It’s all too often I see a threatening email with the subject “Scanned from a Xerox Multifunction Device” which could simply be spam, but it could also carry a malicious payload. These devices come with enough vulnerabilities as it is, and everyone who deploys them should go through all the default settings. All too often, the leasing company brings them in and only pops in the bare minimum to get the device up and running on the network. I try to make my rounds and customize the settings, but how many IT shops actually do.
The most basic thing you can do to improve your organization’s security posture is user training, such as don’t open suspicious email. By not changing these default settings, you are actually undoing that very training! It only takes a few minutes during the initial setup to change the default subject line and email address to something more fitting to your organization. Even if you have no access to the device, you will be providing the installer with basic settings such as the device’s IP address, your internal SMTP server address, the device name, etc. So why not have them set the subject line to “XYZ Company – IT Department Scanner” and an email address of “email@example.com?” This would take an extra few minutes and actually help you to help your users have a more secure mindset.
I’m interested in hearing anyone’s feedback on this; especially if anyone has verbiage in purchasing agreements to help enforce these types of more secure configurations.