The Way Business Is Moving published by
Issue Date: February 2008

MFDs - the stealthy security threat

1 February 2008
Anthony Ho, product support manager at Gestetner

The multifunction printer (MFP) bought to handle the company's scanning, printing, copying and faxing needs is becoming a security risk.
Anthony Ho, product support manager at Gestetner
Anthony Ho, product support manager at Gestetner
Worms, Trojan horses, viruses and other malware are all security threats companies know well. But now comes a new threat by way of a most unlikely source. The multifunction printer (MFP) bought to handle the company's scanning, printing, copying and faxing needs.
MFPs evolved from copiers back in 1999. Inside, they are essentially computer terminals, complete with hard drives and memory that captures image data and converts it into bits and bytes. Every time someone prints, scans, copies or faxes a document, the MFP retains this information in its memory. With network capabilities added to the mix, this makes these devices vulnerable to attack by unauthorised users.
The security risks of MFPs have emerged slowly but steadily as these devices have increased in sophistication. For companies in the financial, healthcare, accounting, legal or public sector industries dealing with critical data, this risk is unaffordable.
Besides actual attacks, human error also plays a role. Just think of how often you have copied confidential documents only to forget a page in the machine.
Devices in open areas further offer access to everyone. While colour printing is becoming more affordable, it still costs a lot more than black and white. Misuse can see costs go through the roof. Remember the television advertisement of an employee colour printing and copying posters for the return of the family's lost dog, Spot, on the office's equipment?
Essentially you have got two issues. Firstly, you need to guard against data compromise with attacks through network ports. Secondly, you have to protect the business against unwanted expenses by restricting access to the machines.
One example of what can go wrong is with e-mails sent from an MFP. If the device is not set up to request a user ID password, unauthorised documentation can be sent in your name with the recipient believing the message is from you. This can have dire consequences if financials are involved. To prevent this from happening, the device can be set up to request users to identify themselves, avoiding unsolicited mail.
Another security threat that often occurs is with refurbished computers where companies redeploy machines used in one part of the business in another division, or even sell the machine. With documents and templates stored on MFPs' internal hard drives, sensitive information can easily be retrieved if these drives are not properly scrubbed.
These and many other security features have been built into MFPs as manufacturers seek to differentiate their devices through increased security functionality. But, the fact that they exist does not necessarily mean they are activated.
Many vendors' installation staff lack the necessary skills and expertise to offer these consultancy services. Others prefer to take the easy way out by not incorporating security aspects into companies' strategy planning as it can be time-consuming and laborious.
The level of security employed can be as simple or as complex as the organisation dictates. In organisations where other IT issues are already under control, the step to IT advancement protocols will naturally be a much easier process.
While companies can invest in as much physical safety, network security, firewalls and data back-ups as they want, by failing to secure networked printers and MFPs, they will continue to put their most valuable asset at risk - their data.
Covering all the bases
The four most vulnerable security areas are:
* Access to device - access to the document server can be controlled with the User Authentication function, requesting a PIN code to be entered on the control panel to open and view the document. Passers-by can be prevented from browsing documents left in a print tray through the Locked Print function, holding print jobs until a password is entered at the device, or the Secure Document Release function, which deletes a job from the server if it is not collected after a certain time. Secure audits trail further tracks network activity, keeping a record of individual users' activities and an accurate record of what has happened to each document.
* Transmission - documents scanned and printed to the device can be safeguarded from interception and decoding by hackers with 128 bit data encryption, using Secure Sockets Layer (SSL) technology through Internet Printing Protocol. Using SSL through a SNMP v3 technology, hackers can be prevented from tapping the machine settings. Restricting manual e-mail address entry can further protect scanned documents, ensuring employees only distribute confidential documents to authorised destinations. To prevent unauthorised access to the network, system administrators can conduct IP filtering and apply network protocol restriction, terminating connection to a remote terminal that is not using the approved protocols to connect.
* Unauthorised copy protection - some documents contain information you do not want to be copied, for example certificates. To prevent this, the unauthorised copy function can be enabled in the printer driver, which encodes documents with embedded patterns in the case of unauthorised copy. When the document is photocopied illegally, grey marks or text will appear on the document branding it as 'unauthorised'.
* Data overwrite security - information stored on the hard disk over time can be prevented from leaking through with the Data Overwrite Security function. This secures the hard disk drive, making confidential documents unrecoverable, by overwriting print, copy and scan data. Securing the hard disk data also includes encrypting the address book to prevent e-mail and faxes from being compromised. Look out for solutions with international compliance standards such as ISO 15408 Certification to guarantee its security standards.

Others who read this also read these articles

Search Site


Previous Issues