Fax Security Issues
Most companies do not lack for information security products. Its data centers are likely full of firewalls, virtual private networks, security appliances and much more. Yet there is a device, hundreds of them perhaps, in many organizations, that lack any sort of security. This is the lowly fax machine.
The fax machine poses serious potential security issues and risks to every company where it us used. The good news is that most of these risks can easily be mitigated. The issue is that most companies are oblivious to those threats and do not take the appropriate countermeasures.
Group 3 (G3) Fax Protocols
An introduction to basic fax operations is in order. The reason faxing is so seamless is that all modern fax machines operate using the same protocol, namely the Group 3 Facsimile protocol (G3). The G3 protocol was first published in 1980 by the ITU-T (International Telecommunication Union - https://www.itu.int).
The G3 standard for facsimile communications over analog telephone lines was originally approved by the CCITT in its T.4 and T.30 recommendations in 1980. This standard is supported by nearly every fax machines in use today and continues to be updated.
G3 is specified in two standards:
- T.4 - image-transfer protocol.
- T.30 - specifies the session-management procedures that support the establishment of a fax transmission.
T.30 allows the two endpoints to agree on such things such as transmission speed and page size. Since G3 is specified for switched analog networks, and it is an all-digital procedure, it must use modems or a fax relay. They are also specified in ITU standards:
- V.21 (300 bps) for the T.30 procedures, and for image transfer
- V.27ter (2400/4800 bps)
- V.29 (7.2k, 9.6k)
- V.17 (7.2k, 9.6k, 12k, 14.4k)
- Real-time IP fax transport is specified in T.38 and replaces modems.
There is a G4 standard, but this is for digital telephone networks and was approved in 1984 and updated in 1988. This standard has found greater acceptance in Europe and Japan than in the USA and is predominately used for fixed point to point high volume communications.
The T.30 specification divides a call into five phases:
- Phase A - Call setup
- Phase B – Pre-message procedures
- Phase C – Image transfer
- Phase D – Post-message procedures including multi-page and end of procedure signals
- Phase E – Call release
One of the more important works on fax security was Guidelines on Facsimile Transmission Security issued by the Information and Privacy Commissioner of Ontario, Canada all the way back in 1989. This document was one of the first to bring to light the need to deal with fax security. The document was updated in 2003 , and its sets out guidelines for government organizations to consider when developing systems and procedures to maintain the confidentiality and integrity of information transmitted by fax. While the paper was written for government organization, most of the issues and guidelines are relevant for non-government organizations.
According to Ontario, Canada based Natural Data, Inc., there are over 100 million fax machines in use worldwide today. Almost all of these fax machines are unable to connect to the Internet and as a result can only send and receive faxes using the unsecured public fax line services.
Fax Advantages and Security Issues
The fax machine, like all technologies, have security risks. The most notable fax issues are that the faxed document will sometimes not reach its intended destination. This is due to both human error (wrong number dialed) or technical issues (poor communication lines, incompatible equipment, and more).
While there are fax security issues, one of the main benefits of a fax is that unlike an e-mail attachment, a fax document is an image file and, therefore, is inherently not an editable file. That means that no one can alter the original itself to embed another program within it, meaning a fax can never cause a computer virus or worm to invade your network.
Creating a Secure Fax Infrastructure
It is important to note that in a perfect world, every fax machine will be deployed with the highest levels of security. In the real-world, such an approach is not practical.
Computer security is simply attention to detail and good design and effective information security is built on risk management, good business practices and project management. Creating a secure fax infrastructure is no different.
The initial step of this infrastructure is to establish policies around the use of fax machines. The ultimate level of fax security is built on this foundation of effective policies and procedures which govern their use. At the end of this article is a set of core policies around fax security that can be used.
While the basic use of a fax machine is often intuitive; the secure use of a fax machine is often not so intuitive. By creating a set of standard operating procedures (SOP) around the use of secure faxes, you can mitigate most of the threats involved.
Some of the basic procedures around fax security include ensuring the number of pages of the fax received are the same amount sent, reassembling the received document, appropriate distribution, confirmation of receipt, and more.
As part of the SOP’s, all faxes sent should have a standardized cover sheet containing the name, title and company name of both the sender and the recipient, and the total number of pages faxed.
Some organizations request that that recipient confirm successful receipt of the fax, but such a request should be used with caution, as such a request can be onerous to the receiving party.
Many companies include disclaimers on their fax cover sheets stating that the information in the fax is confidential and that the information should not be distributed, copied, or disclosed to any unauthorized persons without prior approval of the sender.
Receiving Misdirected Faxes
Just as your users will eventually and invariably send a fax to the wrong number, you will also invariably be on the receiving end of an errant fax. Your SOP’s should deal with such scenarios and detail to employees what they should do when an errant fax is received.
The first thing to do is to notify the sender that a fax was received in error. It is assumed that the sender followed guidelines and used a cover sheet.
Your users should be instructed that incorrectly sent faxes should never be forwarded to the recipient. They should either be returned to the sender or shredded.
Many organization have master lists of fax numbers. The challenge with such master lists is that fax numbers are often changed. If such lists are used, they should be audited regularly to ensure that the number is indeed current and accurate.
Secure Fax Locations
A key point to realize about security is that nearly every operating system, from UNIX, Linux, NetWare, and Windows and more all place the foundation of their security architecture at the physical server level. Unfortunately, physical security is more often an afterthought when deciding where to place a fax machine. Such consequences can leave fax machines open to a security breach.
When attempting to create a secure fax infrastructure, fax machines must be isolated in a secure area. This area must be restricted to only authorized employees. These secure fax machines should be placed in locations that are not accessible to the general populace. Given that faxes can come in any times 24/7/365, this level of segregation ensures that confidential information sent during off hours is not compromised.
Even with the advent of email, one significant advantage the fax has over other forms of data exchange is that the sender immediately knows if the transmission was successful or not. When it comes to email, it can often take hours or days for the information to actually appear on the recipients desktop.
With that, all fax machines have the capability to print a fax confirmation sheet after each sent fax. This sheet confirm if the fax has been successfully transmitted, the destination fax number, and the number of pages transmitted. The sender of each fax should confirm the success of a transmission by checking this log after each secure fax message is sent.
Similarly, recipients should be trained to match the number of pages received against the transmitted fax cover sheet. In the event that pages are missing, the recipient should contact the sender and request a retransmission.
Secure Fax Hardware
To use fax encryption technology, both senders and recipients must have the same type of fax encrypting hardware. Most secure fax machines are identical in appearance to a typical fax machine, built on a standard commercial-based platform of product sold for general use. For secure fax machine, most of the functionality is transparent to the end-user.
There are various standards for secure fax machines, including:
- NATO STANAG 5000
- NSA NSTISSAM 1-92 TEMPEST Level 1
- NATO AMSG720B
TEMPEST models are internally shielded to prevent electromagnetic emissions from escaping, preventing interception of transmitted data signals. This is needed as anyone with the proper equipment can monitor, intercept and reconstruct those signals, possibly while parked outside a corporate headquarters or military base. The downside is that TEMPEST capabilities can up the price of a standard fax machine to well over $2,000.00.
When communicating in secure mode, a fax uses an RS-232C connection to cryptographic equipment, such as a Secure Terminal Equipment (STE), a device that looks much like a telephone and utilizes digital signaling.
Creating a secure fax infrastructure does not take a lot. The function of this article to was raise the issue and to be a starting point for companies in creating their secure fax plan.