From the perspective of a network administrator on computer forensics and cyber security…
Yes, it’s pretty easy to scavenge a computer hard drive and piece together a story. Well, with the right tools and the knowledge to use them it is. Depending on what we are looking for, heck – a lot of times we don’t even need the fancy tools to find the juicy stuff, right? A simple glance at browser history or aged cookies may implicate a suspect employee wasting time on the internet or, even more sinister, trying to use a proxy anonymizer to circumvent our corporate internet policy to pull off some cyber crime of the century! Maybe a little far-fetched but still possible, I guess?!
Like it or not, the days of a network admin sitting back eating doughnuts and drinking coffee are gone! Businesses have evolved – and likewise – threats from cyber criminals have never been more prevalent! Let’s face it, we have an important job and, though computer forensics aren’t necessarily written verbatim in our job descriptions, we are expected to have a “reasonable” knowledge of such things. We may use certain tools to figure out what happened after the fact (inadvertent or intentional Trojan/Worm or Man-In-The-Middle attacks) in order to solidify our cyber defenses and prevent future attacks. Do we get to use all the cool forensic tools while performing our jobs? Probably not but, we should have a certain leaning towards those things if we are worth our salt as a CIO (Chief Information Officer) or CCBW (Chief Cook and Bottle Washer – one of my favorites). Bottom line… we are responsible for protecting the data – period!
Okay, so getting to the point; as the summary of this article implies, there are other areas where sensitive corporate data may reside and we seldom think about it. Yes, this is another one of those potentially easy “targets” that, if known, could be a great place for a cyber thief to harvest some interesting corporate information or to carry out a sneaky botnet attack. Ready for it? It’s the lowly hard drive nestled comfortably inside the copier/MFP – out of sight and out of mind. It’s happened before (several years back) where some semi-skilled black-hat wannabe exploited the ftp functionality of a multifunction copier and turned it into a peer share for MP3 downloads. Though not necessarily a destructive act, this exploit caused a bit of uproar among network administrators and security professionals and required that a “policy” be in place addressing the vulnerability and specifically, how to deal with all the data that’s flushed through one of these devices.
Beyond hardening server security, strengthening/changing passwords of vendor supplied default passwords, addressing the ever-evolving threat to firewalls, and implementing every other security “best practice” methodology, we are now painfully aware of these additional areas of concern. In fact, MFP manufacturers have addressed this, too. By offering data protection methods like “security wipes” that overwrite areas of the MFP hard drive with up to three passes of “0’s” and clearing RAM modules, much of the concern is now mitigated (provided that the add-on kit has been installed and configured properly).
Now that we are aware of the fact these devices have the ability to store information, like files, emails, faxes, latent images, and everything else we use these devices for (yes – even file shares), what does the end of life procedure look like? What do we do with the non-aware models or models that didn’t get the up fit? There is a two-fold answer and briefly, this is how to address it:
1) Deal with hard drives like we would normally deal with an old drive – drill holes, degauss it, or drop it in an external drive and let a program do the work. The only draw back is that some manufacturers use a proprietary operating system that will have to be reinstalled in order for the machine to function. This isn’t a problem if the equipment is being discarded. If the equipment is at an end of lease and will have to be returned to a leasing company, a functioning drive will have to be reinstalled.
2) Contact the original vendor and have them work with you to certify the procedure has been followed and the data has been removed and any necessary firmware/software has been reinstalled to factory defaults.
In closing, the aforementioned concerns are real and affect every business in just about every industry. When addressing security, don’t overlook the copier!
