BreachExchange mailing list archives

Defending Your Data


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 1 Feb 2016 18:23:16 -0700

http://www.myprintresource.com/article/12147950/defending-your-data

It seems like every time you turn on the news, there is a new report about
a security breach at a major corporation, putting employees and customers
alike at risk for a wide range of identity and information theft. It might
be tempting to believe that, as a print shop, you won’t be a target of
these attacks, but that is far from the truth. There is no company that is
safe from potential breaches, and pretending it can’t or won’t happen to
you will only serve to make things worse when and if it does happen.

“Protecting customer data for today’s printer environment is a must-have to
keep everyone safe,” said Garland Nichols, who is Xerox Corp.’s vice
president of Worldwide Information Security. “With the vast number of
breaches in the news media, data records today can cost on average
$160/data record, according to Ponemon Institute’s 2014 cost of data breach
report. Small and large companies need to focus on implementing a security
plan to reduce risk and protect data.”

“Any time a printer handles any kind of Personal Identifiable Information
(PII), they are responsible to protect that information. Failure to do so
can result in severe civil penalties and fines,” agreed Chris Bilello,
director of business solutions and market development, Konica Minolta
Business Solutions U.S.A. Inc.

He went on to give a few examples of exactly how print shops could be
vulnerable — and what the consequences could be. “A printer who services a
healthcare payer or provider could be fined by the Department of Health and
Human Services (HHS) if it were to inadvertently disclose anyone's health
information. In 2010, a Multi-Function Printer was returned to a warehouse
after the lease expired. An investigative report discovered that the
device's hard drive contained patient records from a healthcare
organization. Subsequently, in 2013 the organization was fined $1.2 million
by the HHS for violating HIPAA.”

But that isn’t the only potential vulnerability. Any system holding billing
or financial information is a prime target for hackers seeking ways to steal
from you and your customers. Even systems with no financial data, but with
personally identifiable data such as names and addresses, can be targeted,
since this type of information can be used by unscrupulous individuals to
craft attacks that appear to come from legitimate sources.

“Financial data should be considered priority as it’s a top target for
attackers,” noted Nichols. “Beyond financial data, any data (e.g. name,
address, phone, etc.) that could be used to identify individuals is at
risk. Such data, while less valuable than financial information, can be
used to target individuals for spearphishing (targeted emails that appear
to be from legitimate sources) attacks.”

A Good Defense

There are a number of steps that every PSP should take today to start
ensuring all data is locked down. A few of the basics include:

- Separate your company intranet from the public Internet with firewalls.
- Ensure only secure, encrypted connections are allowed to access your
  servers.
- Only store customer information for as long as it’s needed.
- Create complex passwords for all devices that might come in contact with
  customer information.
- Make sure all devices — from PCs to printers to connected equipment —
  always have the latest software updates and patches.
- Change passwords regularly; every 90 days is a good standard to go by.
- Lock filing cabinets and desk drawers where hard copies of customer
  information are stored.

“The most important software solution for any network is to make sure every
client on the network has its software updated regularly,” stressed
Nichols. “This includes all servers, desktop systems, printers and print
controllers, and network appliances such as routers and switches. Where
appropriate, antivirus software should be installed and kept up to date.
Security features of systems, including printers, should be enabled
whenever possible. If your email system allows it, enable any spam filtering
so that phishing emails and malware never make it to inboxes. And don’t
forget the most vulnerable part of your network: users. Make sure they’re
aware of the dangers of clicking on links in emails and opening attachments,
especially when they’re unsure of the source. Even the best network
security can be undermined by a careless user.”

The need to get your people on board can’t be stressed enough. Users are
one of the top ways hackers breach even the most secure systems. All it
takes is one designer or press operator clicking on a suspicious link that
seems to come from their Great Aunt Mary, and your entire system is
compromised. Everyone in the organization, not just the people who directly
handle customer data, needs to be educated about information security and
the role they play in maintaining network integrity.

“Another common mistake is not securing hard drives on laptops, PCs on
print servers and on DFEs (Digital Front Ends) or print controllers,” said
Bilello. “Organizations must extend their attention beyond central
resources and protect every distributed device that could give an attacker
access to the network. Make sure that all security patches are installed
and device configurations are also security aware. Digital printers, MFPs
and DFE servers need to be running the latest firmware and all security
patches need to be installed. Of course PCs and laptops need to have the
latest updates as well. Malicious attackers seek out systems that are not
patched and have open vulnerabilities. Remove and disable all device ports
and protocols that are not needed. For example, many printers and MFPs ship
with the File Transfer Protocol (FTP) enabled. Turn this off and consider a
more secure method of file transfer such as WebDAV or SMB.”
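The device-hardening advice above (disable unneeded protocols such as FTP, keep firmware at the latest level) is the kind of thing a small shop can check on a schedule rather than by hand. The script below is an added example, not code from the article or from either vendor quoted in it. It audits a constructed inventory of print devices against an assumed local policy: an allow-list of services, a minimum firmware version per model, and an optional loopback-style TCP probe to confirm that a service the configuration says is off really does not answer. The device names, addresses, models, versions and the policy values are all made up for the example.

```python
"""Audit a print-device inventory for unneeded services and stale firmware.

Added example; the inventory, models, firmware baselines and service
allow-list are constructed for illustration, not taken from any vendor.
"""
import socket
from dataclasses import dataclass, field

# Common services on MFPs/DFEs, keyed by the TCP port they usually listen on.
SERVICE_PORTS = {"ftp": 21, "telnet": 23, "http": 80,
                 "https": 443, "smb": 445, "ipp": 631}

# Assumed local policy: only these services may stay enabled on a device.
ALLOWED_SERVICES = {"https", "ipp", "smb"}

# Assumed minimum firmware per model, as dotted-integer versions.
MIN_FIRMWARE = {"mfp-a": (2, 4, 0), "dfe-b": (10, 1, 3)}


@dataclass
class Device:
    name: str
    model: str
    host: str
    firmware: str
    services: set = field(default_factory=set)


def parse_version(text):
    """'2.10.0' -> (2, 10, 0). Tuples compare numerically; comparing the raw
    strings would wrongly rank '2.10.0' below '2.4.0'."""
    return tuple(int(part) for part in text.strip().split("."))


def firmware_outdated(device):
    """True/False against the model baseline; None if the model is unknown."""
    baseline = MIN_FIRMWARE.get(device.model)
    if baseline is None:
        return None
    return parse_version(device.firmware) < baseline


def service_is_reachable(host, port, timeout=1.0):
    """True if a plain TCP connect to host:port succeeds within timeout.
    Used to confirm that a service listed as disabled really is off."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_device(device, probe=False):
    """Return a list of (severity, message) findings for one device."""
    findings = []
    for svc in sorted(device.services - ALLOWED_SERVICES):
        findings.append(("high", f"{device.name}: {svc} enabled; disable it"))
    outdated = firmware_outdated(device)
    if outdated is None:
        findings.append(("info", f"{device.name}: no baseline for model "
                                 f"{device.model}; review manually"))
    elif outdated:
        findings.append(("high", f"{device.name}: firmware {device.firmware} "
                                 f"below baseline"))
    if probe:  # network confirmation, off by default so the audit runs offline
        for svc, port in SERVICE_PORTS.items():
            if svc not in ALLOWED_SERVICES and \
                    service_is_reachable(device.host, port):
                findings.append(("high", f"{device.name}: port {port} ({svc}) "
                                         f"answers on the network"))
    return findings


def audit_inventory(devices, probe=False):
    return [f for d in devices for f in audit_device(d, probe=probe)]


def probe_self_check():
    """Demonstrate the probe on loopback: open a throwaway listener, confirm
    it is reachable, close it, confirm the same port is then refused."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = service_is_reachable("127.0.0.1", port)
    listener.close()
    after_close = service_is_reachable("127.0.0.1", port)
    return while_open, after_close


# Constructed inventory (addresses from the RFC 5737 documentation range).
INVENTORY = [
    Device("lobby-mfp", "mfp-a", "192.0.2.10", "2.10.0", {"ftp", "https", "ipp"}),
    Device("dfe-press1", "dfe-b", "192.0.2.20", "10.1.3", {"https", "smb"}),
    Device("old-copier", "mfp-z", "192.0.2.30", "1.0.0", {"telnet", "http"}),
]

if __name__ == "__main__":
    for severity, message in audit_inventory(INVENTORY):
        print(f"[{severity}] {message}")
```

Run as-is to list the findings for the constructed inventory; pass `probe=True` only when the script is run from inside the shop network against devices you own, since the probe part opens TCP connections to each listed address. The version parser matters more than it looks: "2.10.0" is newer than "2.4.0", but a string comparison says otherwise, and a patch-level check built on string comparison will quietly report up-to-date devices as stale or the reverse.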

After the Breach

But even the most vigilant operation can still fall prey to hackers, and
shops need to have a plan in place on what to do when and if that happens.
Just like pretending it could never happen to your shop could leave you
vulnerable, believing your security is unbreakable can lead to more damage
if someone does manage to break through.

Bilello advises printers to put together an incident response plan that
addresses these key questions:

- Is the company actually under a bona fide cyber-attack? Or is it just
  someone testing the edges and getting lucky?
- Did a breach actually occur? What systems were compromised? Was it
  malware, email spoofing or a brute-force attack?
- Who is the designated company point person for security?
- What is the main priority after a breach is detected? Restoring service,
  protecting data, or is there another priority?
- What systems and/or data should receive the highest response priority?
- Make a list of third-party technology and Internet vendors — who are the
  contacts (email, mobile numbers etc.) at those organizations?

And don’t forget to add client notification to the plan as well. While it
might be tempting to try to hide the breach, at the end of the day your
customers understand that sometimes these things happen. They are far more
likely to be forgiving if you are up-front about the breach, detail what
protections you already had in place, and explain what changes you’ll be
making in the wake of the issue.

“Honesty is the best policy and timeliness is crucial,” said Nichols. “If
you even suspect that you’ve been breached you should inform your customers
immediately. This gives them a head start on alerting their banks and
credit card companies to look for fraudulent activity and to change their
passwords. At the same time, you should be checking your internal network
defenses and making sure all of your network clients (printers and PCs) are
updated. If you don’t have a dedicated IT security person or team and
you’re not comfortable with doing this yourself consider working with an
external security company to evaluate your network security and make sure
it’s as secure as possible.”

It is also worth considering investing in a dedicated IT/security person
for your shop. If your operations don’t currently support having someone on
the payroll in this role, consider contracting with a reputable firm to
handle it for you.

“It’s unfortunate, but security requires constant vigilance and effort;
it’s never going to be a ‘set it and forget it’ kind of thing,” Nichols
noted. “Having a dedicated IT security person or team is really the best
way to keep ahead, whether they’re internal or external. It may seem
expensive at first, but this expense must be compared to what a breach
might cost you in terms of business, reputation and legal expenses. If your
business is on the Internet, it’s a target and your defenses are constantly
being probed. It’s up to you to keep the bad guys out and protect your
customers.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 