Layer 4: Device security

20 Nov 2023

Security threats are no longer limited to personal computers, servers, or networks. Any device — even basic networked printers — needs countermeasures against a diverse range of threats. As multifunction printers’ (MFPs) functionality has evolved, they have become core IT assets. As the computing capability of what was traditionally categorized as “printer/copiers” has grown, so have potential threats, which can include:

Simply hoping you don’t get hit is not the answer. Superior technology, diligence, and knowledge are essential, requiring a deep understanding of how to tackle potential issues caused by vulnerabilities in your devices, the data they process, and the networks to which they connect.

Device authentication

Controlling access by authentication according to your security policies is necessary. Healthy, secured devices can offer another critical level of security, including remote insight into device configuration, alerts related to usage and supplies, critical service alerts, and warnings for upcoming service issues.

Device user authentication

The ability to track, control usage, and prevent unauthorized access is predicated on requiring users to authenticate before they can print, scan, fax, etc. Once logged in, users will only see the device functions and features they’re authorized to use. Various authentication options give you the ability to control the level of capabilities granted to each user or group of users. This may include restricting the ability to change machine settings and view address book entries or granting access to scanning workflows, document servers, and other functions. In addition, the User Lock-out function — which triggers if it detects a high frequency of successful or failed login attempts — helps guard against Denial of Service attacks or brute-force password cracks.

Network user authentication

Ricoh devices support network user authentication to limit access to authorized users. For example, Windows® authentication verifies a user’s identity at the MFP by comparing login credentials (username and password, ID badge with or without PIN, or a combination of both) against the database of authorized users on the Windows network server. In the case of access to the global address book, LDAP authentication validates a user against the LDAP (Lightweight Directory Access Protocol) server — so only those with a valid username and password can search and select email addresses stored on the LDAP server.

For customers utilizing SmartCards for authentication, such as U.S. Government Common Access Cards (CAC) or Personal Identity Verification (PIV) IDs, Ricoh offers solutions for enabling this type of authentication.

Software such as RICOH Streamline NX — a modular suite that covers scan, fax, print, device management, security, and accounting processes — provides additional network authentication options. These include authenticating against the LDAP, Kerberos authentication, and an available SDK for custom integrations.

Device network authentication

Many Ricoh devices support the IEEE 802.1X authentication protocol, which is frequently part of zero-trust architecture (ZTA) network implementations. This port-based network access control allows a network administrator to restrict the use of a network until a device has been properly authenticated. This ensures secured communication between authenticated and authorized devices.

Device protection

When machines aren’t performing as expected, there are not only costs associated with downtime; the disruption can also negatively affect user behavior, which may include less than desirable workarounds.

Keeping device firmware updated can be accomplished remotely and in batches, and updates can be set to your schedule.

Firmware and driver management

Working with your service provider, you can maintain a line of defense by keeping the firmware on your devices current through proactive remote management. You can prevent printer device firmware from becoming outdated via a remote cloud portal. A device’s firmware can be remotely checked, and an update can be immediately pushed. Or, updates can be performed automatically on a scheduled basis.

Refreshing firmware for large numbers of devices or across an entire fleet can be handled as a batch upgrade in moments. Drivers can also be pre-configured and pushed to devices remotely. You can package drivers with the appropriate defaults according to your print and security policies — and control who has access to different driver packages.

Digitally signed firmware

If an MFP or printer’s built-in software — also known as firmware — is altered or compromised, that device can then be used as a method of intrusion into the corporate network, as a means to damage the device, or as a platform for other malicious purposes. Ricoh-designed devices are built using a Trusted Platform Module (TPM) and are designed to not boot up if the firmware has been compromised. Ricoh’s TPM is a hardware security module that validates the controller core programs, Operating System, BIOS, boot loader, and application firmware.

Ricoh MFPs and printers use a digital signature to judge firmware validity. The public key used for this verification is stored in an overwrite-protected, non-volatile region of the TPM. A root encryption key and cryptographic functions are also contained within the TPM and cannot be altered from the outside. Ricoh uses a Trusted Boot procedure that employs two methods to verify the validity of programs/firmware:

  • Detection of alterations
  • Validation of digital signatures

Ricoh devices are designed to boot up only when firmware and applications are verified to be authentic and safe for users.
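The "detection of alterations" step can be illustrated with a TPM-style hash-extend chain over the boot stages named above. This is an added example, not Ricoh's implementation: the stage images are constructed, and the assumption is that the reference values are produced at release time and protected by the vendor's signature, which the example does not implement.

```python
import hashlib
import hmac

# Constructed stand-ins for the boot stages; real images are read from flash.
BOOT_CHAIN = [
    ("bios", b"constructed BIOS image v1"),
    ("boot_loader", b"constructed boot loader image v1"),
    ("operating_system", b"constructed OS image v1"),
    ("application_firmware", b"constructed application firmware v1"),
]


def extend(register: bytes, image: bytes) -> bytes:
    """TPM-style extend: new = SHA-256(old || SHA-256(image))."""
    return hashlib.sha256(register + hashlib.sha256(image).digest()).digest()


def measure_chain(chain) -> bytes:
    """Fold every stage, in boot order, into one 32-byte measurement."""
    register = bytes(32)  # the register starts at all zeros on reset
    for _name, image in chain:
        register = extend(register, image)
    return register


def reference_digests(chain) -> dict:
    """Per-stage reference digests, computed from a known-good release."""
    return {name: hashlib.sha256(image).hexdigest() for name, image in chain}


def first_altered_stage(chain, references):
    """Name of the first stage whose digest differs from its reference."""
    for name, image in chain:
        if hashlib.sha256(image).hexdigest() != references.get(name):
            return name
    return None


def boot_allowed(chain, golden_register: bytes) -> bool:
    """Allow boot only if the whole chain reproduces the reference value."""
    return hmac.compare_digest(measure_chain(chain), golden_register)


if __name__ == "__main__":
    golden = measure_chain(BOOT_CHAIN)
    refs = reference_digests(BOOT_CHAIN)
    tampered = list(BOOT_CHAIN)
    tampered[1] = ("boot_loader", b"constructed boot loader image v1 + implant")
    print("clean boot allowed:   ", boot_allowed(BOOT_CHAIN, golden))
    print("tampered boot allowed:", boot_allowed(tampered, golden))
    print("first altered stage:  ", first_altered_stage(tampered, refs))
```

Because each extend folds in the previous register value, the final measurement also changes when unmodified stages run in a different order, which a per-stage digest comparison alone does not catch.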

Disable unused protocols and services

To make it easy to add network devices, many vendors’ network-enabled systems are routinely shipped to the customer with all network protocols and services set to “enabled or active” — but unused services on network devices pose a security risk. Compromised ports can lead to various threats, including the destruction or falsification of stored data, Denial of Service (DoS) attacks and viruses or malware entering the network.

There is a simple but often overlooked solution for this particular risk source: disable all unrequired services. Ricoh device administrators can easily lock down unneeded services, helping to make devices less susceptible to hacking. In addition, specific protocols — such as SNMP or FTP — can be completely disabled to close off the risk of them being exploited.
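One way to check a fleet for services that should be disabled is to compare each device's listening ports against an allow-list. This is an added example, not Ricoh tooling: the inventory format, host names, and allow-list are constructed assumptions, and the port-to-service map uses well-known port assignments.

```python
from collections import defaultdict

# Well-known ports commonly exposed by network printers and MFPs.
KNOWN_SERVICES = {
    ("tcp", 21): "FTP", ("tcp", 23): "Telnet", ("tcp", 80): "HTTP",
    ("tcp", 443): "HTTPS", ("tcp", 515): "LPD", ("tcp", 631): "IPP",
    ("tcp", 9100): "raw port-9100 printing", ("udp", 161): "SNMP",
}

# Assumed site policy: HTTPS management, IPP configured for TLS, SNMPv3 only.
ALLOWED = {("tcp", 443), ("tcp", 631), ("udp", 161)}

# Constructed inventory: one "host proto/port" listener per line.
INVENTORY = """\
mfp-floor1 tcp/443
mfp-floor1 tcp/631
mfp-floor1 udp/161
mfp-floor2 tcp/21      # left enabled from factory defaults
mfp-floor2 tcp/23
mfp-floor2 tcp/443
mfp-floor2 tcp/9100
printer-lab tcp/631
printer-lab tcp/8611
"""


def parse_inventory(text: str) -> dict:
    """Parse 'host proto/port' lines into {host: {(proto, port), ...}}."""
    listeners = defaultdict(set)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            host, endpoint = line.split()
            proto, port_text = endpoint.lower().split("/")
            port = int(port_text)
        except ValueError:
            raise ValueError(f"line {lineno}: expected 'host proto/port'") from None
        if proto not in ("tcp", "udp") or not 0 < port < 65536:
            raise ValueError(f"line {lineno}: invalid endpoint {endpoint!r}")
        listeners[host].add((proto, port))
    return dict(listeners)


def unrequired_services(listeners: dict, allowed=frozenset(ALLOWED)) -> dict:
    """Return {host: [listeners outside the allow-list]} for non-compliant hosts."""
    report = {}
    for host, endpoints in sorted(listeners.items()):
        extra = sorted(endpoints - allowed)
        if extra:
            report[host] = [
                f"{proto}/{port} ({KNOWN_SERVICES.get((proto, port), 'unknown service')})"
                for proto, port in extra
            ]
    return report


if __name__ == "__main__":
    for host, items in unrequired_services(parse_inventory(INVENTORY)).items():
        print(f"{host}: disable {', '.join(items)}")
```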

Fax line security

Enabling a device’s fax feature may mean connecting it to the outside via a telephone line — which means that blocking potential unauthorized access via the analog fax line is critical. Ricoh embedded software is designed to only process appropriate types of data (i.e., fax data) and send that data directly to the proper functions within the device. Because only fax data can be received from the fax line, the potential for unauthorized access from the fax line to the network or to programs inside the device is eliminated.

The Facsimile Control Unit (FCU) in Ricoh fax-enabled devices supports only G3 FAX protocols. Therefore, even if an initial connection is established with a terminal that does not use these protocols, the MFP will view this as a communication failure and terminate the connection. This prevents access to internal networks via telecommunication lines and ensures that no illegal data can be introduced via these lines.

Simplify managing devices

Managing devices can be time-consuming, and security gaps can emerge unintentionally when aspects of proper device management go unattended. Ricoh device management software, such as Streamline NX, gives IT managers a central control point to monitor and manage their fleet of network-connected print devices — whether spread across multiple servers or geographic regions — from a single management console.

Here’s how Ricoh does it:

  • SNMPv3-encrypted communications between devices and servers
  • Central controls allow administrators to control access, monitor security settings, and manage device certificates
  • Automated firmware update tasks reduce exposure from outdated firmware
  • Deploy customer-approved firmware versions, or use the latest firmware available from Ricoh

The Security Analyst add-on for Streamline NX provides an at-a-glance dashboard for assessing device security policy compliance and offers a best practices checklist for whether devices are in policy.

Meters and alerts

When an early warning enables teams to resolve a problem before it causes downtime, it helps reduce the risk of unexpected user behavior, such as unsanctioned workarounds. If machines are not operating as expected, users may choose a different, unsecured course of action. They may print or scan from a local device with no ability to audit activity or protect the data being moved.

Using monitoring and management software with devices lets you collect information and keep your device healthy with timely alerts. This includes automatic collection of meter data based on your set schedule, low/replace toner alerts, critical service alerts, and upcoming critical service issues.

@Remote.NET

Ricoh’s @Remote Connector NX enhancement for Streamline NX collects approaching critical service alerts and communicates them directly to your service provider. Your provider can schedule remote firmware updates and push critical updates immediately. The @Remote Connector also collects device meters and makes them available on a pre-defined schedule — along with notifications of consumables levels — to maintain uptime and reduce administrative burden. The collected data is available via the @Remote.NET web portal.

Types of encryption

  1. Drive encryption

    If the drive is physically removed from a Ricoh machine, the encrypted data cannot be read. Once enabled, the drive encryption function can help protect an MFP’s drive against data theft while helping organizations comply with corporate security policies. Encryption includes data stored in a system’s address book — reducing the danger of an organization’s employees, customers, or vendors having their information misappropriated.

    The following types of data — which are stored in non-volatile memory or on the drive of MFPs — can be encrypted:
  2. Device data in transit encryption

    As information moves through the network, it is possible for a knowledgeable hacker to intercept raw data streams, files, and passwords. Without protection, unencrypted information can be stolen, modified, or falsified and re-inserted back into the network with malicious intent. To combat this, Ricoh uses encryption and robust network security protocols that can also be configured according to customers’ needs. For example, the Transport Layer Security (TLS) protocol is used to help maintain the confidentiality and integrity of data being communicated between two endpoints.
  3. Print stream encryption

    Data sent in a print stream can be exploited if unencrypted and captured in transit. Ricoh enables the encryption of print data by means of Secure Sockets Layer/Transport Layer Security (SSL/TLS) via Internet Printing Protocol (IPP) — encrypting data from workstations to network devices or MFPs. Because this is a protocol that helps maintain data confidentiality, attempts to intercept encrypted print data streams in transit would only produce data that is indecipherable. Data sent to printers could be misused or attacked if it is not encrypted.
  4. End-to-end driver-based encryption

    Concerns about a malicious attack on print job data can be addressed using the Ricoh Universal Print Driver for end-to-end encryption of print data between the user’s system and the Ricoh MFP. End-to-end encryption can be enabled in the print dialog so a user can set an encryption password. To release the print job, the user enters the encryption password at the Ricoh device, which then decrypts the data and prints the job. This method of print data encryption utilizes AES-256 encryption.
  5. Locked print

    Printed documents sitting on the paper tray or left out in the open can be picked up by anyone. This puts the document’s information at risk, and the potential impact grows dramatically when printing confidential documents. Ricoh locked print capabilities can hold encrypted documents on the device’s hard drive until the document’s owner arrives and enters the correct PIN code or network credentials. For even more capability, software such as SLNX can provide full-featured secure document release — giving users options over their secure print queue while letting administrators maintain control.
  6. Copy data security

    Ricoh offers functions to thwart unauthorized copying of hardcopy documents — helping prevent possible information leaks. The copy guard function prints and copies documents with special invisible patterns embedded across the background. If the printed or copied document is photocopied again, the embedded patterns will become visible on the copies.

    The unauthorized copy control function protects against unauthorized copying in two ways. Masked Type for Copying embeds a masking pattern and message within the original printout, safeguarding the information. If unauthorized copies are made, the embedded message appears on the copy. This might include the document author’s name or a warning message. When the Ricoh device detects the masking pattern, the printed data is obscured by a gray box that covers all but a 4 mm margin of the masking pattern.
  7. Mandatory secure information print

    Stamping documents with key identifying information can achieve greater accountability and management control. Mandatory security information print is a feature that forces key information — including who printed a document, when it was printed, and from which device — to be printed with a document. This feature can be enabled for copy, print, fax, and document server functions.

    Administrators can select the print position and which types of information will be automatically printed on the output, which may include:
    • Date and time the job was printed
    • Name or login user ID of who printed the job
    • IP address and/or serial number of the device used

     

  8. Temporary data removal

    When a document is scanned or when data is received from a PC, some may be stored temporarily on the hard disk drive or memory device. This can include scan/print/copy image data, user-entered data, and device configuration. This temporary data represents a potential security vulnerability.

    The DataOverwriteSecurity System, built into most Ricoh devices, addresses this vulnerability, destroying temporary data stored on the MFP’s hard disk drive by overwriting it with random sequences of 1s and 0s. Temporary data is actively overwritten and thereby erased each time a job is successfully completed. The DataOverwriteSecurity System can also:

    • Include options for National Security Agency (NSA) and Department of Defense (DoD) recommendations for handling classified information
    • Make it virtually impossible to access latent data from copy/print/scan jobs once the overwrite process is complete (overwrite process can be selected from 1 to 9 times)
    • Assist customers in their compliance with HIPAA, GLBA, FERPA, and other regulations
    • Provide visual feedback regarding the overwrite process (i.e. Completed or In-Process) with a simple display panel icon

Independent security standards and certifications

Common Criteria is used internationally for the evaluation of information technology security. It is used for measuring whether security functions are appropriately developed for IT products. The Common Criteria Certification is a standard recognized by more than 25 nations of the world. Domestic and overseas multifunction copier vendors are eager to obtain this certification for digital multifunction copiers.

The Common Criteria Certification process verifies protection provided by multiple security technologies against various security threats. The certification covers, for example, system validity verification at the start, access control and logging, data protection by encryption, and data deletion at machine disposal. Therefore, it helps protect our products from various threats — such as software alteration, invalid access, and information leakage.

Protection Profile for Hardcopy Devices (PP_HCD_V10)

PP_HCD_V10 is a U.S. government-approved protection profile for hardcopy devices such as digital MFPs. It was developed by the Multifunction Printers Technical Community with representatives from industry (including Ricoh), U.S. and Japanese government agencies, Common Criteria Test Laboratories, and international Common Criteria schemes. The purpose of this Protection Profile (PP) is to facilitate efficient procurement of Commercial Off-The-Shelf (COTS) Hardcopy Devices (HCDs) using the Common Criteria (CC) methodology for information technology security evaluation.

The following areas — which have been identified as among the most important for security protections — have been validated in most Ricoh devices to the PP_HCD_V10 standard and can be enabled:

  • User identification and authentication systems
  • Data encryption technology available for multifunction printers
  • Validation of the system’s firmware
  • Separation of the analog fax line and the copy/print/scan controller
  • Validation of data encryption algorithms
  • Data protection

At Ricoh, our product line is constantly being enhanced to meet our customers’ and regulators’ changing requirements.

IEEE 2600.2

The IEEE 2600.2 security standard pertains to hardcopy devices operating in a commercial information processing environment — with required levels of document security, network security and security assurance. It establishes a common baseline of security expectations for MFPs. To ensure that a device demonstrates conformance with the established standard, independent third-party laboratory tests provide verification of the manufacturer’s security features. Ricoh offers a broad line of MFPs that have been certified as conforming to the IEEE 2600.2 security standard.

FIPS 140-2/3

The Federal Information Processing Standard (FIPS) 140-2/3 is a U.S. government security standard for validating cryptographic modules through the National Institute of Standards and Technology’s (NIST) Cryptographic Module Validation Program (CMVP). Many cryptographic modules in Ricoh devices use algorithms that are recommended or approved by NIST, including algorithms validated under NIST’s Cryptographic Algorithm Validation Program (CAVP). CAVP validation is a prerequisite for CMVP validation.

Customers can upgrade certain devices to a CMVP-validated drive* and a soon-to-be-released MFP firmware upgrade that will incorporate CMVP-validated modules elsewhere within the MFP**. Firmware-upgraded devices will implement certain device hardening measures — including turning off less secured ports, protocols, and limiting some application use.

Source:  RICOH USA