NET.4.3 Fax Machines and Fax Servers
This building block examines the security aspects of transmitting information via standard fax machines and fax servers. The transmitted information is referred to as a fax (short for telefax)...
Description
Introduction
This building block examines the security aspects of transmitting information via standard fax machines and fax servers. The transmitted information is referred to as a fax (short for telefax) or, less commonly, as a telefacsimile or remote copy. In a conventional fax machine, the contents recorded on a document are scanned point by point by the sending device and transmitted to the receiving device. The receiving device reconstructs these contents point by point and usually outputs them directly on paper.
A fax server, on the other hand, is a service installed on a server that enables other IT systems in a data network to send and receive faxes. Fax servers are frequently integrated into existing email or groupware systems. This makes it possible for incoming fax documents to be delivered to users by the fax server via email. Documents to be sent are transferred to the fax server either via a print queue or by email. As a rule, the document is sent or received between the fax server and clients in the data network as an image file. The transmitted image file cannot be directly processed further in word processing systems. For this, optical character recognition (OCR) is usually first required. Documents received and processed by a fax server can generally be easily archived—for example, by the fax server service itself, by document management systems, or by the groupware directly connected to the fax server service.
Objective
One objective of this building block is to protect information transmitted and processed using fax transmissions. Another objective is to protect fax machines and fax servers against manipulation by unauthorized persons. The transmission medium plays no role in applying the building block, so the requirements of the building block SHOULD also be implemented for Fax over IP (FoIP).
Scope and Modeling
The building block NET.4.3 Fax Machines and Fax Servers is to be applied to every fax machine and fax server in the information domain.
In this building block, standard standalone fax machines and fax servers are examined as the technical basis for fax transmission. Additional aspects of fax machines found in a multifunction device (all-in-one device) are addressed separately in building block SYS.4.1 Printers, Copiers, and Multifunction Devices. To protect the information processed, offered, stored, and transmitted on fax servers, building block SYS.1.1 General Server and the respective operating system-specific building blocks SHOULD be considered. Information on proper archiving can be taken from building block OPS.1.2.2 Archiving.
Threat Landscape
Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular importance for building block NET.4.3 Fax Machines and Fax Servers.
Insufficient or Incorrect Supply of Consumables
Fax machines receive documents and usually print them directly on paper. For smooth and uninterrupted operation of a fax machine, consumables such as paper and toner must be available in sufficient quantities. If this is not the case, fax documents often cannot be received. Furthermore, transmission confirmation reports that may be urgently required cannot be printed out.
Erroneous Fax Transmission
Numerous disruptions can occur on the transmission path between the sending device and the receiving device of a fax document. This can result in fax documents being incomplete or illegible, or not reaching the recipients at all. Decisions dependent on this information can be erroneous and thus cause significant damage.
Time delays—arising because the problems must first be identified and the document must be resent—can lead to further complications. Often the senders or recipients have no way of influencing the transmission path, so they must wait until the disruption has been resolved by third parties. Frequently, senders even believe that the fax document was properly transmitted to the desired addressees, and the resulting problems are recognized only very late.
In addition, it cannot be ruled out that a fax document was transmitted to the wrong receiving device—for example, because there is a switching error in the public telecommunications network. It is also conceivable that fax machines dial incorrect numbers or that speed dial keys are incorrectly programmed. If a fax server is used, telephone numbers can also be entered incorrectly or stored incorrectly in the address book. This can potentially result in confidential information being transmitted to unauthorized persons.
Manipulation of Address Books and Distribution Lists
Fax machines can often maintain address books and distribution lists. If a fax server is used, similar address books and distribution lists can generally be maintained in a central location via the groupware that can be used by multiple users. Recipient numbers can be stored in the address books so that these do not need to be re-entered every time a fax is sent. In addition, it is possible to create a group of recipients via distribution lists and thus send faxes to several persons simultaneously.
Once programmed recipient numbers or distribution lists are often no longer checked when a fax document is to be sent. If unauthorized persons change the address books or distribution lists on the fax machine or in the groupware, confidential information can reach the wrong recipients. It can also happen that the intended recipients do not receive urgently needed information. For example, a fax number in the address book could be replaced or additional recipients added to the distribution list without the responsible persons in the respective institution noticing.
Unauthorized Reading of Fax Transmissions
In almost all cases, it is most economical for several users to share a fax machine. They are therefore generally placed in rooms that all employees of an institution can enter, such as printer rooms. Since the fax machines are thus freely accessible to all employees, all employees can also read received fax transmissions and thereby obtain confidential information.
Evaluation of Residual Information in Fax Machines and Fax Servers
Depending on the technical method by which fax machines store, process, or print information, residual information of varying scope can remain in the fax machine after fax transmission and reception. Unauthorized persons who come into possession of the device or the corresponding components can under some circumstances reconstruct this information.
On the hard drive of a fax server, fax transmissions are stored at least until they can be delivered to the destination. Furthermore, modern operating systems use swap files that can also contain residual information. This information could be unlawfully evaluated when accessing this fax server.
Impersonation of a False Sender in Fax Transmissions
Fax transmissions are a popular medium for transmitting documents that are only valid with a signature. But in the same way that false senders can be simulated with a false name and a false letterhead, a fax transmission can also be manipulated. For example, signatures from other documents can be scanned and copied onto the fax document. A distinction between whether it is an actually made signature or a reproduced graphic file is generally not detectable. Damage occurs when recipients regard the information contained therein as authentic or even legally binding.
Requirements
The following are the specific requirements of building block NET.4.3 Fax Machines and Fax Servers. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO MUST always be involved in strategic decisions.
Additional roles are defined in the IT-Grundschutz Compendium. They SHOULD be filled insofar as this is sensible and appropriate.
| Responsibilities | Roles |
|---|---|
| Primarily responsible | Specialist Responsibility |
| Additional responsibilities | Users, Procurement Office, IT Operations, Facility Management |
Exactly one role SHOULD be Primarily responsible. There may also be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, that role is listed in square brackets after the requirement heading. The use of singular or plural says nothing about how many persons should fill these roles.
Basic Requirements
The following requirements MUST be fulfilled with priority for this building block.
NET.4.3.A1 Appropriate Placement of a Fax Machine (B) [Facility Management]
Fax machines MUST be placed so that incoming fax transmissions cannot be viewed or removed by unauthorized persons. The installation location SHOULD also be selected based on whether adequately dimensioned telecommunications lines or channels are available. The installation location MUST have an appropriate network connection for the fax machine. Fax machines MUST NOT be connected to network connections not intended for this purpose.
NET.4.3.A2 Information for Employees on Fax Use (B)
All employees MUST be informed about the special features of information transmission by fax. They MUST also be informed that the legal binding force of a fax transmission is severely limited. A comprehensible user manual MUST be available at the fax machine. Users SHOULD receive at least a quick reference guide to the fax client software of the fax server. Furthermore, instructions for correct fax use MUST be available.
NET.4.3.A3 Secure Operation of a Fax Server (B) [IT Operations]
Before a fax server is put into operation, a test phase SHOULD take place. Configuration parameters and all changes to the configuration of a fax server SHOULD be documented. The archiving and deletion of fax data SHOULD be regulated. Furthermore, the connection from the fax server to the PBX system or to the public telephone network MUST be regularly checked for correct functioning. It MUST also be ensured that the fax server exclusively offers fax services and is not used for further services. All unnecessary features and access points of the communication interfaces used MUST be deactivated.
Standard Requirements
Together with the basic requirements, the following requirements correspond to the state of the art for this building block. They SHOULD generally be fulfilled.
NET.4.3.A4 Creation of a Security Policy for Fax Use (S)
Before a device is released, a security policy for fax use SHOULD be created. The type of use SHOULD be specified therein. Furthermore, rules SHOULD be established for handling incoming and outgoing faxes. A regulation for the handling of undeliverable fax transmissions SHOULD also be created. Furthermore, the policy SHOULD contain information and instructions on emergency preparedness and the resilience of fax operations.
NET.4.3.A5 DISCONTINUED (S)
This requirement has been discontinued.
NET.4.3.A6 Procurement of Appropriate Fax Machines and Fax Servers (S) [Procurement Office]
Before fax machines or fax servers are procured, a requirements list SHOULD be created. Based on this list, the candidate systems or components SHOULD be evaluated. The requirements list for fax machines SHOULD also cover security-relevant aspects such as the exchange of subscriber identification, the output of transmission reports, and error logging and journal keeping. Furthermore, adequate additional security functions SHOULD be taken into account based on protection needs.
For a fax server, all requirements for the IT system including operating system, communication components, and application software SHOULD be collected and taken into account. The possibility of integrating a fax server into an existing data network and a groupware system SHOULD be taken into account if required.
NET.4.3.A7 Appropriate Labeling of Outgoing Fax Transmissions (S) [Users]
The source and destination of each fax transmission SHOULD be visible on all outgoing fax transmissions. If this information cannot be determined from the document sent, a standardized fax cover sheet SHOULD be used. In general, the fax cover sheet SHOULD list at minimum the name of the sender’s institution, the name of the contact person, the date, the number of pages, and an urgency note. It SHOULD also contain the names and institution of the recipients. If necessary, the fax cover sheet SHOULD be adapted for each outgoing fax.
NET.4.3.A8 Appropriate Disposal of Fax Consumables and Spare Parts (S)
All fax consumables from which information about sent and received fax documents can be obtained SHOULD be rendered unrecognizable before disposal or disposed of by a reliable specialist company. The same procedure SHOULD also be followed for replaced information-bearing spare parts. Maintenance companies that check or repair fax machines SHOULD be obligated to handle these appropriately. It SHOULD be regularly checked whether this handling is being observed.
NET.4.3.A9 Use of Transmission and Reception Logs (S)
The transmission processes of incoming and outgoing fax transmissions SHOULD be logged. For this purpose, the communication journals of standard fax machines SHOULD be used. If fax machines have logging functions, these SHOULD be activated. For a fax server, logging SHOULD also be activated. It SHOULD also be decided what information is to be logged.
The communication journals of the fax machines and the log files SHOULD be regularly evaluated and archived. They SHOULD be checked on a spot-check basis for irregularities. Unauthorized persons SHOULD NOT be able to access the communication journals and the logged information.
NET.4.3.A10 Checking of Programmable Destination Addresses, Logs, and Distribution Lists (S)
Programmable speed dial keys or stored destination addresses SHOULD be regularly checked to determine whether the desired fax number matches the programmed number. Fax numbers that are no longer needed SHOULD be deleted. It SHOULD be documented in an appropriate manner when a new entry is added or a destination number is changed.
Requirements for High Protection Needs
The following are exemplary proposals for requirements for this building block that go beyond the level of protection corresponding to the state of the art. The proposals SHOULD be considered when there are high protection needs. The specific determination is made within the framework of an individual risk analysis.
NET.4.3.A11 Protection Against Overloading the Fax Machine (H) [IT Operations]
Sufficient communication lines or channels SHOULD be available. For a fax server, the expected fax volume SHOULD be estimated. Correspondingly powerful components SHOULD be selected. Fax server logs SHOULD be regularly checked to counter bottlenecks from overloads in a timely manner. Fax data that is no longer needed SHOULD be promptly deleted from the fax server.
NET.4.3.A12 Blocking Certain Source and Destination Fax Numbers (H)
Unwanted fax addresses SHOULD be blocked. Alternatively, only certain telephone numbers SHOULD be permitted. It SHOULD be checked which approach is appropriate in which situation.
NET.4.3.A13 Definition of Authorized Fax Operators (H) [Users]
Only a few employees SHOULD be selected who are allowed to access the fax machine. These employees SHOULD distribute incoming fax transmissions to the recipients. Employees SHOULD be instructed on how to handle the device and how to implement the required security measures. Every authorized user SHOULD be informed about who is allowed to operate the fax machine and who is responsible for the device.
NET.4.3.A14 Making Copies of Incoming Fax Transmissions (H) [Users]
Fax transmissions printed on thermal paper that are required for a longer period SHOULD be copied onto plain paper or scanned. It SHOULD be taken into account that the ink on thermal paper fades faster and thus becomes unrecognizable. The copies or scanned fax transmissions SHOULD be archived in an appropriate manner.
NET.4.3.A15 Announcement and Verification When Handling Fax Transmissions (H) [Users]
Important fax transmissions SHOULD be announced to recipients before they are sent. For this purpose, it SHOULD be defined which documents are to be pre-announced. Employees who wish to send confidential fax documents SHOULD be instructed to have recipients confirm complete receipt. In turn, for important or unusual fax transmissions, recipients SHOULD have the senders confirm that the fax document is from them and has not been forged. An appropriate form of communication SHOULD be selected for announcing or confirming fax documents—for example, by telephone.
Additional Information
Good to Know
No additional information is available for building block NET.4.3 Fax Machines and Fax Servers.