SlideShare ist ein Scribd-Unternehmen logo

Bizhub v care security white paper version 2

B
Barry A. Johnson, Six Sigma Green Belt, CDIA+
Technologie
1 von 19
Downloaden Sie, um offline zu lesen
Security White Paper Konica Minolta bizhub vCare with Secure HTTP/HTTPs Device Relationship Management System August 2010 Miercom www.miercom.com
    Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 2 Contents 1.0 Executive Summary............................................................................................................3 2.0 Terminology Used in this Document ...................................................................................4 3.0 Testing Methodology...........................................................................................................5 3.1 Test Bed ......................................................................................................................5 4.0 Overview of vCare ..............................................................................................................6 5.0 Overview of vCare Email Communication Methods............................................................7 5.1 vCare One-Way Email Communication.......................................................................7 5.2 vCare Two-Way Email Communication.......................................................................8 5.3 vCare One-Way HTTP/HTTPs Communication ..........................................................9 5.4 vCare Two-Way HTTP/HTTPs Communication ........................................................10 6.0 Security Assessment of the vCare-enabled MFP's vulnerability from OUTSIDE the customer's firewall - MFPs utilizing POP3/SMTP email and HTTP/HTTPs................11 6.1 Can opening the customer's firewall to POP3 be a conduit for attacks on the network?.........................................................................................................12 6.2 Steps for the CUSTOMER to mitigate risk to POP3 implementation.........................12 7.0 Security Assessment of the vCare-enabled MFP's vulnerability from OUTSIDE the customer's firewall - MFPs utilizing SMTP email ........................................................14 7.1 Can opening the customer's firewall to SMTP be a conduit for attacks on the network?.........................................................................................................14 7.2. Steps for the CUSTOMER to mitigate risk when implementing SMTP email systems.................................................................................................14 8.0 Security Assessment of the vCare-enabled MFP's vulnerability from INSIDE the customer's firewall - MFPs utilizing POP3 or SMTP email. ........................................16 8.1 Can opening the customer's firewall to POP3 be a conduit for attacks on the network?.........................................................................................................16 8.2 Protocol Mutation test against vCare server..............................................................16 8.3 Steps for the CUSTOMER to mitigate risk inside the network...................................17 9.0 Conclusion ........................................................................................................................18 About Miercom.........................................................................................................................19
    Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 3 1.0 Executive Summary Multifunctional printers (MFPs) from Konica Minolta Business Solutions U.S.A., Inc. (Konica Minolta) with uptime management provided by vCare Device Relationship Management System proved in thorough lab testing and onsite assessment to provide superior resiliency and resistance to network compromise and achieved Miercom Certified Secure for the third consecutive year. Miercom tested the overall security of Konica Minolta’s device relationship management system bizhub vCare (vCare), complete with bizhub C652DS series, C360 series, bizhub 423 series, bizhub 500 and 350 series. Also included are the bizhub PRO 1050, bizhub PRO 1200, bizhub PRO C6501, and bizhub PRESS C8000 digital presses, as part of an ongoing security assessment of the product solution under the Miercom Certified Secure Program. The vCare component was tested as a complete solution while Miercom engineers assessed the dialog between the vCare Service Center and the MFPs for potential vulnerability. We evaluated the overall capability of vCare to provide uptime management of networked MFPs. We reviewed the security of the MFPs themselves for vulnerability to DOS and other attacks with specific attacks relating to the vCare port and protocol ingress and egress connectivity to the MFPs on the network. Certain specifics of the vulnerability testing conducted were omitted from this document as we did not want to provide someone the information needed to abuse SMTP or POP3 services. We did wish to provide for the purpose of education and awareness sufficient detail to assist administrators in hardening their network environments. For most secure deployments, vCare supports one way communications (push only) using SMTP and secure HTTP/HTTPs. These configurations are advisable for the most security conscious enterprise customers. However no vulnerabilities were discovered in the two-way communications methods supported by vCare while conducting this security assessment. During a hands-on testing analysis explained in this white paper, Miercom found vCare to be a secure device relationship management system that enables uptime management of network multifunction printers and copiers. Based on an extensive security vulnerability analysis of the complete vCare system, Miercom believes vCare can be installed without compromising the security of a customer’s network. The uptime management benefits of utilizing vCare are tremendous. The system maximizes MFP uptime through real-time service alerts. Real-time email alerts were observed for critical events such as a cooling fan failure in the device. For example, the bizhub C253 has 130 specific trouble codes that it can report. The number of trouble codes and corresponding trouble counters reported by vCare is specific to each model. Miercom recommends customers to employ a layered active security defense to any network. The deployment of vCare on a customer’s network is a recommended option to aid with device uptime management. The requirements to use the system should not concern even the most security conscious customers.
    Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 4 2.0 Terminology Used in this Document Attack Vector — a vulnerability test type targeting a specific area of protocol, port or other focused area to attack. Certified Secure — Miercom’s Certified Secure testing certification is a program started in 2001 that established the industry’s first product and technology agnostic approach to security testing. Certified Secure Testing involves the complete system or solution for a product or service being tested using an arsenal of vulnerability security targets. Denial of Service (DoS) — a malicious or inadvertent disruption of a network which renders it unusable or diminished in functionality during the period of the attack. Multifunction Printer (MFP) — a network device that offers many functions, including but not limited to, network copying, fax, scanning and other functions consolidated in one device. Mutations — a variation of an attack vector in which the data is manipulated (payload information is mutated) in order to bypass security countermeasures that employ pattern recognition technology. Post Office Protocol (POP3) —protocol used to retrieve email from a server. Most email applications use the POP3 protocol. POP3 email is commonly critiqued for lack of security if not implemented correctly. POP3 is used to retrieve or “pull mail” whereas SMTP is used to “push” mail to external mail servers when POP3/SMTP are used in conjunction to one another. Security Target (ST) — a set of security requirements and specifications used for testing products. Simple Mail Transfer Protocol (SMTP) — is the foundation of Internet email. SMTP used in conjunction with a mail client application is used to send and retrieve mail. System Under Test (SUT) — Alternatively referred to as a Target of Evaluation (TOE) in other publications. An IT product or system and its associated administrator and user guidance documentation that is the subject of an evaluation.
    Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 5 3.0 Testing Methodology Miercom used a combination of custom, proprietary, commercial, and open source tools when conducting this security assessment. The test bed consisted of Konica Minolta multiple multifunction printers (MFPs) connected to a network with no security countermeasures employed. We would never expect or recommend such an unsecure environment for customer deployment, however it provides the ideal “worst case” scenario for assessing security vulnerabilities. Test systems included ClearSight Analyzers, open source test scripts, and a Mu Security 4000 Analyzer. The ClearSight Analyzer was used to monitor and capture POP3 and SMTP traffic between the bizhub MFPs and the vCare server. Sequences of normal status and maintenance traffic as well as manually induced fan failures and recovery alert conversations between the bizhub MFP and vCare server -- in both encrypted and unencrypted mode -- were captured and analyzed to determine what sensitive information might be revealed by eavesdropping. 3.1 Test Bed Security Appliance Netgear hub vCare Server 3Com hub bizhub 500 bizhub 350 bizhub Pro 1050 bizhub C253 bizhub 600 Clearsight Analyzer Security Interface
    Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 6 4.0 Overview of vCare bizhub vCare is Konica Minolta’s Device Relationship Management (DRM) System which consists of embedded technology within the Konica Minolta MFP and an off- site vCare Server. Through brief email messages, the vCare-enabled MFP communicates diagnostic and counter information as requested by the vCare Server. bizhub vCare works in the background and never interferes with the operation of the MFP. bizhub vCare enhances the customer experience in four ways: 1. Automatically reads the meters and frees the customer from the meter collection process. 2. Improves availability of the bizhub product by providing intelligent supply notifications to the customer to alert them when a specific toner is almost empty, is empty; when the waste toner bottle is almost full, is full, etc. 3. Improve machine uptime through real-time service alerts. 4. Utilizes the machine performance information collected by vCare to deliver proactive service. vCare provides maximum uptime of network equipment by enabling preemptive order replacement of wearing components and supplies before they run out. Konica Minolta vCare is an environmentally friendly solution that reduces the need for service visits and unnecessary travel to equipment in the field.
    Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 7 5.0 Overview of vCare Email Communication Methods Konica Minolta multifunction printers support four methods to communicate embedded technology within the Konica Minolta MFP and an off-site vCare Server: 1) POP3 retrieval and SMTP push email; 2) SMTP push email only; 3) Secure HTTP/HTTPs push, and 4) Secure HTTP/HTTPs. These methods are illustrated in the following diagrams: 5.1 vCare One-Way Email Communication One-Way Email Communication is initiated from the bizhub MFP to send information, such as counter status, once a day to the vCare server. SMTP push is also used to send all alert notifications to predesignated email accounts via the vCare server. MFP Email Server vCare Web View (Service and Administration) Customer Notifications INTERNET vCare Server
    Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 8 5.2 vCare Two-Way Email Communication Two-Way Email Communication allows the bizhub MFP to poll the vCare server for requests for counter status. SMTP push is also used to send these status messages, as well as alert notifications, to predesignated email accounts via the vCare server. Email Server Customer Notifications INTERNET MFP vCare Web View (Service and Administration) vCare Server
    Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 9 5.3 vCare One-Way HTTP/HTTPs Communication One-Way HTTP/HTTPs Communication is initiated from the bizhub MFP to send information, such as counter status, once a day to the vCare server. HTTP/HTTPs push is also used to send all alert notifications to the predesignated vCare server. Although HTTPs tested favorably by Miercom, the ability for Konica Minolta to support it through their infrastructure service is under development. MFP Customer Notifications INTERNET vCare Server vCare Web View (Service and Administration)
    Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 10 5.4 vCare Two-Way HTTP/HTTPs Communication Two-Way HTTP/HTTPs Communication allows the vCare server to initiate communications to the bizhub MFP to request information, such as counter status, and report back to the vCare server. HTTP/HTTPs push is also used to send all alert notifications to the pre-designated vCare server. Although HTTPs tested favorably by Miercom, the ability for Konica Minolta to support it through their infrastructure service is under development. MFP Customer Notifications INTERNET vCare Server vCare Web View (Service and Administration)
    Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 11 6.0 Security Assessment of the vCare-enabled MFP's vulnerability from OUTSIDE the customer's firewall - MFPs utilizing POP3/SMTP email and HTTP/HTTPs Miercom conducted a series of vulnerability analyses and attacks in the same way a hacker would attempt to gain unauthorized access or deny use of network resources. We found the POP3, SMTP, and HTTP/HTTPs implementation of the vCare service particularly robust and resistant to hacking from outside the network, based on hands- on testing for the following reasons: 1. The vCare system utilizes an external mail server and does not rely on or reveal any information regarding the customer premise mail server. 2. It is very unlikely that open ports for SMTP, POP3 or HTTP/HTTPs could be used as access points to a customer’s private network if a properly configured firewall is implemented. Following standard practices for firewall configuration and suggestions included in this document will alleviate this threat. 3. The information contained within the payload component of the email messages can be encrypted by the MFPs’ communications to and from the vCare servers. We confirmed by traffic capture that no useful intelligible data could be utilized from the encrypted data. 4. The pre-encrypted information content transmitted by the MFPs to and from the vCare servers is of no use to a hacker to gain insight to the interior network. Basic statistics, counter information and non-sensitive details on the copier’s health is the only information contained within these messages. 5. Three levels of protection are provided on messages between the vCare server and the MFP, including proprietary header, proprietary attachment file and predefined source and destination addresses. 6. The basic information for copier health mentioned above can only be determined through decodes using Konica Minolta’s proprietary procedure of the DAT file types. 7. Email messages to and from vCare servers are handled in a proprietary way that can reside transparently on a customer’s network with no interaction whatsoever of the customer’s premise mail server. 8. “Spoofing” for other malicious use of this mail component of vCare to do harm to customer premise equipment of the underlying network was found ineffective in our real world testing.
    Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 12 6.1 Can opening the customer's firewall to POP3 be a conduit for attacks on the network? POP3 email hacking, in its most common form, is used to either access mail accounts or to spoof legitimate user accounts (unauthorized send on behalf of) and send messages that may flood a network or overwhelm a mail server. A properly- configured, firewalled network with mail filtering systems installed alleviates this threat. It is extremely unlikely for a hacker to utilize POP3 as a network ingress point, with the exception of installing or packaging malicious code (to provide this entry point) in the payload or attachment component of the mail message. We tested specifically for this vulnerability and found the implementation of the vCare service using email to be extremely resilient to “piggy-back” or “Trojan” access vulnerability to a network. The following explains why we feel Konica Minolta’s implantation of POP3 is secure: 1. Tests were conducted in which we attempted to send malicious content using the POP3 mail handling component of vCare. These attacks were thwarted by the vCare server and content was not delivered to the server message blocks (SMBs) or anywhere onto the customer’s protected network. 2. We were unable to compromise the POP3 mail handling system of vCare in any way that would allow a malicious attack directly through a firewalled environment. 3. Konica Minolta uses a very defined, finite, and securable email dialog for the POP3 service it utilizes. This allows a network administrator to very easily provide a limited POP3 service to traverse the customer firewall without need to open POP3 globally. 6.2 Steps for the CUSTOMER to mitigate risk to POP3 implementation 1. Using different (non standard) port numbers for a customer's own POP3 mail is recommended if POP3 is utilized on their own servers. vCare will not employ any of the customer premise mail servers. However, if port access is opened to SMTP or POP3 through the customer's firewall, measures can be taken to ensure the customer’s mail servers (unrelated to vCare) are hardened. 2. Follow the vendor’s instructions for hardening firewalls by opening only ports that are necessary. 3. If the only POP3 access to the network is for vCare, additional filters for source and destination address, specific content filtering and other techniques may be applied to restrict other POP3 unauthorized traffic.
    Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 13 4. Encrypt communications using SSL to protect network traffic. 5. Utilize Konica Minolta’s bizhub products that support SMTP push-only technology, if the customer is decidedly against using POP3 access through their firewall. 6. From inside the LAN, use an internal firewall to protect against accidental breaches or malicious attacks. Front-end servers can be secured by placing them inside a perimeter network (called a demilitarized zone [DMZ]), with the back-end server inside the inner firewall. 7. Again, although vCare will not utilize the customer premise mail server, the customer may still wish to harden their own mail server from attack. A common attack by flooding the mail server with mail to cause a Denial of Service can be prevented by using a number of restrictions and limiting techniques including:  CONNECTION RATE THROTTLING — The number of connections the server can receive per second. Setting a limit on this number can delay further connections.  MAX DAEMON CHILDREN — The maximum number of child processes that can be spawned by the server.  MIN FREE BLOCKS — The minimum number of free blocks which must be available for the server to accept mail.  MAX HEADERS LENGTH — The maximum acceptable size (in bytes) for a message header.  MAX MESSAGE SIZE — The maximum acceptable size (in bytes) for any one message. 8. Follow procedures outlined later in the document for mitigating risk for SMTP regarding firewalls and other network hardening measures.
    Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 14 7.0 Security Assessment of the vCare-enabled MFP's vulnerability from OUTSIDE the customer's firewall - MFPs utilizing SMTP email Like many other tools, SMTP can have a dark side. This is mainly due to the fact that, as you'd expect from something with the word "simple" in its name, SMTP is simple to install and use. Because of that, SMTP email, like POP3 email hacking in its most common form, is often improperly used to access mail accounts or spoof (unauthorized send on behalf of) messages that may flood a network or overwhelm a mail server. The key is creating good policies for SMTP’s use on networks. A properly configured firewalled network with mail filtering systems installed alleviates this threat. 7.1 Can opening the customer's firewall to SMTP be a conduit for attacks on the network? It is highly unlikely a hacker would choose to use SMTP as a network ingress point except for installing malicious code in the payload or attachment part of a mail message. During our tests, we found the vCare service to be highly resilient to Trojans or other ingress points for network attack. Even with the low risk to attack by opening ports to SMTP, the following are steps that a customer could take to further harden the network environment. 7.2. Steps for the CUSTOMER to mitigate risk when implementing SMTP email systems 1. Reduce the number of gateways that are allowed to communicate via SMTP on the Internet to only those required. All processes that must send email should be allowed to forward it only through an authorized gateway. 2. Administrators should establish firewall rules that allow only authorized gateways to communicate with outside servers on TCP ports 25 or 465. 3. Again, although vCare will not utilize the customer premise mail server, the customer may still wish to harden their own mail server from attack if ports are opened for SMTP access through the customer premise firewall. To help stop attackers from speaking SMTP directly to a full-featured server, experts recommend using a substitute server. Only a handful of commands are needed by an SMTP server to accept mail. A few ways to mitigate this risk are outlined below: a. Use a substitute SMTP server - consider using smap, if you have a Linux/Unix based server, as a "wrapper" for your SMTP server. Wrapper or mail proxy programs accept incoming messages from the Internet via SMTP, using the very minimum necessary set of SMTP
    Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 15 commands. It then stores each message it receives in a separate file that is then accessed by the primary mail server. The result of using this substitute SMTP server is that a hacker never has a direct SMTP connection to the primary mail server. b. Test your firewall - you can test your firewall rules to ensure they are working properly. We recommend scanning tools for this purpose. Some recommended all-in-one tools that allow for broad testing capabilities that make the network scanning process less painful and time consuming: Nessus, QualysGuard, NetCat, Traffic IQ Pro by Karalon, and GFI LANguard Network Security Scanner. These tools identify open ports on the test networks and present information on SNMP, operating system, and special alerts. 4. Countermeasures against firewall attacks - the following countermeasures can prevent a hacker from testing the firewall a. Limit traffic - set rules on the firewall or router to allow authorized traffic. Have permission/rules in place for external access that allows only specified inbound and outbound traffic. This is the best defense to prevent an attack on the firewall. b. Block ICMP to help prevent abuse from automated tools, such as Firewalk. c. Stateful packet inspection on the firewall can block unsolicited requests.
    Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 16 8.0 Security Assessment of the vCare-enabled MFP's vulnerability from INSIDE the customer's firewall - MFPs utilizing POP3 or SMTP email. In the event of a hacker successfully infiltrating the firewall and other network defenses and having gained access to the network, a second level of security countermeasures are needed to protect resources inside the network. A layered defense, rather then an all-in-one solution, with a strong external firewall is required. Once inside the firewall, it is easy to see the passwords for POP3 email accounts in the clear. This allows for logging into the POP server to get mail, since unencrypted usernames and passwords appear on the network. The use of Web forms that contain usernames and passwords can also expose usernames and passwords. The primary vulnerability seen from within the network regarding POP3 is the potential access to the email accounts themselves. SMTP service is always a “push” sending email out from the MFPs off the customer network. There is little to no risk from inside the network from an SMTP standpoint. 8.1 Can opening the customer's firewall to POP3 be a conduit for attacks on the network? Using techniques described previously in this document for network and email server hardening will mitigate this risk. Hands-on vulnerability testing that Miercom conducted with “privileged” local access could only disrupt the vCare management system. We could not conduct further attacks on the network using POP3. The mail server for POP3 is located off the customer premise. We were unsuccessful as previously discussed using POP3 as a means to provide a greater DOS attack. 8.2 Protocol Mutation test against vCare server Protocol mutation attacks created by the Mu-4000 Service Analyzer were directed at the Konica Minolta vCare server to test for vulnerabilities in protocol implementation. The mutation engine maps the attack surface (vCare server) looking for fault conditions. These include highly specific, stateful test cases that are built based on the state, structure and semantics of protocols as well their interdependencies on other protocols. Test The HTTP/HTTPs mutation attack was run with 11,135 different variants. Each variant/attack vector carried a single protocol mutation directed to the vCare server. We sent mutated HTTP/HTTPS requests to the vCare server once we achieved a TCP connection.
    Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 17 Observations All directed attacks to the vCare server were handled successfully and no faults were found. The vCare server was available for the duration of the test. There were no vulnerabilities detected with HTTP/HTTPs protocol implementation on the vCare server. 8.3 Steps for the CUSTOMER to mitigate risk inside the network Although vCare poses no additional risk to customer networks, Miercom recommends implementing intrusion detection technologies and switching equipment that employs rate limiting and other DoS thwarting measures on any network.
    Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 18 9.0 Conclusion “Konica Minolta offers the market the most resilient and secure MFP solutions with exceptional uptime management. Konica Minolta is the only vendor to date to have achieved Miercom Certified Secure for a third consecutive year for the multifunction printer products with uptime management provide by vCare Device Relationship Management System.” --- Rob Smithers, CEO Miercom vCare is a secure device relationship management system that enables uptime management of network multifunction printers and copiers. Based in extensive security vulnerability analysis of the complete vCare system, Miercom believes vCare can be installed without compromising the security of a customer’s network. The reasons that the vCare solution does not pose a security risk to a customer’s network: 1. Information that is transferred using vCare is of no significant use to a hacker. 2. Three layers of security are employed on all email messages used for vCare. 3. An SMTP push only for sending information off net requires no inbound network security access reconfiguration 4. Management option available through secure HTTP/HTTPs; also through “push only” default option for maximum security. Miercom conducted a battery of assaults to disrupt the multifunction printers using vCare. We were unsuccessful in hacking into the bizhub solutions through the network ports and unable to affect the ability of the multifunction printers to print, be managed, or actively participate in vCare reporting by any attacks through the vCare functionality. HTTPs tested favorably although the ability for Konica Minolta to support it through their infrastructure is under development. The uptime management benefits of utilizing vCare are tremendous. The system maximizes MFP uptime through real-time service alerts. Real-time email alerts were observed for critical events, such as a cooling fan failure in the device, and, depending on the model, there are over 100 trouble counters supported. Miercom recommends customers to employ a layered active security defense to any network. The deployment of vCare on a customer’s network is strongly encouraged as an aid with MFP device uptime management. We see no risk and only many benefits of implementing vCare in customer environments. The requirements to use the system should not concern even the most security conscious customers.
    Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 19 About Miercom Miercom has hundreds of product-comparison analyses published over the years in leading network trade periodicals including Network World, Business Communications Review - NoJitter, Communications News, xchange, Internet Telephony and other leading publications. Miercom’s reputation as the leading, independent product test center is unquestioned. Miercom’s private test services include competitive product analyses, as well as individual product evaluations. Miercom features comprehensive certification and test programs including: Certified Interoperable, Certified Reliable, Certified Secure and Certified Green. Products may also be evaluated under the NetWORKS As Advertised program, the industry’s most thorough and trusted assessment for product usability and performance. This report is available for download at http://www.miercom.com/konicaminolta Konica Minolta is a trademark of Konica Minolta Holdings, Inc. bizhub is a registered trademark of Konica Minolta Business Technologies, Inc. All other trademarks mentioned in this document are the property of their respective owners.

Empfohlen

Brochure network security-en
Brochure network security-enBrochure network security-en
Brochure network security-ensandeep1721
 
TMS320F28335 security
TMS320F28335 securityTMS320F28335 security
TMS320F28335 securityraje21
 
Security Engineering 2 (CS 5032 2012)
Security Engineering 2 (CS 5032 2012)Security Engineering 2 (CS 5032 2012)
Security Engineering 2 (CS 5032 2012)Ian Sommerville
 
CS5032 L9 security engineering 1 2013
CS5032 L9 security engineering 1 2013CS5032 L9 security engineering 1 2013
CS5032 L9 security engineering 1 2013Ian Sommerville
 
CS5032 L10 security engineering 2 2013
CS5032 L10 security engineering 2 2013CS5032 L10 security engineering 2 2013
CS5032 L10 security engineering 2 2013Ian Sommerville
 
Secure architecture-industrial-control-systems-36327
Secure architecture-industrial-control-systems-36327Secure architecture-industrial-control-systems-36327
Secure architecture-industrial-control-systems-36327vimal Kumar Gupta
 
Norman Patch and Remediation
Norman Patch and RemediationNorman Patch and Remediation
Norman Patch and RemediationKavlieBorge
 
Cloud Security Solution Overview
Cloud Security Solution OverviewCloud Security Solution Overview
Cloud Security Solution OverviewCisco Service Provider
 

Empfohlen

Brochure network security-en
Brochure network security-enBrochure network security-en
Brochure network security-ensandeep1721
 
TMS320F28335 security
TMS320F28335 securityTMS320F28335 security
TMS320F28335 securityraje21
 
Security Engineering 2 (CS 5032 2012)
Security Engineering 2 (CS 5032 2012)Security Engineering 2 (CS 5032 2012)
Security Engineering 2 (CS 5032 2012)Ian Sommerville
 
CS5032 L9 security engineering 1 2013
CS5032 L9 security engineering 1 2013CS5032 L9 security engineering 1 2013
CS5032 L9 security engineering 1 2013Ian Sommerville
 
CS5032 L10 security engineering 2 2013
CS5032 L10 security engineering 2 2013CS5032 L10 security engineering 2 2013
CS5032 L10 security engineering 2 2013Ian Sommerville
 
Secure architecture-industrial-control-systems-36327
Secure architecture-industrial-control-systems-36327Secure architecture-industrial-control-systems-36327
Secure architecture-industrial-control-systems-36327vimal Kumar Gupta
 
Norman Patch and Remediation
Norman Patch and RemediationNorman Patch and Remediation
Norman Patch and RemediationKavlieBorge
 
Cloud Security Solution Overview
Cloud Security Solution OverviewCloud Security Solution Overview
Cloud Security Solution OverviewCisco Service Provider
 
Cisco VMDC Cloud Security 1.0 Design Guide
Cisco VMDC Cloud Security 1.0 Design GuideCisco VMDC Cloud Security 1.0 Design Guide
Cisco VMDC Cloud Security 1.0 Design GuideCisco Service Provider
 
CS5032 L11 validation and reliability testing 2013
CS5032 L11 validation and reliability testing 2013CS5032 L11 validation and reliability testing 2013
CS5032 L11 validation and reliability testing 2013Ian Sommerville
 
Ch13 security engineering
Ch13 security engineeringCh13 security engineering
Ch13 security engineeringsoftware-engineering-book
 
CS 5032 L12 security testing and dependability cases 2013
CS 5032 L12 security testing and dependability cases 2013CS 5032 L12 security testing and dependability cases 2013
CS 5032 L12 security testing and dependability cases 2013Ian Sommerville
 
Security case buffer overflow
Security case buffer overflowSecurity case buffer overflow
Security case buffer overflowIan Sommerville
 
Security framework for connected devices
Security framework for connected devicesSecurity framework for connected devices
Security framework for connected devicesHCL Technologies
 
C90 Security Service
C90 Security ServiceC90 Security Service
C90 Security Servicechristoboshoff
 
Network Architecture Review Checklist
Network Architecture Review ChecklistNetwork Architecture Review Checklist
Network Architecture Review ChecklistEberly Wilson
 
NIST Framework for Information System
NIST Framework for Information SystemNIST Framework for Information System
NIST Framework for Information Systemnewbie2019
 
Trusted computing: an overview
Trusted computing: an overviewTrusted computing: an overview
Trusted computing: an overviewTJR Global
 
PCI DSS & Virtualization
PCI DSS & Virtualization PCI DSS & Virtualization
PCI DSS & VirtualizationTobyRobinson13
 
Fuzzing101: Unknown vulnerability management for Telecommunications
Fuzzing101: Unknown vulnerability management for TelecommunicationsFuzzing101: Unknown vulnerability management for Telecommunications
Fuzzing101: Unknown vulnerability management for TelecommunicationsCodenomicon
 
High dependability of the automated systems
High dependability of the automated systemsHigh dependability of the automated systems
High dependability of the automated systemsAlan Tatourian
 
In Quest of Benchmarking Security Risks to Cyber-Physical Systems
In Quest of Benchmarking Security Risks to Cyber-Physical SystemsIn Quest of Benchmarking Security Risks to Cyber-Physical Systems
In Quest of Benchmarking Security Risks to Cyber-Physical SystemsDETER-Project
 
Introduction to Symantec Endpoint Management75.pptx
Introduction to Symantec Endpoint Management75.pptxIntroduction to Symantec Endpoint Management75.pptx
Introduction to Symantec Endpoint Management75.pptxArrow ECS UK
 
Update On The Cern. Computing And Network Infrastructure For Controls. (Cnic)...
Update On The Cern. Computing And Network Infrastructure For Controls. (Cnic)...Update On The Cern. Computing And Network Infrastructure For Controls. (Cnic)...
Update On The Cern. Computing And Network Infrastructure For Controls. (Cnic)...ESS BILBAO
 
Security engineering
Security engineeringSecurity engineering
Security engineeringOWASP Indonesia Chapter
 
20090106c Presentation Custom
20090106c Presentation Custom20090106c Presentation Custom
20090106c Presentation Customgkelley
 
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...Area41
 
Safety control systems: Some essential considerations
Safety control systems: Some essential considerationsSafety control systems: Some essential considerations
Safety control systems: Some essential considerationsOptima Control Solutions
 
Sight Sound and Motion Group 4
Sight Sound and Motion Group 4Sight Sound and Motion Group 4
Sight Sound and Motion Group 4Mathysse Gómez-Bera
 
Km la major accounts brochure pdf
Km la major accounts brochure pdfKm la major accounts brochure pdf
Km la major accounts brochure pdfBarry A. Johnson, Six Sigma Green Belt, CDIA+
 

Weitere ähnliche Inhalte

Was ist angesagt?

Cisco VMDC Cloud Security 1.0 Design Guide
Cisco VMDC Cloud Security 1.0 Design GuideCisco VMDC Cloud Security 1.0 Design Guide
Cisco VMDC Cloud Security 1.0 Design GuideCisco Service Provider
 
CS5032 L11 validation and reliability testing 2013
CS5032 L11 validation and reliability testing 2013CS5032 L11 validation and reliability testing 2013
CS5032 L11 validation and reliability testing 2013Ian Sommerville
 
CS 5032 L12 security testing and dependability cases 2013
CS 5032 L12 security testing and dependability cases 2013CS 5032 L12 security testing and dependability cases 2013
CS 5032 L12 security testing and dependability cases 2013Ian Sommerville
 
Security case buffer overflow
Security case buffer overflowSecurity case buffer overflow
Security case buffer overflowIan Sommerville
 
Security framework for connected devices
Security framework for connected devicesSecurity framework for connected devices
Security framework for connected devicesHCL Technologies
 
Network Architecture Review Checklist
Network Architecture Review ChecklistNetwork Architecture Review Checklist
Network Architecture Review ChecklistEberly Wilson
 
NIST Framework for Information System
NIST Framework for Information SystemNIST Framework for Information System
NIST Framework for Information Systemnewbie2019
 
Trusted computing: an overview
Trusted computing: an overviewTrusted computing: an overview
Trusted computing: an overviewTJR Global
 
PCI DSS & Virtualization
PCI DSS & Virtualization PCI DSS & Virtualization
PCI DSS & VirtualizationTobyRobinson13
 
Fuzzing101: Unknown vulnerability management for Telecommunications
Fuzzing101: Unknown vulnerability management for TelecommunicationsFuzzing101: Unknown vulnerability management for Telecommunications
Fuzzing101: Unknown vulnerability management for TelecommunicationsCodenomicon
 
High dependability of the automated systems
High dependability of the automated systemsHigh dependability of the automated systems
High dependability of the automated systemsAlan Tatourian
 
In Quest of Benchmarking Security Risks to Cyber-Physical Systems
In Quest of Benchmarking Security Risks to Cyber-Physical SystemsIn Quest of Benchmarking Security Risks to Cyber-Physical Systems
In Quest of Benchmarking Security Risks to Cyber-Physical SystemsDETER-Project
 
Introduction to Symantec Endpoint Management75.pptx
Introduction to Symantec Endpoint Management75.pptxIntroduction to Symantec Endpoint Management75.pptx
Introduction to Symantec Endpoint Management75.pptxArrow ECS UK
 
Update On The Cern. Computing And Network Infrastructure For Controls. (Cnic)...
Update On The Cern. Computing And Network Infrastructure For Controls. (Cnic)...Update On The Cern. Computing And Network Infrastructure For Controls. (Cnic)...
Update On The Cern. Computing And Network Infrastructure For Controls. (Cnic)...ESS BILBAO
 
20090106c Presentation Custom
20090106c Presentation Custom20090106c Presentation Custom
20090106c Presentation Customgkelley
 
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...Area41
 
Safety control systems: Some essential considerations
Safety control systems: Some essential considerationsSafety control systems: Some essential considerations
Safety control systems: Some essential considerationsOptima Control Solutions
 

Was ist angesagt? (20)

Cisco VMDC Cloud Security 1.0 Design Guide
Cisco VMDC Cloud Security 1.0 Design GuideCisco VMDC Cloud Security 1.0 Design Guide
Cisco VMDC Cloud Security 1.0 Design Guide
 
CS5032 L11 validation and reliability testing 2013
CS5032 L11 validation and reliability testing 2013CS5032 L11 validation and reliability testing 2013
CS5032 L11 validation and reliability testing 2013
 
Ch13 security engineering
Ch13 security engineeringCh13 security engineering
Ch13 security engineering
 
CS 5032 L12 security testing and dependability cases 2013
CS 5032 L12 security testing and dependability cases 2013CS 5032 L12 security testing and dependability cases 2013
CS 5032 L12 security testing and dependability cases 2013
 
Security case buffer overflow
Security case buffer overflowSecurity case buffer overflow
Security case buffer overflow
 
Security framework for connected devices
Security framework for connected devicesSecurity framework for connected devices
Security framework for connected devices
 
C90 Security Service
C90 Security ServiceC90 Security Service
C90 Security Service
 
Network Architecture Review Checklist
Network Architecture Review ChecklistNetwork Architecture Review Checklist
Network Architecture Review Checklist
 
NIST Framework for Information System
NIST Framework for Information SystemNIST Framework for Information System
NIST Framework for Information System
 
Trusted computing: an overview
Trusted computing: an overviewTrusted computing: an overview
Trusted computing: an overview
 
PCI DSS & Virtualization
PCI DSS & Virtualization PCI DSS & Virtualization
PCI DSS & Virtualization
 
Fuzzing101: Unknown vulnerability management for Telecommunications
Fuzzing101: Unknown vulnerability management for TelecommunicationsFuzzing101: Unknown vulnerability management for Telecommunications
Fuzzing101: Unknown vulnerability management for Telecommunications
 
High dependability of the automated systems
High dependability of the automated systemsHigh dependability of the automated systems
High dependability of the automated systems
 
In Quest of Benchmarking Security Risks to Cyber-Physical Systems
In Quest of Benchmarking Security Risks to Cyber-Physical SystemsIn Quest of Benchmarking Security Risks to Cyber-Physical Systems
In Quest of Benchmarking Security Risks to Cyber-Physical Systems
 
Introduction to Symantec Endpoint Management75.pptx
Introduction to Symantec Endpoint Management75.pptxIntroduction to Symantec Endpoint Management75.pptx
Introduction to Symantec Endpoint Management75.pptx
 
Update On The Cern. Computing And Network Infrastructure For Controls. (Cnic)...
Update On The Cern. Computing And Network Infrastructure For Controls. (Cnic)...Update On The Cern. Computing And Network Infrastructure For Controls. (Cnic)...
Update On The Cern. Computing And Network Infrastructure For Controls. (Cnic)...
 
Security engineering
Security engineeringSecurity engineering
Security engineering
 
20090106c Presentation Custom
20090106c Presentation Custom20090106c Presentation Custom
20090106c Presentation Custom
 
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
 
Safety control systems: Some essential considerations
Safety control systems: Some essential considerationsSafety control systems: Some essential considerations
Safety control systems: Some essential considerations
 

Andere mochten auch

MingJunYou Design Works Selection
MingJunYou Design Works Selection MingJunYou Design Works Selection
MingJunYou Design Works Selection +MingJun You/Design
 
PRESENTACION PERSONAL ANDREA
PRESENTACION PERSONAL ANDREAPRESENTACION PERSONAL ANDREA
PRESENTACION PERSONAL ANDREAAndrea Ruiz
 
Mint Wireless AGM presentation November 2013 Mobile Payments
Mint Wireless AGM presentation November 2013 Mobile PaymentsMint Wireless AGM presentation November 2013 Mobile Payments
Mint Wireless AGM presentation November 2013 Mobile PaymentsMint Wireless Limited
 

Andere mochten auch (6)

Sight Sound and Motion Group 4
Sight Sound and Motion Group 4Sight Sound and Motion Group 4
Sight Sound and Motion Group 4
 
Km la major accounts brochure pdf
Km la major accounts brochure pdfKm la major accounts brochure pdf
Km la major accounts brochure pdf
 
Bizhub press c8000_brochure
Bizhub press c8000_brochureBizhub press c8000_brochure
Bizhub press c8000_brochure
 
MingJunYou Design Works Selection
MingJunYou Design Works Selection MingJunYou Design Works Selection
MingJunYou Design Works Selection
 
PRESENTACION PERSONAL ANDREA
PRESENTACION PERSONAL ANDREAPRESENTACION PERSONAL ANDREA
PRESENTACION PERSONAL ANDREA
 
Mint Wireless AGM presentation November 2013 Mobile Payments
Mint Wireless AGM presentation November 2013 Mobile PaymentsMint Wireless AGM presentation November 2013 Mobile Payments
Mint Wireless AGM presentation November 2013 Mobile Payments
 

Ähnlich wie Bizhub v care security white paper version 2

BreakingPoint Storm CTM Cost-Effective Testing Solution
BreakingPoint Storm CTM Cost-Effective Testing SolutionBreakingPoint Storm CTM Cost-Effective Testing Solution
BreakingPoint Storm CTM Cost-Effective Testing SolutionIxia
 
Miercom Unified Threat Management Report - WatchGuard M270
Miercom Unified Threat Management Report - WatchGuard M270Miercom Unified Threat Management Report - WatchGuard M270
Miercom Unified Threat Management Report - WatchGuard M270BAKOTECH
 
Securing the Digital Frontier: SecurityGen's Telecom Cybersecurity Solutions
Securing the Digital Frontier: SecurityGen's Telecom Cybersecurity SolutionsSecuring the Digital Frontier: SecurityGen's Telecom Cybersecurity Solutions
Securing the Digital Frontier: SecurityGen's Telecom Cybersecurity SolutionsSecurityGen1
 
Guardians of Connection: Signalling Protection in the Digital Age
Guardians of Connection: Signalling Protection in the Digital AgeGuardians of Connection: Signalling Protection in the Digital Age
Guardians of Connection: Signalling Protection in the Digital AgeSecurityGen1
 
Operational Technology Security Solution for Utilities
Operational Technology Security Solution for UtilitiesOperational Technology Security Solution for Utilities
Operational Technology Security Solution for UtilitiesKrishna Chennareddy
 
Advantages And Disadvantages Of Nc
Advantages And Disadvantages Of NcAdvantages And Disadvantages Of Nc
Advantages And Disadvantages Of NcKristen Wilson
 
ACE: ARTIFICIAL CYBERSECURITY EXPERT
ACE: ARTIFICIAL CYBERSECURITY EXPERTACE: ARTIFICIAL CYBERSECURITY EXPERT
ACE: ARTIFICIAL CYBERSECURITY EXPERTSecurity Gen
 
Unleashing the Power of Breach and Attack Simulation with SecurityGen
Unleashing the Power of Breach and Attack Simulation with SecurityGenUnleashing the Power of Breach and Attack Simulation with SecurityGen
Unleashing the Power of Breach and Attack Simulation with SecurityGenSecurityGen1
 
Security in a Virtualised Computing
Security in a Virtualised ComputingSecurity in a Virtualised Computing
Security in a Virtualised ComputingIOSR Journals
 
How Test Labs Reduce Cyber Security Threats to Industrial Control Systemse cy...
How Test Labs Reduce Cyber Security Threats to Industrial Control Systemse cy...How Test Labs Reduce Cyber Security Threats to Industrial Control Systemse cy...
How Test Labs Reduce Cyber Security Threats to Industrial Control Systemse cy...Schneider Electric
 
Are your industrial networks protected...Ethernet Security Firewalls
Are your industrial networks protected...Ethernet Security Firewalls Are your industrial networks protected...Ethernet Security Firewalls
Are your industrial networks protected...Ethernet Security Firewalls Schneider Electric
 
CyberoamVirtualSecurityBrochure
CyberoamVirtualSecurityBrochureCyberoamVirtualSecurityBrochure
CyberoamVirtualSecurityBrochureBaqar kazmi
 
CyberoamVirtualSecurityBrochure
CyberoamVirtualSecurityBrochureCyberoamVirtualSecurityBrochure
CyberoamVirtualSecurityBrochureMaliha Ali
 
CyberoamVirtualSecurityBrochure
CyberoamVirtualSecurityBrochureCyberoamVirtualSecurityBrochure
CyberoamVirtualSecurityBrochureBaqar Kazmi
 
CyberoamVirtualSecurityBrochure
CyberoamVirtualSecurityBrochureCyberoamVirtualSecurityBrochure
CyberoamVirtualSecurityBrochurebakar kazmi
 
Secure Virtualization for Cloud Environment Using Guest OS and VMM-based Tech...
Secure Virtualization for Cloud Environment Using Guest OS and VMM-based Tech...Secure Virtualization for Cloud Environment Using Guest OS and VMM-based Tech...
Secure Virtualization for Cloud Environment Using Guest OS and VMM-based Tech...ijcncs
 

Ähnlich wie Bizhub v care security white paper version 2 (20)

BreakingPoint Storm CTM Cost-Effective Testing Solution
BreakingPoint Storm CTM Cost-Effective Testing SolutionBreakingPoint Storm CTM Cost-Effective Testing Solution
BreakingPoint Storm CTM Cost-Effective Testing Solution
 
Miercom Unified Threat Management Report - WatchGuard M270
Miercom Unified Threat Management Report - WatchGuard M270Miercom Unified Threat Management Report - WatchGuard M270
Miercom Unified Threat Management Report - WatchGuard M270
 
Securing the Digital Frontier: SecurityGen's Telecom Cybersecurity Solutions
Securing the Digital Frontier: SecurityGen's Telecom Cybersecurity SolutionsSecuring the Digital Frontier: SecurityGen's Telecom Cybersecurity Solutions
Securing the Digital Frontier: SecurityGen's Telecom Cybersecurity Solutions
 
Guardians of Connection: Signalling Protection in the Digital Age
Guardians of Connection: Signalling Protection in the Digital AgeGuardians of Connection: Signalling Protection in the Digital Age
Guardians of Connection: Signalling Protection in the Digital Age
 
Operational Technology Security Solution for Utilities
Operational Technology Security Solution for UtilitiesOperational Technology Security Solution for Utilities
Operational Technology Security Solution for Utilities
 
Advantages And Disadvantages Of Nc
Advantages And Disadvantages Of NcAdvantages And Disadvantages Of Nc
Advantages And Disadvantages Of Nc
 
ACE: ARTIFICIAL CYBERSECURITY EXPERT
ACE: ARTIFICIAL CYBERSECURITY EXPERTACE: ARTIFICIAL CYBERSECURITY EXPERT
ACE: ARTIFICIAL CYBERSECURITY EXPERT
 
Unleashing the Power of Breach and Attack Simulation with SecurityGen
Unleashing the Power of Breach and Attack Simulation with SecurityGenUnleashing the Power of Breach and Attack Simulation with SecurityGen
Unleashing the Power of Breach and Attack Simulation with SecurityGen
 
Security in a Virtualised Computing
Security in a Virtualised ComputingSecurity in a Virtualised Computing
Security in a Virtualised Computing
 
How Test Labs Reduce Cyber Security Threats to Industrial Control Systemse cy...
How Test Labs Reduce Cyber Security Threats to Industrial Control Systemse cy...How Test Labs Reduce Cyber Security Threats to Industrial Control Systemse cy...
How Test Labs Reduce Cyber Security Threats to Industrial Control Systemse cy...
 
Are your industrial networks protected...Ethernet Security Firewalls
Are your industrial networks protected...Ethernet Security Firewalls Are your industrial networks protected...Ethernet Security Firewalls
Are your industrial networks protected...Ethernet Security Firewalls
 
MBM Security Products Matrix
MBM Security Products MatrixMBM Security Products Matrix
MBM Security Products Matrix
 
Cloud security
Cloud securityCloud security
Cloud security
 
publishable paper
publishable paperpublishable paper
publishable paper
 
W04404135146
W04404135146W04404135146
W04404135146
 
CyberoamVirtualSecurityBrochure
CyberoamVirtualSecurityBrochureCyberoamVirtualSecurityBrochure
CyberoamVirtualSecurityBrochure
 
CyberoamVirtualSecurityBrochure
CyberoamVirtualSecurityBrochureCyberoamVirtualSecurityBrochure
CyberoamVirtualSecurityBrochure
 
CyberoamVirtualSecurityBrochure
CyberoamVirtualSecurityBrochureCyberoamVirtualSecurityBrochure
CyberoamVirtualSecurityBrochure
 
CyberoamVirtualSecurityBrochure
CyberoamVirtualSecurityBrochureCyberoamVirtualSecurityBrochure
CyberoamVirtualSecurityBrochure
 
Secure Virtualization for Cloud Environment Using Guest OS and VMM-based Tech...
Secure Virtualization for Cloud Environment Using Guest OS and VMM-based Tech...Secure Virtualization for Cloud Environment Using Guest OS and VMM-based Tech...
Secure Virtualization for Cloud Environment Using Guest OS and VMM-based Tech...
 

Kürzlich hochgeladen

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 

Kürzlich hochgeladen (20)

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 

Bizhub v care security white paper version 2

  • 1. Security White Paper Konica Minolta bizhub vCare with Secure HTTP/HTTPs Device Relationship Management System August 2010 Miercom www.miercom.com
  • 2.     Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 2 Contents 1.0 Executive Summary............................................................................................................3 2.0 Terminology Used in this Document ...................................................................................4 3.0 Testing Methodology...........................................................................................................5 3.1 Test Bed ......................................................................................................................5 4.0 Overview of vCare ..............................................................................................................6 5.0 Overview of vCare Email Communication Methods............................................................7 5.1 vCare One-Way Email Communication.......................................................................7 5.2 vCare Two-Way Email Communication.......................................................................8 5.3 vCare One-Way HTTP/HTTPs Communication ..........................................................9 5.4 vCare Two-Way HTTP/HTTPs Communication ........................................................10 6.0 Security Assessment of the vCare-enabled MFP's vulnerability from OUTSIDE the customer's firewall - MFPs utilizing POP3/SMTP email and HTTP/HTTPs................11 6.1 Can opening the customer's firewall to POP3 be a conduit for attacks on the network?.........................................................................................................12 6.2 Steps for the CUSTOMER to mitigate risk to POP3 implementation.........................12 7.0 Security Assessment of the vCare-enabled MFP's vulnerability from OUTSIDE the customer's firewall - MFPs utilizing SMTP email ........................................................14 7.1 Can opening the customer's firewall to SMTP be a conduit for attacks on the network?.........................................................................................................14 7.2. Steps for the CUSTOMER to mitigate risk when implementing SMTP email systems.................................................................................................14 8.0 Security Assessment of the vCare-enabled MFP's vulnerability from INSIDE the customer's firewall - MFPs utilizing POP3 or SMTP email. ........................................16 8.1 Can opening the customer's firewall to POP3 be a conduit for attacks on the network?.........................................................................................................16 8.2 Protocol Mutation test against vCare server..............................................................16 8.3 Steps for the CUSTOMER to mitigate risk inside the network...................................17 9.0 Conclusion ........................................................................................................................18 About Miercom.........................................................................................................................19
  • 3.     Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 3 1.0 Executive Summary Multifunctional printers (MFPs) from Konica Minolta Business Solutions U.S.A., Inc. (Konica Minolta) with uptime management provided by vCare Device Relationship Management System proved in thorough lab testing and onsite assessment to provide superior resiliency and resistance to network compromise and achieved Miercom Certified Secure for the third consecutive year. Miercom tested the overall security of Konica Minolta’s device relationship management system bizhub vCare (vCare), complete with bizhub C652DS series, C360 series, bizhub 423 series, bizhub 500 and 350 series. Also included are the bizhub PRO 1050, bizhub PRO 1200, bizhub PRO C6501, and bizhub PRESS C8000 digital presses, as part of an ongoing security assessment of the product solution under the Miercom Certified Secure Program. The vCare component was tested as a complete solution while Miercom engineers assessed the dialog between the vCare Service Center and the MFPs for potential vulnerability. We evaluated the overall capability of vCare to provide uptime management of networked MFPs. We reviewed the security of the MFPs themselves for vulnerability to DOS and other attacks with specific attacks relating to the vCare port and protocol ingress and egress connectivity to the MFPs on the network. Certain specifics of the vulnerability testing conducted were omitted from this document as we did not want to provide someone the information needed to abuse SMTP or POP3 services. We did wish to provide for the purpose of education and awareness sufficient detail to assist administrators in hardening their network environments. For most secure deployments, vCare supports one way communications (push only) using SMTP and secure HTTP/HTTPs. These configurations are advisable for the most security conscious enterprise customers. However no vulnerabilities were discovered in the two-way communications methods supported by vCare while conducting this security assessment. During a hands-on testing analysis explained in this white paper, Miercom found vCare to be a secure device relationship management system that enables uptime management of network multifunction printers and copiers. Based on an extensive security vulnerability analysis of the complete vCare system, Miercom believes vCare can be installed without compromising the security of a customer’s network. The uptime management benefits of utilizing vCare are tremendous. The system maximizes MFP uptime through real-time service alerts. Real-time email alerts were observed for critical events such as a cooling fan failure in the device. For example, the bizhub C253 has 130 specific trouble codes that it can report. The number of trouble codes and corresponding trouble counters reported by vCare is specific to each model. Miercom recommends customers to employ a layered active security defense to any network. The deployment of vCare on a customer’s network is a recommended option to aid with device uptime management. The requirements to use the system should not concern even the most security conscious customers.
  • 4.     Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 4 2.0 Terminology Used in this Document Attack Vector — a vulnerability test type targeting a specific area of protocol, port or other focused area to attack. Certified Secure — Miercom’s Certified Secure testing certification is a program started in 2001 that established the industry’s first product and technology agnostic approach to security testing. Certified Secure Testing involves the complete system or solution for a product or service being tested using an arsenal of vulnerability security targets. Denial of Service (DoS) — a malicious or inadvertent disruption of a network which renders it unusable or diminished in functionality during the period of the attack. Multifunction Printer (MFP) — a network device that offers many functions, including but not limited to, network copying, fax, scanning and other functions consolidated in one device. Mutations — a variation of an attack vector in which the data is manipulated (payload information is mutated) in order to bypass security countermeasures that employ pattern recognition technology. Post Office Protocol (POP3) —protocol used to retrieve email from a server. Most email applications use the POP3 protocol. POP3 email is commonly critiqued for lack of security if not implemented correctly. POP3 is used to retrieve or “pull mail” whereas SMTP is used to “push” mail to external mail servers when POP3/SMTP are used in conjunction to one another. Security Target (ST) — a set of security requirements and specifications used for testing products. Simple Mail Transfer Protocol (SMTP) — is the foundation of Internet email. SMTP used in conjunction with a mail client application is used to send and retrieve mail. System Under Test (SUT) — Alternatively referred to as a Target of Evaluation (TOE) in other publications. An IT product or system and its associated administrator and user guidance documentation that is the subject of an evaluation.
  • 5.     Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 5 3.0 Testing Methodology Miercom used a combination of custom, proprietary, commercial, and open source tools when conducting this security assessment. The test bed consisted of Konica Minolta multiple multifunction printers (MFPs) connected to a network with no security countermeasures employed. We would never expect or recommend such an unsecure environment for customer deployment, however it provides the ideal “worst case” scenario for assessing security vulnerabilities. Test systems included ClearSight Analyzers, open source test scripts, and a Mu Security 4000 Analyzer. The ClearSight Analyzer was used to monitor and capture POP3 and SMTP traffic between the bizhub MFPs and the vCare server. Sequences of normal status and maintenance traffic as well as manually induced fan failures and recovery alert conversations between the bizhub MFP and vCare server -- in both encrypted and unencrypted mode -- were captured and analyzed to determine what sensitive information might be revealed by eavesdropping. 3.1 Test Bed Security Appliance Netgear hub vCare Server 3Com hub bizhub 500 bizhub 350 bizhub Pro 1050 bizhub C253 bizhub 600 Clearsight Analyzer Security Interface
  • 6.     Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 6 4.0 Overview of vCare bizhub vCare is Konica Minolta’s Device Relationship Management (DRM) System which consists of embedded technology within the Konica Minolta MFP and an off- site vCare Server. Through brief email messages, the vCare-enabled MFP communicates diagnostic and counter information as requested by the vCare Server. bizhub vCare works in the background and never interferes with the operation of the MFP. bizhub vCare enhances the customer experience in four ways: 1. Automatically reads the meters and frees the customer from the meter collection process. 2. Improves availability of the bizhub product by providing intelligent supply notifications to the customer to alert them when a specific toner is almost empty, is empty; when the waste toner bottle is almost full, is full, etc. 3. Improve machine uptime through real-time service alerts. 4. Utilizes the machine performance information collected by vCare to deliver proactive service. vCare provides maximum uptime of network equipment by enabling preemptive order replacement of wearing components and supplies before they run out. Konica Minolta vCare is an environmentally friendly solution that reduces the need for service visits and unnecessary travel to equipment in the field.
  • 7.     Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 7 5.0 Overview of vCare Email Communication Methods Konica Minolta multifunction printers support four methods to communicate embedded technology within the Konica Minolta MFP and an off-site vCare Server: 1) POP3 retrieval and SMTP push email; 2) SMTP push email only; 3) Secure HTTP/HTTPs push, and 4) Secure HTTP/HTTPs. These methods are illustrated in the following diagrams: 5.1 vCare One-Way Email Communication One-Way Email Communication is initiated from the bizhub MFP to send information, such as counter status, once a day to the vCare server. SMTP push is also used to send all alert notifications to predesignated email accounts via the vCare server. MFP Email Server vCare Web View (Service and Administration) Customer Notifications INTERNET vCare Server
  • 8.     Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 8 5.2 vCare Two-Way Email Communication Two-Way Email Communication allows the bizhub MFP to poll the vCare server for requests for counter status. SMTP push is also used to send these status messages, as well as alert notifications, to predesignated email accounts via the vCare server. Email Server Customer Notifications INTERNET MFP vCare Web View (Service and Administration) vCare Server
  • 9.     Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 9 5.3 vCare One-Way HTTP/HTTPs Communication One-Way HTTP/HTTPs Communication is initiated from the bizhub MFP to send information, such as counter status, once a day to the vCare server. HTTP/HTTPs push is also used to send all alert notifications to the predesignated vCare server. Although HTTPs tested favorably by Miercom, the ability for Konica Minolta to support it through their infrastructure service is under development. MFP Customer Notifications INTERNET vCare Server vCare Web View (Service and Administration)
  • 10.     Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 10 5.4 vCare Two-Way HTTP/HTTPs Communication Two-Way HTTP/HTTPs Communication allows the vCare server to initiate communications to the bizhub MFP to request information, such as counter status, and report back to the vCare server. HTTP/HTTPs push is also used to send all alert notifications to the pre-designated vCare server. Although HTTPs tested favorably by Miercom, the ability for Konica Minolta to support it through their infrastructure service is under development. MFP Customer Notifications INTERNET vCare Server vCare Web View (Service and Administration)
  • 11.     Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 11 6.0 Security Assessment of the vCare-enabled MFP's vulnerability from OUTSIDE the customer's firewall - MFPs utilizing POP3/SMTP email and HTTP/HTTPs Miercom conducted a series of vulnerability analyses and attacks in the same way a hacker would attempt to gain unauthorized access or deny use of network resources. We found the POP3, SMTP, and HTTP/HTTPs implementation of the vCare service particularly robust and resistant to hacking from outside the network, based on hands- on testing for the following reasons: 1. The vCare system utilizes an external mail server and does not rely on or reveal any information regarding the customer premise mail server. 2. It is very unlikely that open ports for SMTP, POP3 or HTTP/HTTPs could be used as access points to a customer’s private network if a properly configured firewall is implemented. Following standard practices for firewall configuration and suggestions included in this document will alleviate this threat. 3. The information contained within the payload component of the email messages can be encrypted by the MFPs’ communications to and from the vCare servers. We confirmed by traffic capture that no useful intelligible data could be utilized from the encrypted data. 4. The pre-encrypted information content transmitted by the MFPs to and from the vCare servers is of no use to a hacker to gain insight to the interior network. Basic statistics, counter information and non-sensitive details on the copier’s health is the only information contained within these messages. 5. Three levels of protection are provided on messages between the vCare server and the MFP, including proprietary header, proprietary attachment file and predefined source and destination addresses. 6. The basic information for copier health mentioned above can only be determined through decodes using Konica Minolta’s proprietary procedure of the DAT file types. 7. Email messages to and from vCare servers are handled in a proprietary way that can reside transparently on a customer’s network with no interaction whatsoever of the customer’s premise mail server. 8. “Spoofing” for other malicious use of this mail component of vCare to do harm to customer premise equipment of the underlying network was found ineffective in our real world testing.
  • 12.     Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 12 6.1 Can opening the customer's firewall to POP3 be a conduit for attacks on the network? POP3 email hacking, in its most common form, is used to either access mail accounts or to spoof legitimate user accounts (unauthorized send on behalf of) and send messages that may flood a network or overwhelm a mail server. A properly- configured, firewalled network with mail filtering systems installed alleviates this threat. It is extremely unlikely for a hacker to utilize POP3 as a network ingress point, with the exception of installing or packaging malicious code (to provide this entry point) in the payload or attachment component of the mail message. We tested specifically for this vulnerability and found the implementation of the vCare service using email to be extremely resilient to “piggy-back” or “Trojan” access vulnerability to a network. The following explains why we feel Konica Minolta’s implantation of POP3 is secure: 1. Tests were conducted in which we attempted to send malicious content using the POP3 mail handling component of vCare. These attacks were thwarted by the vCare server and content was not delivered to the server message blocks (SMBs) or anywhere onto the customer’s protected network. 2. We were unable to compromise the POP3 mail handling system of vCare in any way that would allow a malicious attack directly through a firewalled environment. 3. Konica Minolta uses a very defined, finite, and securable email dialog for the POP3 service it utilizes. This allows a network administrator to very easily provide a limited POP3 service to traverse the customer firewall without need to open POP3 globally. 6.2 Steps for the CUSTOMER to mitigate risk to POP3 implementation 1. Using different (non standard) port numbers for a customer's own POP3 mail is recommended if POP3 is utilized on their own servers. vCare will not employ any of the customer premise mail servers. However, if port access is opened to SMTP or POP3 through the customer's firewall, measures can be taken to ensure the customer’s mail servers (unrelated to vCare) are hardened. 2. Follow the vendor’s instructions for hardening firewalls by opening only ports that are necessary. 3. If the only POP3 access to the network is for vCare, additional filters for source and destination address, specific content filtering and other techniques may be applied to restrict other POP3 unauthorized traffic.
  • 13.     Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 13 4. Encrypt communications using SSL to protect network traffic. 5. Utilize Konica Minolta’s bizhub products that support SMTP push-only technology, if the customer is decidedly against using POP3 access through their firewall. 6. From inside the LAN, use an internal firewall to protect against accidental breaches or malicious attacks. Front-end servers can be secured by placing them inside a perimeter network (called a demilitarized zone [DMZ]), with the back-end server inside the inner firewall. 7. Again, although vCare will not utilize the customer premise mail server, the customer may still wish to harden their own mail server from attack. A common attack by flooding the mail server with mail to cause a Denial of Service can be prevented by using a number of restrictions and limiting techniques including:  CONNECTION RATE THROTTLING — The number of connections the server can receive per second. Setting a limit on this number can delay further connections.  MAX DAEMON CHILDREN — The maximum number of child processes that can be spawned by the server.  MIN FREE BLOCKS — The minimum number of free blocks which must be available for the server to accept mail.  MAX HEADERS LENGTH — The maximum acceptable size (in bytes) for a message header.  MAX MESSAGE SIZE — The maximum acceptable size (in bytes) for any one message. 8. Follow procedures outlined later in the document for mitigating risk for SMTP regarding firewalls and other network hardening measures.
  • 14.     Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 14 7.0 Security Assessment of the vCare-enabled MFP's vulnerability from OUTSIDE the customer's firewall - MFPs utilizing SMTP email Like many other tools, SMTP can have a dark side. This is mainly due to the fact that, as you'd expect from something with the word "simple" in its name, SMTP is simple to install and use. Because of that, SMTP email, like POP3 email hacking in its most common form, is often improperly used to access mail accounts or spoof (unauthorized send on behalf of) messages that may flood a network or overwhelm a mail server. The key is creating good policies for SMTP’s use on networks. A properly configured firewalled network with mail filtering systems installed alleviates this threat. 7.1 Can opening the customer's firewall to SMTP be a conduit for attacks on the network? It is highly unlikely a hacker would choose to use SMTP as a network ingress point except for installing malicious code in the payload or attachment part of a mail message. During our tests, we found the vCare service to be highly resilient to Trojans or other ingress points for network attack. Even with the low risk to attack by opening ports to SMTP, the following are steps that a customer could take to further harden the network environment. 7.2. Steps for the CUSTOMER to mitigate risk when implementing SMTP email systems 1. Reduce the number of gateways that are allowed to communicate via SMTP on the Internet to only those required. All processes that must send email should be allowed to forward it only through an authorized gateway. 2. Administrators should establish firewall rules that allow only authorized gateways to communicate with outside servers on TCP ports 25 or 465. 3. Again, although vCare will not utilize the customer premise mail server, the customer may still wish to harden their own mail server from attack if ports are opened for SMTP access through the customer premise firewall. To help stop attackers from speaking SMTP directly to a full-featured server, experts recommend using a substitute server. Only a handful of commands are needed by an SMTP server to accept mail. A few ways to mitigate this risk are outlined below: a. Use a substitute SMTP server - consider using smap, if you have a Linux/Unix based server, as a "wrapper" for your SMTP server. Wrapper or mail proxy programs accept incoming messages from the Internet via SMTP, using the very minimum necessary set of SMTP
  • 15.     Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 15 commands. It then stores each message it receives in a separate file that is then accessed by the primary mail server. The result of using this substitute SMTP server is that a hacker never has a direct SMTP connection to the primary mail server. b. Test your firewall - you can test your firewall rules to ensure they are working properly. We recommend scanning tools for this purpose. Some recommended all-in-one tools that allow for broad testing capabilities that make the network scanning process less painful and time consuming: Nessus, QualysGuard, NetCat, Traffic IQ Pro by Karalon, and GFI LANguard Network Security Scanner. These tools identify open ports on the test networks and present information on SNMP, operating system, and special alerts. 4. Countermeasures against firewall attacks - the following countermeasures can prevent a hacker from testing the firewall a. Limit traffic - set rules on the firewall or router to allow authorized traffic. Have permission/rules in place for external access that allows only specified inbound and outbound traffic. This is the best defense to prevent an attack on the firewall. b. Block ICMP to help prevent abuse from automated tools, such as Firewalk. c. Stateful packet inspection on the firewall can block unsolicited requests.
  • 16.     Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 16 8.0 Security Assessment of the vCare-enabled MFP's vulnerability from INSIDE the customer's firewall - MFPs utilizing POP3 or SMTP email. In the event of a hacker successfully infiltrating the firewall and other network defenses and having gained access to the network, a second level of security countermeasures are needed to protect resources inside the network. A layered defense, rather then an all-in-one solution, with a strong external firewall is required. Once inside the firewall, it is easy to see the passwords for POP3 email accounts in the clear. This allows for logging into the POP server to get mail, since unencrypted usernames and passwords appear on the network. The use of Web forms that contain usernames and passwords can also expose usernames and passwords. The primary vulnerability seen from within the network regarding POP3 is the potential access to the email accounts themselves. SMTP service is always a “push” sending email out from the MFPs off the customer network. There is little to no risk from inside the network from an SMTP standpoint. 8.1 Can opening the customer's firewall to POP3 be a conduit for attacks on the network? Using techniques described previously in this document for network and email server hardening will mitigate this risk. Hands-on vulnerability testing that Miercom conducted with “privileged” local access could only disrupt the vCare management system. We could not conduct further attacks on the network using POP3. The mail server for POP3 is located off the customer premise. We were unsuccessful as previously discussed using POP3 as a means to provide a greater DOS attack. 8.2 Protocol Mutation test against vCare server Protocol mutation attacks created by the Mu-4000 Service Analyzer were directed at the Konica Minolta vCare server to test for vulnerabilities in protocol implementation. The mutation engine maps the attack surface (vCare server) looking for fault conditions. These include highly specific, stateful test cases that are built based on the state, structure and semantics of protocols as well their interdependencies on other protocols. Test The HTTP/HTTPs mutation attack was run with 11,135 different variants. Each variant/attack vector carried a single protocol mutation directed to the vCare server. We sent mutated HTTP/HTTPS requests to the vCare server once we achieved a TCP connection.
  • 17.     Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 17 Observations All directed attacks to the vCare server were handled successfully and no faults were found. The vCare server was available for the duration of the test. There were no vulnerabilities detected with HTTP/HTTPs protocol implementation on the vCare server. 8.3 Steps for the CUSTOMER to mitigate risk inside the network Although vCare poses no additional risk to customer networks, Miercom recommends implementing intrusion detection technologies and switching equipment that employs rate limiting and other DoS thwarting measures on any network.
  • 18.     Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 18 9.0 Conclusion “Konica Minolta offers the market the most resilient and secure MFP solutions with exceptional uptime management. Konica Minolta is the only vendor to date to have achieved Miercom Certified Secure for a third consecutive year for the multifunction printer products with uptime management provide by vCare Device Relationship Management System.” --- Rob Smithers, CEO Miercom vCare is a secure device relationship management system that enables uptime management of network multifunction printers and copiers. Based in extensive security vulnerability analysis of the complete vCare system, Miercom believes vCare can be installed without compromising the security of a customer’s network. The reasons that the vCare solution does not pose a security risk to a customer’s network: 1. Information that is transferred using vCare is of no significant use to a hacker. 2. Three layers of security are employed on all email messages used for vCare. 3. An SMTP push only for sending information off net requires no inbound network security access reconfiguration 4. Management option available through secure HTTP/HTTPs; also through “push only” default option for maximum security. Miercom conducted a battery of assaults to disrupt the multifunction printers using vCare. We were unsuccessful in hacking into the bizhub solutions through the network ports and unable to affect the ability of the multifunction printers to print, be managed, or actively participate in vCare reporting by any attacks through the vCare functionality. HTTPs tested favorably although the ability for Konica Minolta to support it through their infrastructure is under development. The uptime management benefits of utilizing vCare are tremendous. The system maximizes MFP uptime through real-time service alerts. Real-time email alerts were observed for critical events, such as a cooling fan failure in the device, and, depending on the model, there are over 100 trouble counters supported. Miercom recommends customers to employ a layered active security defense to any network. The deployment of vCare on a customer’s network is strongly encouraged as an aid with MFP device uptime management. We see no risk and only many benefits of implementing vCare in customer environments. The requirements to use the system should not concern even the most security conscious customers.
  • 19.     Copyright © 2010 Miercom Konica Minolta bizhub vCare Page 19 About Miercom Miercom has hundreds of product-comparison analyses published over the years in leading network trade periodicals including Network World, Business Communications Review - NoJitter, Communications News, xchange, Internet Telephony and other leading publications. Miercom’s reputation as the leading, independent product test center is unquestioned. Miercom’s private test services include competitive product analyses, as well as individual product evaluations. Miercom features comprehensive certification and test programs including: Certified Interoperable, Certified Reliable, Certified Secure and Certified Green. Products may also be evaluated under the NetWORKS As Advertised program, the industry’s most thorough and trusted assessment for product usability and performance. This report is available for download at http://www.miercom.com/konicaminolta Konica Minolta is a trademark of Konica Minolta Holdings, Inc. bizhub is a registered trademark of Konica Minolta Business Technologies, Inc. All other trademarks mentioned in this document are the property of their respective owners.