Canon MFP Security Checklist - The Defences that Could Save Thousands...

Monday, 05 September 2011 19:00

Photocopier News - General News

Every device in a networked environment requires robust security defences. Any weak link in the chain can and usually will be exploited by cyber-thieves or online criminals and could end up costing the organisations affected very dearly indeed. McAfee, the online security experts, estimated that the overall cost of cyber crime had reached a staggering $1 trillion by 2009. The average cost of a corporate data breach in 2010 was $7.2 million and the number of such breaches has been growing every year since 2000. According to the Forrester's Global IT Budgets, Priorities and Emerging Technology Tracing Survey of Q2 2010, upgrading the security environment has been a major priority for IT decsion-makers for the past four years and in 2010, for the first time ever, it became a critical or high priority for over 62% of IT decision-makers. But quite a number of those IT decision-makers can appear fairly complacent of the risks when it comes to office MFPs, which over the past decade or so, have morphed from analogue one or two function photocopiers into sophisticated, networked office task-masters. MFP's now have one or more operating system, a hard disk drive, a web server, fax functionality and even have their own IP addresses. It's essential with such a high level of risk exposure that organisations take as much care to protect their MFPs and printing operations as they would over their day-to-day PC or server security. The list which follows outlines the core layers of defence across the main areas of MFP security - data, document, network and authentication.

MFP Data Security

Hard Disk Drive Encryption. Recent revelations in both the US and the UK have shown that many businesses are unaware of the power of the MFPs in their offices. For over a decade, most MFPs have contained a hard disk drive which will typiclly store an image of every document that has been scanned or copied with the device. Data encryption can help protect the hard drive from the risk of external attack. Most manufacturers, including Canon, now offer a data encryption package. Canon's is essentially a plug-in board containing a special key which is able to encrypt and decrypt data as in enters or leaves the hard drive. This means that the information on the hard-drive is entirely meaningless to anyone without the plug-in board and the device with which it is associated.

Hard Disk Drive Data Erase. Not a lot of people are aware that until information contained on a hard disk drive is over-written, technically, it remains accessible to anybody with the right skills to find it. Many MFP manufacturers now supply data erase kits which protect hard drives by permanently deleting information, with over-writing technology. Disk data is either over-written with null data, random data or random data three times (!) to ensure complete peace of mind.

MFP Document Security

Secure Print. In the most straightforward secure print configurations, sensitive jobs which are 'printed' by a given user will be held at an MFP until that user or the intended recipient 'releases' the document by identifying themselves with a personal identification number (PIN). This ensures that documents printed with secure print are only ever printed in the presence of authorised recipients, greatly minimising the risks of them ending up in the wrong hands.

Secure Watermarks. Leading manufacturers, including Canon and Xerox, now allow users to add a secure watermark to documents being printing at an MFP. If such a document with a secure watermark is then copied, the watermark image becomes visible on the duplicate document, making it apparent to anyone viewing it that it should not have been copied and may contain sensitive information.

MFP Network Security

As has been observed, network security depends on all the links in the chain - it's about achieving a standard of security common to all devices on the network...

IP Address Filtering. IP address filtering allows system administrators to create rules to accept or reject information coming to an MFP, based on protocols, IP addresses or ports. This gives the system administrators very firm control over who can and cannot access the MFP.

IPsec Encryption. Internet protocol security encrypts the connection between clients and printers. IPsec is supported by most PC operating systems including MS Windows. It provides a number of safeguards:

- Traffic encryption

- Peer authentication

- Anti-replay

- Integrity validation

Network Ports On/Off. With the network ports on/off function on most modern MFPs, unused or unecessary ports and services can be shut-off to prevent unauthorised or malicious access. On desktop devices these can be typically adjusted through the control panel or the PC-based device configuration software.

IPv6. Internet protocol version 6 is a netwrok protocol for routing traffic and identifying any devices connected on the network. IPv6 offers some impressive security benefits to users on a network as well as the network's system administrators and developers. Specifically, IPv6 is able to integrate the typical IPsec suite of protocols onto a network.

IEEE 802.1X is an IEEE standard for port-based network access control (PNAC). IEEE 802.1X provides an authentication system for any devices which attempt to access the local area network(LAN) or wireless LAN. IEEE 802.1X is now one of the most popular network protocols for use in wireless networks. Many system administrators find it is also the simplest means of locking-down port access to their internal networks, with its very effective mechanism for preventing infomation from unauthorised devices entering onto the network. With IEEE 802.1X, if unauthorised devices do attempt to access the network, the port can be locked-down until such time as it is unlocked by the system administrator.

Fax and Network Separation. Most MFPs now provide fax functionality. But the phone line which is used by the MFPs fax function is also a potential weak-spot in network security. System administrators must ensure that the MFP fax interface is kept separate from the network controller. Manufacturers such as Canon and Xerox now use a separate fax protocol which only responds to fax commands and only allows the exchange of fax data. The fax protocol on the MFP will only recognise compressed image data with destination information - any other types of data (which could disguise viruses, Trojans or worms) is barred.

MFP Authentication

Role Based Access. Many manufacturers now equip MFPs to differentiate device functionality by user access levels. It is up to the system administrators to determine which functions are allocated to the specific access levels - most typically 'user', 'operator' and 'administrator'.

Smart Card Authetication. Related to the secure print function mentioned earlier in connection with document security, smart card authentication is where a user is required to present a user card when attempting to process a job at an MFP. Typically a special card reader will be installed on the device but as the user interface functions as normal, administrators can effectively operate a two-tiered authetication system, requiring users to produce their card and to enter a PIN number as with standard cardless secure print configurations.

Canon Copiers hopes the list above will equip administrators and users of MFPs, colour copiers and any of the leading Canon imageRUNNER Advance devices with all the information they require to secure their MFPs and the networks they belong to. For any further information or for advice on copier leasing, Canon Copiers welcomes all enquiries.