Experton Group is the leading fully integrated research, advisory and consulting company for mid-sized and large organizations, maximizing the business value of their ICT investments through innovative, neutral and independent expert advice.
Experton Group offers consulting services, market surveys, conferences, seminars and publications related to information and communications technology issues.
Our consulting portfolio includes technology, business processes, management and business cooperations, investments and mergers.
10.03.2008
Security and Standards, Services, and Printers
Officials from the International Organization for Standardization (ISO) recently announced a standard which focuses on business continuity. In other news, vulnerabilities were exposed on a set of Canon USA, Inc. multi-function printers, while company executives from The Opal Group announced the availability of new security services.
Focal Points:
- The ISO recently published a new standard on security techniques. The document, "ISO/IEC 24762:2008, Information technology – Security techniques – Guidelines for information and communications technology disaster recovery services," provides guidance to IT professionals on what communications and services are required for effective disaster recovery and business continuity. Document authors state that the intent of the standard is to increase the emphasis that risk management should play in identifying overall threats to businesses, and to provide a framework to build and manage resilient business operations. Processes discussed in the standard include responses to facility disasters and failures.
- Researchers from Indiana University recently published security vulnerabilities that relate to Canon multi-function printers. Vulnerabilities were found in 20 different Canon printers. The vulnerabilities could give hackers the ability to redirect traffic via the PORT command. This problem is similar to a vulnerability that used to exist on older file transfer protocol (FTP) servers, known as an FTP bounce. Officials from Canon acknowledged the issue. There is firmware available that can fix this vulnerability, but it is not installable by end users on the affected printers. A Canon technician must install the patch, and Experton Group suggests that users of the affected printers disable the printers' FTP capability.
- Officials from Opal said that they would announce the availability of new security services in April. The services, WebController and MailController, are intended to allow customers to minimize the amount of spam and viruses that get into internal computer networks and mail servers. The services will also allow clients to limit employee Web access, putting tighter control on access to corporate resources. Opal officials claim no hardware or software is required for installation by either the end user or the systems reseller. The company will provide training for its service. Further, the service will be available at a fixed fee which can be customized based on the number of users and the details of what is bundled in the solution.
Experton Group believes companies will start to embrace security standards, but enterprise focus on security will continue to emphasize reducing business risk over adhering to industry-wide standards. Standards that can be shown to save money and reduce compliance costs will be the first types of security standards to be embraced. However, where the cost of moving to standards is high, or no ROI can be shown for reducing specific security threats, standards will be put off in favor of protecting the enterprise from specific financial loss. IT and security executives should push standards communities to adopt security standards that can help achieve concrete business value.
Press
Suzette Heydenreich
Tel.: +971 4 360 8699
Fax: +971 4 361 5699
suzette.heydenreich@experton-group.com