Canon has launched the first in its series of 'hardening guides' advising on best practice security configuration...
for its imageRunner Advance series of multifunctional devices (MFDs) at Infosecurity Europe 2011 in London.
The security hardening guide forms part of Canon's campaign to highlight the importance of document security.
Despite organisations understanding the need to secure data stored on an MFD, it is often overlooked within an organisation's overall security policy, says Canon.
With nearly a quarter of security breaches being paper-based, the guides are designed to highlight common pitfalls and advise on best practice configuration options to help lower the risk of exposure to potential threats.
The most common threat organisations face, says Canon, is data leakage through the copying and distribution of unauthorised documents.
"Organisations need to understand the risk they potentially expose themselves to by leaving MFDs unprotected, as well as the positive impact on security MFDs can provide," says Quentyn Taylor, director of information security, Canon Europe.
"We have effectively tested the imageRUNNER ADVANCE series from a hacker's perspective, firstly to give third party assurance regarding the security of our products, but secondly to develop a guide for customers highlighting any potential risks through improperly configured printing solutions. This in turn allows us to advise on best practice implementation to protect against malicious attackers and accidental leakage," he says.
The MFD guide has been produced in conjunction with industry leading security consultancy IOActive, following its vulnerability testing of Canon's imageRUNNER ADVANCE series.
The second guide in the series focuses on Canon's uniFLOW 5.0 software, and will be published later this year.
"By producing this guide we are building on the support and advice we offer customers, to enable them to minimise their risk of exposure to malicious attacks and information leakage," says Taylor.
Canon tips for securing printers
Printers are no longer just printers
-Multifunctional devices are actually servers in their own right, providing a number of networked services; for example email, file transfer (ftp), web and eFax servers, with some having significant hard drive storage as well. As such, they need to be treated in the same way, but are often not controlled to the same degree as corporate email servers or company web servers.
- Organisations of all size should produce a configuration guide and ensure it is adhered to at all times. This will ensure all functions on the MFD are looked at critically, and can be enabled or disabled as required. It will also mean third parties fully understand the configurations and do not disrupt them.
Password protect your organisation
- With the popularity of social networking in people's lives, password theft has become even easier for malicious attackers. For example, password stealing Trojans and other malware can use fake password reset messages, which when activated then install on people's machines. It has then been widely reported that one third of people use the same password for all websites and corporate accounts, meaning once the attackers have it they can access not only the individual's personal data but also their professional information.
- To ensure the MFD is a secure link in the information flow, organisations should disable default passwords and ensure employees have strong, unique passwords which are changed every 90 days for accessing their print jobs. These should ideally be between 8 - 10 characters long, and include a mixture of letters, numbers and symbols rather than a dictionary word which can easily be remembered.
- Nearly a quarter of security breaches are paper-based. It is really important for organisations to make sure their MFD is not a key contributor to this - ask yourself, how frequently are printouts left in the output tray or dropped into the recycling bin, without being shredded?
- Organisations can minimise the risk by using 'Secure Job Release', a function which means print jobs are locked in a queue on the device until the corresponding user PIN is entered. This will minimise the number of printouts left on the output tray, as documents will only be printed when they are required.
Minimise the insider threat
- One of the ongoing risks for security professionals is not just the threat of malicious attacks, but the insider threat. Be it a disgruntled ex-employee leaking information for money or a well-meaning current employee, or simply human error - the risk of someone who has access to confidential information can be difficult to protect against.
- For example, many organisations use sub-contractors who require access to the most up-to-date data to complete their work. By enabling the secure print options including 'Secure Job Release' outlined above, it protects from people stumbling on printed documents left on the output tray or illegally gaining access to an employee's mailbox.
- A further configuration which can help protect against this type of threat is 'Job Log Conceal'. This hides the details of recent print jobs so people can't watch them, and also removes all traces after confidential jobs are printed so no data trail is left.
- Lastly, it is very important to consider what happens to the device at the end of its life. Would you simply throw away a laptop once you'd finished with it, or would you clean the hard drive to remove all your data such as photos and music? The hard drive of a printer must be erased and securely disposed of at the end of its life.
Ultimately the true victims of data loss are the people whose data is stolen, not the company receiving the fine. This should be remembered at all times and everything done to minimise the risk and the MFD can be a valuable asset in the battle to keep information safe.