By Christiaan Beek
It is late at night in an office in an almost deserted town; dim lights are still burning. On a table, we see boxes from a quick dinner and a stack of empty soda cans. While staring at multiple screens, a young and eager recruit is testing his new code a few more times before using it. For more than a few months, the recruit and his peers have had access to a few high-profile companies in the West. After carefully setting up the attack infrastructure, the group has had access to the companies.
Their attack remains undetected, although they have had some close calls. The attackers found a clever tactic to stay hidden and persistent: using a multifunction printer as a beachhead to store their tools and write the gathered data. With the default passwords still in place, a direct connection to the internet, and multiple interfaces to the networks, the device can reach every machine at the company and bypass all segmentation rules on the firewall. Because the device is connected to the internet, the attackers needed only the initial Trojan to open a backdoor into the victim’s network.
Sounds like a scene from another new cyber thriller, right? Not at all. During the many “red team” attacks I have been part of in the last ten years, this was one of our favorite scenarios to infiltrate companies during red-blue team exercises. Who has created alerts for their printers in the SIEM dashboard? I strongly believe that multifunction printers are one of the most underestimated risks by organizations.
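As an added example (not part of the original post, and not McAfee or Xerox code), here is one way to build the printer alerts asked about above: a Python check over flow records that flags a printer initiating internet or unexpected internal connections, and non-admin hosts reaching its management ports. The addresses, allow-list, subnet names and flow format are constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed inventory and policy; replace with your own asset data.
PRINTERS = {ipaddress.ip_address("10.20.0.15")}
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
ADMIN_NET = ipaddress.ip_network("10.99.0.0/24")
# (destination, port) pairs a printer may initiate: SMTP relay, DNS.
PRINTER_MAY_REACH = {("10.20.0.5", 25), ("10.20.0.2", 53)}
MGMT_PORTS = {21, 23, 80, 443}  # FTP, Telnet, embedded web server

# Constructed flow records: time,src,dst,dport,bytes
SAMPLE_FLOWS = """\
2017-11-01T23:10:02,10.20.0.15,10.20.0.5,25,4096
2017-11-01T23:11:40,10.20.0.15,203.0.113.7,443,52428800
2017-11-01T23:12:05,10.20.0.15,10.30.4.21,445,1200
2017-11-01T23:14:30,10.30.4.77,10.20.0.15,80,900
2017-11-01T23:15:00,10.99.0.10,10.20.0.15,443,700
2017-11-01T23:16:00,10.30.4.77,10.20.0.15,9100,20000
"""

def is_internal(addr):
    return any(addr in net for net in INTERNAL)

def printer_alerts(flow_text):
    """Return (time, rule, src, dst, dport) for each flow that breaks policy."""
    alerts = []
    for row in csv.reader(io.StringIO(flow_text)):
        if not row:
            continue  # tolerate blank lines in the export
        ts, src, dst, dport, _bytes = row
        s, d, port = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
        if s in PRINTERS:
            if not is_internal(d):
                rule = "printer-internet-egress"
            elif (dst, port) not in PRINTER_MAY_REACH:
                rule = "printer-unexpected-internal"
            else:
                continue  # allow-listed printer traffic
        elif d in PRINTERS and port in MGMT_PORTS and s not in ADMIN_NET:
            rule = "printer-mgmt-from-non-admin"
        else:
            continue
        alerts.append((ts, rule, src, dst, port))
    return alerts

if __name__ == "__main__":
    for alert in printer_alerts(SAMPLE_FLOWS):
        print(*alert)
```

Ordinary print jobs (port 9100 in the sample) and admin-subnet access stay quiet, so the rule set only fires on the behaviour the scenario relies on.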
At the McAfee MPOWER Cybersecurity Summit in Las Vegas on Oct. 18, Alissa Johnson, Xerox chief information security officer (CISO), and Christiaan Beek, McAfee lead scientist and principal engineer, discuss how those responsible for cybersecurity must consider threats to the IoT landscape as mission-critical components to their security strategy.
IOT security: problems and possibilities
The evolution of printers has been massive. In the recent past, a laser printer was the state of the art. Today printers have tons of functions, including an embedded webserver, multiple network cards, smartphone app, printing in the cloud, etc. When we look at the core of most of these systems, we unfortunately must conclude that the security basics have been missing during this evolution. For example, default passwords are not required to be changed or are embedded with weak encryption and can be cracked easily, there is no encryption of the internal hard disk, etc. When we use attack vectors based on the Internet of Things (IOT) as described by the Open Web Application Security Project (OWASP), many devices and accompanying services fail.
During the preparations for McAfee’s MPOWER conference in Las Vegas last month, I was asked by our embedded team to join a session with Xerox on the topic of IOT. Dr. Alissa Johnson (CISO of Xerox) and I had a few conversations on the IOT security challenge, as well as how Xerox both internally and as a manufacturer approached the challenges in securing IOT devices. I learned how Xerox approaches the issues, for example, by using signed firmware, encryption, and authentication, plus some other features that demonstrated leadership. What mostly intrigued me were our discussions around how securing IOT is not mission impossible.
With the exponential growth of devices we connect to the internet, how can we protect our businesses and our homes if manufacturers do not provide the basics? Plenty of initiatives assist manufacturers to look at this from a product development standpoint, but what about policy and risk assessment for information security officers? One way to tackle the challenge is to isolate IOT devices based on risk. A proper risk assessment examines what the chain reaction of events could be when a device is connected to the internet. How would attackers look at this device and how could they leverage it as part of their attack scenario?
By understanding these risks and applying the appropriate technical and procedural measures, we can effectively secure IOT devices.
Christiaan Beek, lead scientist & principal engineer, is part of McAfee’s Office of the CTO. He leads strategic threat intelligence research within McAfee. He passionately coordinates and leads the research in advanced attacks, plays a key role in cyberattack take-down operations and participates in the NoMoreRansom project. Christiaan develops threat intelligence strategy, designs threat intelligence systems, performs malware and forensic analysis and pentesting, and coaches security teams around the globe. He is a passionate cybercrime specialist who has developed training courses, workshops, and presentations. He speaks regularly at conferences, including BlackHat, RSA, BlueHat and Botconf. Besides conferences, he also teaches frequently at universities, police academies and public schools to recruit, mentor and train the next generation of cyber-security specialists. Christiaan contributed to the best-selling security book “Hacking Exposed,” and has two patents pending. Follow him on Twitter: @ChristiaanBeek. Read more articles from Christiaan on McAfee’s Securing Tomorrow blog.