Security Testing Summary of Konica Minolta bizhub vcare 2.8 Device Management and Communications System and Various bizhub Products

Report SR140630B, July 2014
Miercom, www.miercom.com

Overview

Konica Minolta Business Solutions USA, Inc. engaged Miercom to perform a comprehensive security assessment of the latest version of bizhub vcare, 2.8, and six bizhub products that served as endpoints of the test environment. Individual components of bizhub vcare 2.8 subjected to vulnerability scans and protocol mutation attacks included the vcare server, vcare database server, vcare Web interface and the vcare Data Collection Agent. The purpose of testing was to attempt to disrupt communications between bizhub vcare and the endpoints.

About bizhub vcare 2.8 and bizhub Products

bizhub vcare is the name used in the United States and Canada for the device management and communications system introduced in 2008 by Konica Minolta Business Solutions USA, Inc. The system is known by four other names elsewhere in the world.

[Figure: bizhub vcare, the bizhub vcare Data Collection Agent and a device manufactured by Konica Minolta. Labels: register collected information; periodically collect counter information, status, warning notifications, etc.; send commands. Source: Konica Minolta Business Solutions USA]

bizhub and bizhub PRO products manufactured since 2005 can be managed remotely by the system. At present, July 2014, it is managing more than 200,000 products in the United States and Canada and approximately 800,000 worldwide.

bizhub vcare consists of embedded technology within the Konica Minolta product and an off-site vcare server. New in bizhub vcare 2.8 is the vcare Data Collection Agent, also deployed worldwide as the CS Remote Care Data Collection Application, which runs on a computer on the end-user organization's enterprise network and can manage up to 1,000 bizhub or bizhub PRO products. This node regularly collects information about operational status and sends it to a Konica Minolta branch office or authorized reseller that provides the management service. The information enables the service provider to initiate appropriate action to keep the products in optimal operating condition.

bizhub and bizhub PRO devices manufactured since 2011 communicate with bizhub vcare via one-way e-mail or one-way HTTP(S) based on the reporting schedule set within the device. The vcare Data Collection Agent utilizes network polling to transmit data to the system via HTTPS.

Copyright 2014 Page 2 SR140630B

Older devices communicate with bizhub vcare by way of short, bidirectional e-mail messages. The service provider assigns and manages email addresses and HTTP(S) credentials for all bizhub and bizhub PRO products on the enterprise network of customers.

bizhub or bizhub PRO products send service alerts, warnings and jam notifications in real-time as well as daily messages to bizhub vcare to ensure that the service provider can act proactively if needed. That data includes:

- Current meter reading, which has enabled the service organization to automate billing
- Level of consumables, such as toner in the graphic to the right, which can automatically generate an immediate delivery if required
- Error code alerts, which pinpoint operational problem(s) and, if necessary, can prompt a service technician to be dispatched immediately with the proper repair or replacement part(s)
- Status of key components, which notifies the service provider when a part critical to optimal print quality, such as a fuser or laser, is nearing the end of its service life

[Figure: consumables level graphic. Source: Konica Minolta Business Solutions USA]

The bizhub products in the test environment were: 20P and 25e all-in-one desktop devices, 4700P high-resolution monochrome laser printer, C360 and C754e standalone multifunction printers, and PRESS C1100 digital press for production printing.

[Figure: product images of the 20P, 25e, 4700P, C360, C754e and PRESS C1100]

Key Findings and Conclusions

- bizhub vcare does not pose a security risk for the enterprise network of end-user organizations
- bizhub vcare Web interface as well as database and Data Collection Agent (DCA) servers exhibited resilience against vulnerability scans by Nessus and Nmap
- Components of bizhub vcare in the local test environment and the data center that hosts the system for North America were impervious to a variety of protocol mutation attacks

Security Functionality of bizhub vcare

The system uses an external e-mail server. Also, the e-mail payload is encrypted. The data is statistical and non-sensitive. With an effective firewall located at the customer premises, open ports are unlikely to allow undesired access.

Test Conditions

The bizhub products in the local test environment had no security countermeasures, a worst-case scenario for testing security vulnerabilities. The vcare Data Collection Agent application also was in the test environment, on a Windows 7 laptop that was not hardened. This, of course, would not occur in a real-world deployment.

The test environment was connected via a Netgear hub to the production bizhub vcare system in the Konica Minolta Business Solutions USA data center in Ramsey, NJ. Components of bizhub vcare tested that reside in the data center were a vcare server and a vcare database server.

Test Tools Used in Vulnerability Scans and Protocol Mutation Attacks

- OmniPeek from WildPackets
- Nessus from Tenable Network Security
- Nmap from nmap.org
- Wireshark
- Spirent Studio Security software and Mu-8000 appliance

Two vulnerability scanners, Nessus from Tenable Network Security and Nmap from nmap.org, were utilized to attempt to identify vulnerabilities in bizhub vcare and the bizhub products.

A Spirent solution, Studio Security software housed on a Mu-8000 appliance, directed protocol mutation attacks against one or more of the following: bizhub products, vcare Web interface, vcare server, vcare database server and vcare Data Collection Agent server. The attacks included many known (published) vulnerabilities. Also, external attacks using test cases and customer scripts were utilized.

The OmniPeek network analyzer from WildPackets and the Wireshark packet analyzer were used to monitor and capture Simple Network Management Protocol (SNMP) traffic between bizhub devices and the vcare Data Collection Agent server. Recovery alert conversations between the bizhub products and the vcare server were captured.

Results

Nessus was utilized to perform preliminary port scans on the vcare Web interface, vcare database server and the vcare Data Collection Agent server. Of the more than 60,000 plugins for both local and remote vulnerability checks, approximately 12,000 were chosen that we deemed appropriate for the test environment. Those plugins were in the categories that included:

- Backdoors (Operating System Level testing)
- Common Gateway Interface Abuses (specific to Web management)
- Common Gateway Interface Abuses: Cross-Site Scripting (specific to Web management)
- Firewalls (Operating System Level checks)
- Remote Shell Access (Operating System Level backdoors)
- Service Detection (identification of unknown services)
- SNMP (management protocols and configuration)
- Web Services (specific to Web management)
- Microsoft Windows (agent installation)

The performance by bizhub vcare and the bizhub products was near-flawless. Out of all of the tests performed, only 33 required further analysis.

[Table: Highlights of Nessus Vulnerability Scans. Columns: Attack, Result. Attacks: PCI Data Security Standard Compliance, Simple Network Management Protocol, Service Detection, HTTP, HeartBleed SSL. Source: Miercom, July 2014]

The Nmap vulnerability scan did not reveal any open ports. It did reveal that the vcare Web interface, the vcare database server and the vcare Data Collection Agent had ports 21, 139 and 443 filtered. However, the ports were responsive. Therefore, our conclusion is that the vcare Web interface, the vcare database server and the vcare Data Collection Agent are secure. Ports 21, 139 and 443 were filtered appropriately, in a way that allows only authenticated users to communicate.

Lastly, bizhub vcare and the bizhub products were impervious to all four protocol mutation attacks. The type of attack and the bizhub components challenged follow:

- Transmission Control Protocol: bizhub products as well as bizhub vcare and DCA servers
- Dynamic Host Configuration Protocol: bizhub products and vcare server
- HTTP/HTTPS: bizhub vcare and bizhub Data Collection Agent servers
- Address Resolution Protocol: bizhub vcare database server and bizhub Web interface

Conclusion

Miercom conducted a battery of assaults to attempt to disrupt the communication between the bizhub products tested and bizhub vcare. It was not possible to hack into bizhub vcare through the network ports. As a result, the ability of the bizhub products to function, be managed or actively provide information to bizhub vcare was not affected.

The uptime management benefits of utilizing bizhub vcare are tremendous. The system maximizes uptime of bizhub and bizhub PRO products through real-time service alerts. We observed bizhub products provide real-time alerts in the form of one-way e-mail for critical events, such as a cooling fan failure, consumables needed and service required.

We see no risk and only benefits to implementing bizhub vcare on the enterprise network of Konica Minolta customers. The requirements to use the system should not concern even the most security-conscious customers. We do recommend that any organization employ layered, active security on its enterprise network.

The Konica Minolta bizhub vcare 2.8 device management and communications system and the bizhub 20P, 25e, 4700P, C360, C754e and PRESS C1100 have earned Miercom Certified Secure.

About Miercom

Founded in 1988, Miercom pioneered the business of independent, hands-on testing of products and services for the enterprise network and communications industry. For over 26 years the company has provided test services and consulting and is considered a leading independent test facility. Private test services include competitive product analyses as well as individual product evaluations. Miercom features comprehensive certification and test programs including: Performance Verified, Certified Secure, Certified Green and Certified Reliable. These certifications are recognized by networking vendors and end-user organizations as an accurate, unbiased validation of the ability of the product or service to perform in a real-world network.

Miercom has published hundreds of network-product-comparison analyses in leading trade periodicals and other publications. For more information about Miercom testing and certifications as well as consulting services, please visit www.miercom.com.