How secure are document scanners and other 'scan to email' appliances?
Copiers and document scanners have always posed challenges for information security teams. In this SearchSecurity.com Q&A, Michael Cobb reveals how the right policies can control the use (and abuse) of these devices.
It seems that every new copier now has a scan-to-email feature that allows a document to be scanned, converted to a PDF and emailed directly from the copier itself. Since there is no provision for encryption or password protection, even though the attachment isn't in plain text, how secure is the scan-to-email feature and the resulting attachment?
Copiers and document scanners have always posed challenges for information security teams. Currently, professionals use data classification and acceptable usage policies to control these devices. Also, for compliance and audit purposes, log data often shows when a device is being used and who is using it.
As far as I am aware, we haven't reached the point yet where copiers have their own built-in mail servers. So when a document is copied or scanned on a device that has an "email to" feature, the document is attached to a new email message. The client email application then sends the message to the recipient via a mail server. The use of a mail server allows gateway antivirus software and application-layer firewalls to scan the outbound email and its attachment. Also, the mail server will provide the logging service, creating an audit trail of who sent what and when. Many vendors actually now include bundled software packages that give a wide choice of file-distribution options. Canon, for example, has a scanning application called CapturePerfect; its security features allow users to encrypt scanned documents and control viewing, printing and editing privileges of the PDF files that the tool creates.
If you are concerned about the lack of security in your scan-to-email devices, then I would look to upgrade to a product that offers the necessary security features. Keep in mind these features need to be backed up by an enforced data classification policy; that way, users will know which documents and information has to be protected and which can be copied and emailed in the standard way.
Many organizations feel that they do not need to classify data. A typical comment often heard is, "We're not the secret service." However, if you do not classify data and documents in any way, it is impossible to know what needs protection and what does not. Data classification provides employees with a means to evaluate and protect sensitive information. It also minimizes -- or hopefully eliminates -- the risk of data breaches. Scanning the monthly office newsletter obviously poses no risks or concerns regarding security, but scanning a yet-to-be-released press announcement can lead to early and inappropriate disclosure of sensitive corporate information.
For confidential information, a common faxing policy is to only permit sending between approved locations and with the recipient standing by. If such documents are now being scanned to email, then it should only be emailed internally and with a request for confirmation of receipt. For distribution outside of the organization, approved encryption should be used where possible, and, again, a receipt confirmation should be obtained.
For strictly confidential information, the sender should ensure that all copies have been received by direct contact. In this case, transmitted copies should be deleted from a mail system once secured locally. Copying to third parties should be made subject to a non-disclosure agreement.
- See why network printers are becoming a juicy target for hackers.
- The FFIEC mandates data classification. Expert Tom Bowers explains where to start.
Dig Deeper on Threats and vulnerabilities
Related Q&A from Michael Cobb
Symmetric vs. asymmetric encryption: What's the difference?
Explore the differences between symmetric vs. asymmetric encryption, including how they work and common algorithms, as well as their pros and cons. Continue Reading
What is shellcode and how is it used?
Shellcode is a set of instructions that executes a command in software to take control of or exploit a compromised machine. Read up on the malware ... Continue Reading
Is bitcoin safe? How to secure your bitcoin wallet
As bitcoin use increases, so too have the number of cyber attacks on cryptocurrency exchanges and wallets. Learn how to keep bitcoin use secure. Continue Reading