: the device acts only on behalf of the identity on the card that was presented, never on a name typed at the panel.

  • Scan to Home: The authenticated user may scan only to a designated folder on the network (typically that user's own home directory), and the destination is derived from the credential presented at the device rather than from anything entered at the panel. The user then retrieves the document from that network location for his or her intended purpose. This ensures that confidential or sensitive material cannot leave the device in an uncontrolled fashion, for example by sending a scanned document to a personal email address directly from the MFD.

  • Secure Print Release: MFDs are often stationed in easily accessible parts of the office, so sensitive printed material may sit out in the open for some time before an employee has the opportunity to retrieve it. With Secure Print Release enabled, a submitted job is held rather than printed. The employee walks to the printer and presents her PIV card, and only her own held jobs are printed ("released"), while she is standing there to collect them. Jobs that are never released are never printed, which has the added benefit of saving paper and toner and therefore operating cost.
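The two controls above amount to a small enforcement policy at the device. The following is an added example (not code from the original post, from API Technologies, or from any printer vendor) that models both: print jobs are held until the owner's PIV card is presented, and the scan destination is computed from the card identity alone. The card-to-user mapping, the home-folder layout under `/srv/scans`, and all names are assumptions for illustration.

```python
# Added example (not code from the original post, API Technologies, or any
# printer vendor): a minimal model of the two MFD controls described above.
# The card-to-user mapping, the home-folder layout, and all names are assumed.
from dataclasses import dataclass, field
from pathlib import PurePosixPath
from typing import Optional


@dataclass
class PrintJob:
    job_id: int
    owner: str          # principal the print server authenticated at submit time
    document: str
    released: bool = False


@dataclass
class MfdPolicy:
    """Policy enforced at the device: hold print jobs until the owner's PIV card
    is presented, and derive scan destinations only from the card identity."""
    card_to_user: dict          # PIV card identifier -> user principal (assumed directory lookup)
    home_root: str = "/srv/scans"
    _queue: list = field(default_factory=list)
    _next_id: int = 1

    def submit_print(self, owner: str, document: str) -> int:
        """Spool a job. Nothing is printed: the job is held until release."""
        job = PrintJob(self._next_id, owner, document)
        self._next_id += 1
        self._queue.append(job)
        return job.job_id

    def held_jobs(self) -> list:
        """Documents currently waiting on the server, not yet on paper."""
        return [j.document for j in self._queue if not j.released]

    def release_prints(self, card_id: str) -> list:
        """Secure Print Release: the card holder receives only their own held
        jobs; an unknown card releases nothing."""
        user = self.card_to_user.get(card_id)
        if user is None:
            return []
        released = [j for j in self._queue if j.owner == user and not j.released]
        for job in released:
            job.released = True
        return [j.document for j in released]

    def scan_destination(self, card_id: str, requested: Optional[str] = None) -> str:
        """Scan to Home: the only permitted destination is the authenticated
        user's own folder. Any destination entered at the panel (an email
        address, a share, another user's folder) is refused outright."""
        user = self.card_to_user.get(card_id)
        if user is None:
            raise PermissionError("unknown PIV card")
        if requested is not None:
            raise PermissionError(f"destination {requested!r} not permitted; scan to home only")
        return str(PurePosixPath(self.home_root) / user / "inbox")
```

The point of `scan_destination` taking `requested` only to reject it is that the device never builds a path or an address from panel input: the user's identity comes from the card, and the folder comes from the identity.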

Protecting the information assets of federal civilian agencies is of vital importance, and securing network entry points is key to thwarting threats. When reviewing their security practices, federal civilian agencies should remember that peripherals such as MFDs present a vulnerability. PIV and/or CAC card enablement is necessary to secure these network entry points. The good news is that a number of government-compliant, commercially available solutions exist to meet the need.


About the Authors:

Tara Flynn Condon (@api_taracondon) is a published writer and Vice President of API Technologies Corp.

Henry Gold is a security expert and frequent panelist on security-related issues. He is General Manager of SSIA North America for API Technologies Corp.


Secure Systems & Information Assurance

12 Days of Products: ION™ SA5610-SAL - Avaya® SAL Edition Secure Appliance

by Jaymie Murray 18. December 2014 09:55

Gifts aren't the only things that need to be delivered. The ION™ SA5610-SAL: Avaya® SAL Edition is a plug-and-play Avaya® Secure Access Link (SAL) appliance that provides remote service delivery. The appliance comes with a full standalone SAL Gateway preinstalled, which provides IP and secure dial-up connectivity to Avaya and heritage Nortel systems. The easy-to-install appliance allows technicians, service providers, and Avaya Support Services to conduct remote troubleshooting and maintenance for up to 400 managed devices, eliminating the need for a dedicated SAL server. This lets SAL users quickly and cost-effectively realize the benefits of the SAL platform with no implementation costs and reduced set-up time.

To learn more about the ION™ SA5610-SAL - Avaya® SAL Edition Secure Appliance, read the datasheet, contact us, or request a quote.


Secure Systems & Information Assurance

Can Certain Third Party Data Hacks be Prevented?

by Tara Condon 14. October 2014 13:03

By: Tara Condon & Henry Gold


Last fall, John Gainor, President and Chief Executive Officer of DQ, posted a memo for Dairy Queen and Orange Julius customers regarding a recent data hack. At its centerpiece was the revelation that compromised account credentials belonging to a third-party vendor had been used to gain access to customer data. DQ should be applauded for its thorough investigation following the attack and its forthright communication to customers about it. However, the question remains for CISOs everywhere: can this type of hack be prevented?


Third parties regularly access networks for legitimate reasons.

Companies regularly allow third parties access to internal systems. Common reasons for enabling this access include systems administration and programming. Increasingly common is granting access to information technology and communications service providers who troubleshoot, fix, and maintain computers, web sites, networking resources, and voice systems. Often, these third parties require administrator-level access to complete their work, and often that access is poorly secured, relying on simple password authentication that is easily breached.



But, companies often have little control over third party activity on the network.

Companies typically control the front end of vendor access with passwords or more robust measures, such as software tokens or PKI-based (two-factor) authentication. However, once a third party is on the network, it typically has unmonitored, and often unfettered, access to a variety of systems. This is where the risk of data theft or system breach increases significantly. Even after the company ends its relationship with a third party, the risk is often undiminished, because the third party may already have opened backdoors to a variety of network resources.


Companies spend a good deal of time and money vetting and hiring employees. One hopes their third-party vendors do the same, but that is not always the case. Companies may never meet, or even see, the wide network of third-party employees who regularly work on their systems. As such, gauging the risk becomes nearly impossible.


A system that offers control and visibility is good for companies and third parties.

The ideal system provides controlled third-party access along with visibility and monitoring, and such systems are available today. A company should be able to define and control who is on the network, what they may access, and what they are permitted to do. The system should then record activity on the network, compare it against those definitions, and alert company representatives when something falls outside them, including activity from a vendor whose engagement has ended.
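The "define, record, compare, alert" loop above can be made concrete with a small audit over vendor session logs. The following is an added example (not code from the original post or from API Technologies) that checks constructed session log lines against a hypothetical per-vendor policy: approved hosts, approved commands, and an engagement end date. The log format, the vendor names, the hosts, and the policy contents are all assumptions made for the illustration.

```python
# Added example (not code from the original post or from API Technologies): a
# vendor-access audit of the kind described above, run over constructed session
# log lines. The policy contents, log format, and vendor names are assumed.
import re
from datetime import datetime

# Hypothetical per-vendor policy: who may connect, to which hosts, with which
# commands, and until when the engagement is valid.
VENDOR_POLICY = {
    "acme-telecom": {
        "allowed_hosts": {"pbx-01", "pbx-02"},
        "allowed_commands": {"show", "tail", "restart-service"},
        "contract_end": datetime(2014, 9, 30, 23, 59, 59),
    },
    "webdev-llc": {
        "allowed_hosts": {"www-01"},
        "allowed_commands": {"deploy", "tail"},
        "contract_end": datetime(2015, 6, 30, 23, 59, 59),
    },
}

# Constructed sample of a session-recording log (one command per line).
SAMPLE_LOG = """\
2014-09-12 09:14:02 vendor=acme-telecom host=pbx-01 cmd=show
2014-09-12 09:20:45 vendor=acme-telecom host=fileserver-03 cmd=tail
2014-09-12 11:02:10 vendor=webdev-llc host=www-01 cmd=deploy
2014-09-12 11:05:33 vendor=webdev-llc host=www-01 cmd=useradd
2014-10-03 02:41:07 vendor=acme-telecom host=pbx-02 cmd=show
2014-10-03 02:42:19 vendor=unknown-corp host=pbx-02 cmd=show
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"vendor=(?P<vendor>\S+) host=(?P<host>\S+) cmd=(?P<cmd>\S+)$"
)


def audit_vendor_log(log_text: str, policy: dict) -> list:
    """Return (line_number, vendor, reason) for every line that violates policy.
    Unparseable lines are reported too: a gap in monitoring is itself a finding."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            findings.append((lineno, None, "unparseable log line"))
            continue
        vendor, host, cmd = m["vendor"], m["host"], m["cmd"]
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        rules = policy.get(vendor)
        if rules is None:
            findings.append((lineno, vendor, "vendor not in policy (no current engagement)"))
            continue
        if ts > rules["contract_end"]:
            findings.append((lineno, vendor, "activity after contract end"))
        if host not in rules["allowed_hosts"]:
            findings.append((lineno, vendor, f"host {host} outside approved scope"))
        if cmd not in rules["allowed_commands"]:
            findings.append((lineno, vendor, f"command {cmd} not permitted"))
    return findings


if __name__ == "__main__":
    for lineno, vendor, reason in audit_vendor_log(SAMPLE_LOG, VENDOR_POLICY):
        print(f"line {lineno}: {vendor or '-'}: {reason}")
```

On the sample above the audit flags four of the six lines: an approved vendor reaching a host outside its scope, an approved vendor running a command it was never granted, activity from a vendor after its engagement ended, and a session from a vendor with no engagement at all. The first two are the "unfettered access" problem, the last two are the "relationship ended but access persists" problem described above; none of them would be visible to a control that only checks the login.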


One would think that third parties would bristle at added controls. However, many third parties have wholeheartedly embraced the concept. Having a third-party access system in place makes their jobs easier: they can focus on service delivery instead of concerning themselves with network access. Furthermore, the added visibility lets third parties demonstrate, in real time, the value they provide.


For more information on this and other security-related topics, follow our Secure Systems & Information Assurance (SSIA) team on LinkedIn.


About the Authors:

Tara Flynn Condon (@api_taracondon) is a published writer and Vice President of API Technologies Corp.

Henry Gold is an expert and frequent speaker on security topics and General Manager of SSIA North America for API Technologies Corp. 


Secure Systems & Information Assurance

[INFOGRAPHIC]:Meet the ION™SA5600-SAL: Avaya® SAL Edition

by Andrew DiCecco 27. June 2013 10:24


Infographics | Secure Systems & Information Assurance
