More IP-enabled devices and bridges have hit the market in recent years, allowing just about any device, even if it only sports a lowly serial port, to gain access to an enterprise network. Such devices are becoming inviting new destinations for attackers who may have an interest in simply disrupting business within an organization, or perhaps pilfering sensitive data before it ever reaches the network.
The reality is, these devices exist on the network in large numbers today, and not only are there precious few safeguards for many of them, there's even less security awareness surrounding them. In this tip, we'll review some of the most notable non-traditional network endpoints, examine why they pose a risk, and discuss how to mitigate that risk.
Starting with the most (for now) ubiquitous of "hidden" devices on your network, we'll look at the humble IP printer. Many printers have multiple onboard interfaces, including HTTP and telnet. Default passwords are rarely changed since printers usually get expedited through the IT department on their way to the hungry group of users waiting to deplete the printer's toner.
Physical access devices
It's common today for physical access controls to be run over the enterprise network. One such vendor's marketing blurb highlights how the physical access gateway (PAG) can use power over Ethernet (PoE) to power badge readers and locks. The PAG also supports network discovery and boasts "ease of controllability" through a built-in Web server. These PAGs also have the ability to store up to 250,000 credentials in an "encrypted cache." Making matters worse, proximity card reader vendors are now using the network to upgrade and configure these devices. One vendor says that its product's operating parameters, such as "door open" time, are downloaded to the reader from a host computer. That means an attacker may be able to hack the doors from the safety of the lobby.
Web-based security cameras
Another interesting class of device is the IP-based security camera. These little darlings have been with us for a while and allow for cheap video surveillance. Unfortunately, some of these gems have built-in Web servers so that anyone can access the video from anywhere on the network. While vendors seem to think it's a nice feature to let anyone access a security device, security pros probably disagree. It seems to me that if I could get on their network, I could see when the place was empty and safe to rob.
Here's your Twinkie…and a virus
And what is the newest threat to your network? Vending machines! There are companies that offer conversion kits that allow cash-only machines to accept credit cards, debit cards and new contactless cards!
For those responsible for retail networks, there are also point-of-sale machines to consider, not to mention specialty devices such as PIN vending machines, which sell pre-paid cell phones, cable TV subscriptions, concert tickets and debit cards, and which all have GPRS, Wi-Fi and Ethernet connections to servers!
Security strategies for non-traditional network devices
So, what do you do to safeguard all of these devices? There are five key steps:
- Modify the network security policy to address the problem. Many policies don't cover non-traditional devices. An enterprise security policy should address the use of the network as a carrier for these non-IT controlled devices, clearly delineating usage that is and isn't permitted.
- Monitor the organization's purchasing requests. Of course, it's impossible to monitor all purchases, even under the best circumstances, but security teams can suggest a policy that passes all network-enabled and soon-to-be-purchased devices through a security review.
- Conduct regular scans of the network and compare them to past history. New devices should be investigated and validated.
- Properly configure any network connected device. Most devices are configured for easy installation, not security. Make sure that unused services are turned off and that access is limited to those that require it.
- Interrogate non-traditional device vendors about their security testing process. If vendors can't or won't say how they test their devices, go to a trusted third party that specializes in providing such information.
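Steps three and four above, scanning for new devices and checking what services they expose, can be partly automated. The script below is an added example for this tip, not tooling from the author or any vendor; it assumes a simple comma-separated scan export (ip,hostname,port/proto,service), which is an assumed format rather than any particular scanner's output, and the baseline and current snapshots it compares are constructed (a printer that has grown a telnet listener, a new badge-reader gateway and a new vending kiosk).

```python
"""Compare two network scan snapshots, list devices that have appeared
since the baseline, and flag management services (telnet, HTTP, SNMP...)
that a new or existing device now exposes.

Added example for this tip, not the author's tooling. The record format
(ip,hostname,port/proto,service) is an assumed export format and the
scan data below is constructed.
"""

# Services commonly used to reconfigure embedded devices such as
# printers, badge-reader gateways and cameras. Exposure of any of these
# on a device nobody in IT owns is worth a look.
MANAGEMENT_SERVICES = {"telnet", "http", "https", "snmp", "ftp"}

# Constructed snapshots: last month's scan and today's scan.
BASELINE_SCAN = """\
# ip,hostname,port/proto,service
10.0.1.10,fileserver,445/tcp,smb
10.0.1.20,printer-2f,9100/tcp,jetdirect
10.0.1.20,printer-2f,80/tcp,http
"""

CURRENT_SCAN = """\
# ip,hostname,port/proto,service
10.0.1.10,fileserver,445/tcp,smb
10.0.1.20,printer-2f,9100/tcp,jetdirect
10.0.1.20,printer-2f,80/tcp,http
10.0.1.20,printer-2f,23/tcp,telnet
10.0.1.45,badge-gw-lobby,80/tcp,http
10.0.1.45,badge-gw-lobby,161/udp,snmp
10.0.1.60,vend-kiosk-1,443/tcp,https
"""


def parse_scan(text):
    """Parse scan records into {ip: {"hostname": str, "services": set}}.

    Each service is a (port, proto, name) tuple; comment and blank lines
    are skipped so the format tolerates a header row.
    """
    hosts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ip, hostname, port_proto, service = (f.strip() for f in line.split(","))
        port, proto = port_proto.split("/")
        entry = hosts.setdefault(ip, {"hostname": hostname, "services": set()})
        entry["services"].add((int(port), proto, service.lower()))
    return hosts


def diff_scans(baseline, current):
    """Return new hosts, hosts that vanished, and services added to hosts
    present in both snapshots."""
    new_hosts = sorted(set(current) - set(baseline))
    removed_hosts = sorted(set(baseline) - set(current))
    new_services = []
    for ip in sorted(set(current) & set(baseline)):
        for svc in sorted(current[ip]["services"] - baseline[ip]["services"]):
            new_services.append((ip, *svc))
    return {"new_hosts": new_hosts,
            "removed_hosts": removed_hosts,
            "new_services": new_services}


def review_items(diff, current):
    """Turn a diff into a triage list: every management service on a new
    device, plus any management service newly enabled on a known device.
    Each item is (ip, hostname, port, service, reason)."""
    items = []
    for ip in diff["new_hosts"]:
        host = current[ip]
        for port, _proto, name in sorted(host["services"]):
            if name in MANAGEMENT_SERVICES:
                items.append((ip, host["hostname"], port, name,
                              "new device exposes management service"))
    for ip, port, _proto, name in diff["new_services"]:
        if name in MANAGEMENT_SERVICES:
            items.append((ip, current[ip]["hostname"], port, name,
                          "management service newly enabled"))
    return sorted(items, key=lambda it: (it[0], it[2]))


if __name__ == "__main__":
    base = parse_scan(BASELINE_SCAN)
    cur = parse_scan(CURRENT_SCAN)
    for item in review_items(diff_scans(base, cur), cur):
        print("%-10s %-16s %5d/%-6s %s" % item)
```

Run as a script it prints one line per item to investigate: the printer's new telnet listener, the badge gateway's HTTP and SNMP interfaces, and the kiosk's HTTPS interface. A known file server that has not changed produces nothing. In practice the baseline would be the previous scan's export and the review list would be handed to whoever owns the device, with the expectation that unused interfaces get disabled and default credentials get changed before the device stays on the network.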
Finally, please change the default passwords on all network-enabled devices! Also, make sure that unused protocols are disabled so that there aren't multiple ways to reconfigure the devices.
About the author:
Mark S. Kadrich is president and CEO of The Security Consortium, an independent product-testing and comparison group that offers in-depth reviews and evaluations of security products and vendors. A 20-year veteran of the information technology industry and a recognized expert on endpoint security, he authored the Addison-Wesley book Endpoint Security and is a noted industry speaker.
This was first published in July 2008