Tuesday, February 24, 2009

MFP's: Security Leak?

I want to pass this along.

A security article around MFPs.

Nothing new really, security is an issue with every network connected device.

MFP's have always had issues (small) with possible security breaches. These potential leaks can usually be addressed with "check in a box" configuration, closing the open channels.

But, just like everything else around the print fleet, these issues have been overlooked. A printer or copier or MFP just isn't as sexxxy as a Blade, or Citrix, or VMWare, is it?


MFP security--or how the IT guy is becoming the security guy
Wednesday, 11 February 2009 12:15 Vince Jannelli, Sharp Information and Imaging Company of America

I recently read an interesting article in the Wall Street Journal (October 16, 2008, “New Data Privacy Laws Set for Firms”) that outlines new state-by-state regulations for data security. The article contains a great quote that I think sums up the major concerns for IT managers right now, but it doesn’t come from IBM or Cisco or even Sharp. It comes from the network manager for the Northeast-based pizza chain, Papa Ginos, who says, “Anybody in IT has to become the security guy.” I truly believe this quote illustrates how IT managers in companies of all sizes are quickly realizing the importance of data security and are learning more about what steps need to be taken to ensure that the network, and ultimately the company, are safeguarded against data theft.

Technology makes an ever-increasing contribution to profitability in today’s highly competitive business landscape. However, the same technology that enables high productivity in the workplace can easily be compromised if not sufficiently secured. The consequences of inadequate protection could be financial loss, identity theft, risk to intellectual property, or even the ruination of an upstanding business due to identity theft.

Organizations spend significant capital to protect digital assets from threats, yet frequently overlook one of the most used network devices today -- the office multi-function peripheral (MFP). As these devices become more advanced and integrated, they offer companies a myriad of new benefits. However, because they are a document’s entry and exit point on your network, they also pose a number of threats that cannot be overlooked. For a comprehensive security strategy to be effective, it is imperative for organizations to demand a greater level of protection from MFP vulnerabilities.

MFP: The Overlooked Security Risk

An MFP is a powerful asset in your office’s environment. Left unsecured however, an MFP can pose one of the greatest threats to your organization. Just consider the types of documents that are copied, printed, faxed or scanned on a daily basis -- personal information, financial statements, confidential reports, e-mails, memos, customer data and employee information. Much like a computer, this data remains on the unit’s hard drive indefinitely.

The Risks to Office Multifunction Peripherals

Internal Threats

Important information can be at risk at the internal level, from threats within your organization. At the device level, confidential information can be accidentally or even purposefully copied from stored documents on the unit’s hard drive, taken from the output tray or faxed without authorization. Any information stored on a local desktop computer or accessible through the Local Area Network (LAN) can be printed without authorization. And since many of today’s office MFPs are running over a network, this provides employees with another entry point to the network that could be used to bypass user restrictions and access information on other computers on the same network.

External Threats

Data is also at risk via external threats, outside the company’s realm. From across a Wide-Area Network (WAN), the Internet or a Virtual Private Network (VPN), information such as stored documents, scanned data or print data can be intercepted. In the worst case, a user from the outside can obtain confidential information, unleash a Denial of Service (DOS) attack, or even place a virus on the device via the network or a phone line. Through a FAX line, or corporate LAN, communications could be intercepted or sent without permission anywhere in the world. Data stored on the copier’s hard disk drive or in memory could also be compromised or even taken off-site and stolen if not protected.

IT managers also need to consider what happens to office equipment once it has reached its end of life. If copiers or MFPs are being leased, there is always a chance that these units can fall into the hands of hackers who can unlock data stored on the hard drive.

The Solution: Multi-Tiered Security

In any situation, protecting your MFP from just one threat is not adequate. A solid security suite will offer a multi-layered approach to protection -- providing better control over the users, devices, ports, protocols and applications on your MFP(s). A comprehensive approach to security will account for protection at every step in the document lifecycle, from the initial scan or print to final output and distribution.

Solutions for Internal Threats

The first step is to secure data that is stored right on the MFP that users can access locally. Manufacturers have introduced Common Criteria security solutions to offer encryption and data overwrite features for various levels of use. Ensure that your MFP meets the highest commercial level of Common Criteria Validation.

Data Security

A powerful security suite or security kit protects and controls the major MFP systems, subsystems (print, copy, scan, fax jobs, network settings, operating system, memory components, local user interface, engine and job controller) and all data before it is written to RAM or Flash memory and the disk. Be sure to enable overwriting routines for deleted data so that all information is virtually irretrievable by unauthorized users.

Access Control Security

To limit unauthorized access to each device, specify account codes, user/group profiles, passwords, or external user accounts contained in an LDAP or Active Directory server. And to mitigate the risk of interception, user credentials should be transferred using a proven combination of encryption standards, such as, Kerberos, SSL or Digest-MD5.

An MFP security suite should also enable you to customize your solution to meet your unique requirements and ensure data confidentiality and integrity. For instance, government agencies should seek out a security suite or development platform that can be customized for use with MFD or CAT card readers. Without a CAT card reader, the MFP is not compliant with HSPD-12 (Homeland Security Presidential Directive 12) and renders the network functionality of your built-in fax or copier unsafe.

Audit Trail Security

A modern MFP will provide an internal audit trail, and/or third party application software such as Equitrac Office, for comprehensive auditing of all user activity. Certain federal regulations parameters, such as 'to', 'from', 'when' and 'file name' can be logged, reviewed and archived for conformance. Be sure that your MFP is customizable so that, if audit trail software is not embedded, you can easily request or download the appropriate software.

Solutions for External Threats

Unlocking the true potential of your MFP means having it fully integrated with your network, so employees can scan to email, or browse and preview data from the server right on the MFP. Of course, adding another entry point to the network presents another possible threat to a company’s data. A security suite should provide you with the proper safeguarding against external threats too, allowing you to scale up as needed, but adequately safeguarding the network infrastructure and MFP installed base, without affecting network traffic or workgroup productivity.

Network Security

A multi-tiered security suite will feature an intelligent network interface that can limit access to specific computers on a network by IP or MAC address, and selectively enable or disable any protocol or service port on each device. All communications to and from the MFP will utilize Secure Socket Layer (SSL) for secure transmission over the network, and most devices also support SMB, IPv6*, IPSec* and SNMPv3.

Fax Security

Oftentimes attackers can gain access to the internal systems of the MFP or the local network via fax lines. The MFP should provide a logical separation between the fax telephone line and LAN.

Platform Virus Security

Be sure that the MFP operating platform is secure. A proprietary platform is ideal, since it won’t be susceptible to viruses designed to attack more popular operating systems available on personal computers.

Taking the time to talk to your dealer about these features is vital. The time spent will be minimal but the cost savings, both tangible and intangible, will be enormous. Regardless, do not settle for a cookie-cutter, one-size-fits-all security package. Threats to private information and data will always be present and are always evolving. Make sure you are ahead of the game when it comes to security and that your MFP security suite is evolving fast enough to stay ahead of these threats.

Vince Jannelli is the associate director, Applications and Partners, for Sharp Information and Imaging Company of America.

Here is original.



  1. About security leaks - they can be unintentional, too.
    One of the most stupid security leaks I ever saw in my life was this:
    A bomb threat was called in to a nuclear energy plant in Sweden. National television found out about it and sent a reporter. The camera man took some footage of the plant and its surroundings. Later there was an interview with the boss of the plant just outside the entrance of the building. Suddenly, in the middle of the interview, a close-up of a person about to enter, digiting the codelock. Now half of Sweden knew, theoretically, the code to the entrance door lock of one of the biggest Nuclear plants in the country. Needless to say, like a zillion viewers called in to complain big time about security issues...

  2. LOL!

    Good observation - the best part of getting certified on security from HP was intercepting a print stream for a check, putting my name on it and changing the amount to 1 million dollars..

  3. I would take it a step further by pointing out that SaaS tools will quickly outpace the older competitors in the market with their inherent ability to quickly and easily add very sophisticated features and functions and to also support very customized look and feels for every single user.