Archive for January, 2010

h1

The six greatest security dangers that every IT professional should know about their Office “Copier”

January 30, 2010

First some history & background of the Office Technology Industry:
Xerox Corporation invented the copier in 1949, and led the office equipment industry until the 1970s when Japanese rivals entered the market. Companies like Canon & Minolta & others offered cost effective alternatives to Xerox.

The 70’s, 80’s and early 90’s saw the rise of Independent Copier Dealers in the US market place, providing their customers with great local service on a wide variety of office technology products. In the late 90’s we saw a large consolidation in the Industry. Holding companies like Ikon, Danka, and Global began to buy up a large number of independent Copier Dealerships around the country.

The 2000’s
In the next decade (2000s) two of these three national holding companies struggled financially, and by the end of the decade all three had been sold off to specific Copy Manufacturers (Ikon to Ricoh, Danka to Konica Minolta, and Global to Xerox). During this same time there were a number of large regional Independent Dealerships that not only survived but thrived by continuing to provide quality products and great service to their customers.

The Copier becomes an MFD (Multi Functional Device)
In the early 90’s the digital copier was introduced to the US market. Initially these were sold as standalone devices, but it wasn’t long before the Manufactures began to add functionality to them. The first breakthrough was the addition of printing & faxing to the “copier”, and scanning soon followed. Now manufacturers offer a plethora of software options that can be installed directly into the MFD further extending and enhancing the capabilities to integrate these devices into the network and with your back end servers.

Why should your IT Department care about the “Copier”?
For most of the life of the Copy Machine it was completely and totally in the domain of Purchasing. But when the Copier became an MFD and we put it on your company’s network it now involves the IT Department. Today the IT Department must be involved in the purchase and installation of the Multi functional devices (MFDs). These are not your father’s copy machines.

What type of support does your company need for a Multi Functional Device (MFD)?

Your Office Technology Dealer needs to have a proven track record in not only servicing the actual device, but also has the resources to install & support them on your network.  This support is most important to your companies IT Department. It is crucial that you make sure that your Office Technology Dealer has this type of support.

The 6 greatest security concerns your IT department should have regarding the MFD

To secure the Copier \ MFD we need to consider the following topics:

1) Securing the Data on the Copier \ MFDs Hard Drive
a. Real time (while the MFD is on your network)
b. End of life (before you decommission or repurpose your MFD)
2) Controlling Access to the Copier \ MFDs (Is your cleaning crew making copies at night?)
a. Security & convenience has arrived (integrating the Active Directory with the MFD)

3) Controlling Access to the functions of your MFD (who gets to scan to email, scan to a thumb drive,               print securely, or access the MFDs web page? And what ports are open?)

4) Securing the Data that is sent from your copier (email is not an inherently secure media)

5) Securing the MFD on your network (settings & protocols to harden your MFD)

6) Updating the Copier \ MFDs firmware (how to stay current with security patches, bug fixes, & firmware)

The following three security themes also need to be discussed to understand the organization’s culture & needs.

• Confidentiality: Prevent the disclosure of data to unauthorized users

• Integrity: Insure data is not altered either maliciously or accidentally

• Availability: Maintaining data availability to legitimate users

Let’s look at each of these topics and themes in more detail.

Multi Functional Devices (MFDs) = Copier or Network Node?
Modern day MFDs have Hard Drives, RAM Memory, Operating Systems, and Display monitors. They are more like Computer Nodes than old time Copiers. And as such the IT Department needs to be aware of how to secure the MFD while still making it functional for your end users.

Topic 1: Securing your company’s data on the hard drive of your MFD.
There are two separate concerns about data on the Hard Drive.

A.    The first is real time, while the MFD is currently in use and on your network. Whenever a document is copied, faxed, scanned, or printed an image of that document is written to the hard drive of the MFD. That’s the bad news. The good news is that on some MFDs (like Canon) even the basic hard drive with no options does not keep the image on the hard drive on contiguous blocks. And the data is compressed in a proprietary file format (not readable outside of MFD).
But if this is not enough Hard Drive security there are a few other options that make meet your needs. There are Encryption Kits, Disk Overwrite kits, and removable hard drives (that can be locked up when not in use). It is not likely that you will need all of these, or even any of these on all of your company’s Hard drives, but you may need one or more of them on specific MFD based on the type of data being placed on the MFDs hard drive daily (Legal Dept, or HR could be possibilities).  While no one particular security technology can make a company meet their security compliance regulations (like HIPPA or SOX) they can be a part of the company’s compliance strategy. Note: Canon has recently added a TPM (Trusted Platform Module) on the new line of Canon ImageRUNNER-Advance, once it is turned on the Hard Drive, as well as several other components will work in no other Canon Device.

B.    Each of the above technologies is designed to keep your data secure while the MFD is actively in use. The next concern is what you do with the Hard Drive when you are ready to decommission or repurpose the MFD (like moving it to a new department). Most companies have policies they enforce on the decommissioning of their PC’s hard drives, but these policies are not typically enforced on their MFD Hard Drives, they should be! At the very least service technician should be called before the MFD is turned off and removed so s/he can format the hard drive.

If you have a Disk Overwrite option or an encryption kit on your hard drive you will have less of a concern returning the hard drive than if it is simply the standard hard drive.  Some companies actually buy brand new hard drives and install them on the MFD before they decommission them. They then have the hard drives that have been removed and have them “chipped”, run through a chipping machine to physically destroy the hard drive. You may ask why not just destroy the hard drive and be done with it? If you own the MFD this is an option for you, but most companies lease their MFDs. And at the end of a fair market lease you need to return the MFD to the leasing company (who actually owns it) in working condition. If it shows up in non-working order they charge you a premium price to get it back to a working condition. This is not a cost effective decision.

Note: You could also consider “secure erase” technology where the hard drives are guaranteed to be wiped beyond forensic ability to recover any data off of them. But no matter which option you choose you will need an Authorized Service technician to reload a clean copy of the Operating System (OS) on to the hard drive that is being sent back to the Leasing company.

Topic Two: Controlling Access to your Copier \ MFD
For many companies the copier is wide open, available to anyone to walk up and make a copy. In other companies it is locked down completely. You cannot use any of the functions without first Identifying yourself in some manner (ID Code, Active Directory Login, Security Card, other). With some of the latest crop of MFDs you can lock down only certain features (like Scan & Email, Color Printing, or the ability to add an email address that is not already in the MFDs address book).


The biggest drawback to securing the copier \ MFD has always been the inconvenience to your end users.
Anyone who has to login to the copier 12 times a day to make a simple copy will likely lead an armed revolt against the person or people who secured the copier. In all but the most secure environments it has been extremely difficult to do. But that was before we were able to combine an Active Directory Login with a Security Card (Proximity, or Magnetic swipe typically). This allows us to bring together on the MFD two separate security technologies that are often already in use to give the end users and the company “security with convenience” (two words that have rarely used in the same sentence). The addition of real, physical keyboards to the MFDs have also added to the ease of use for the End Users when they need to log in to the MFD.

Authentication is the foundation of securing the MFD. If you don’t identify who wants to use a resource (like an MFD) you can’t make an informed decision as to what they should or should not have access to.


Topic Three: Controlling Access to the functions of your MFD

MFDs can either greatly enhance your company’s productivity or be a license to steal confidential company information. How you choose to configure it can make all the difference.
Once you have Authentication in place on your MFD you can set up policies as to who gets to access what functions (Color, Scan to email, Fax, Printing) on the MFD. For instance many companies want to make Color \ B&W MFDs available across their enterprise but they are afraid that the use of color printing will get out of control. Once you have defined who or what group(s) job description entitles them to print & copy in color they can be given the access where others can only print or copy in black & white. You may allow everyone to scan in color, since it does not cost the company anything more to scan in color.
Another simple example could be “guest” usage of your MFD. You may have visitors that you want to give the courtesy of using the MFD to print or copy in black & white, but you don’t want to give them the ability to fax or scan & email sensitive document outside of your company. Security on the new batch of MFDs is much more granular where the older ones were more all or nothing security. An added benefit of authentication is the ability to track & audit end users and what they are doing on the MFDs.
Some companies only lock down the functions that they want to control, like color or Scanning. And they leave the functions that they don’t need to control wide open. When an end user approaches the MFD they can copy, print, or Fax in B&W without any login, but if they want to do it in color or scan & email they must authenticate or enter a ID code.

Topic Four: Securing the Data that is sent from your copier
Compliance drives many companies to implement better security measures. If your company sends confidential information you will need to add security measures before you can implement Scan to Email.
Scan to eMail: Email is inherently an insecure media. The MFD can have added security measures to either encrypt the PDFs or even assign profiles (by tying it into Adobe LiveCycle), or simply limiting the email so that it can only scan to the companies email server but the MFDs cannot scan THROUGH the email server. This will allow the email to get to the internal users, but not out to the rest of the world unless resent by the company’s email client which may have encryption built in. You can also add an Adobe Digital Signature to certain MFDs to guarantee the integrity of the PDFs you send.
MFDs Address Book(s): A modern MFD can easily be set up to search the Companies Active Directory to find an email address or fax number. Making it less necessary to set up a local address book on the MFD. Leveraging the company’s LDAP or Active Directory will lighten the work load on the IT department as people join or leave the organization.
Adding Software Clients to your MFD: Modern MFDs can also be loaded with client software which can make them on ramps to company servers. Many companies have invested in Fax Server or Document Management systems that they would like to be able to easily access on an ad hoc basis. These MFD clients can make the same security policies and functionality available to the end users even when they are sending documents from the MFD.
Secure printing: Secure printing can be implemented in a number of ways. Print to a secure Mailbox on the MFD and then enter a pin code to release the job. It is also possible to secure the print stream (via encryption) so that it cannot be intercepted.

Topic 5: Securing the MFD on the network
At one prestigious university they told me that the average time it took for a new MFD to get hacked on their network was six minutes. Another Ivy League University set a security policy for their MFDs before any new MFDs were put on their network: Here is a sample of some of the things that can be done to harden your MFD.
•    DHCP must be turned on for all MFD (reservations by MAC address are common)
•    The firmware in use on any MFD must never be more than two revisions old
•    If remote configuration and support is to be utilized, utilize secure protocols (https over port 443)
•    Any unused ports must be disabled (FTP service must be disabled)
•    The SNMP community string must be changed from the factory default (public)
•    A PIN, password, or passphrase must be used to protect the configuration menu on the MFD
•    Access controls to the MFD should be IP filtered, MAC filtered, or through the use of network print servers

Topic 6: Updating the Copier \ MFDs firmware
All manufacturers release updated firmware, security patches, and bug fixes over the life of the device. These are only available to Authorized service providers. It is one of the main reasons that you want to make sure your Office equipment is serviced by an Authorized Service provider.
You wouldn’t consider putting or keeping a non-patched Server on your company’s network, neither should you have MFDs on your network that are not patched with the latest firmware or security updates.
Some MFD manufacturers have begun to make it significantly easier to update the firmware. In some cases the process can be automated like a Windows Update, or a technician can flash the MFD from a thumb drive.  Making it easier ensures that it will be done regularly.

In Closing: There are many security features, functions, configurations and options that can help your company better meet your security goals. A partnership with an Authorized Service Provider should be leveraged by the IT Department. With your IT Departments expertise regarding the company’s network environment and corporate policies and the Authorized Dealers expertise on the equipment and options a comprehensive security policy can be developed and implemented for your Multi Functional Devices.

That’s my $0.02

Vince McHugh

vince.mchugh@yahoo.com

Advertisements
h1

Updating your MFD’s firmware – Canon gets it right!

January 22, 2010

Canon’s Content Delivery System (CDS) is a quantum leap for updating the MFDs firmware. It makes it too flippin’ easy! Below is a screen shot of an actual Canon ImageRUNNER-Advance that I updated today.

I have done a firmware update on the ImageRUNNER-Advance with a USB Thumb drive and I thought that was easy. Do you remember that we use to have to burn and install ePROMS to update firmware. Then after that we needed a laptop and special software to update the firmware. Both of these required a trained service technician.

But being able to enter service mode and download the firmware right from the MFD touch screen was just too easy. There could come a time when a service technician may not be needed, but for now you still need the secret handshake to know how to get into service mode (and no I can’t tell you what that is).

The coolest part is you can schedule when to download the firmware (maybe in the middle of the night) and if you would like, even have it automatically update it. Or if you are more conservative you could have it stored on the hard drive of the Canon IR-Adv waiting for the service tech to install it on his\her next visit. Think about how much time that could save!

Canon has made the updating of firmware as easy as patching your PC or Server. But best of all is it can be configured to your comfort level as to how and when it should be installed. Canon’s new content distribution system is a break through and keeping your firmware and security patches up to date is just the beginning of good things to come! What’s next embedded (MFD) applications?

That’s my $0.02
Vince McHugh
vince.mchugh@yahoo.com

h1

Should you buy a copier (MFD) off of eBay?

January 11, 2010

There have been a number of times over my 20 years in this industry where I have come across someone who bought (or was going to buy) a copier (MFD) off of eBay or the Internet. Usually they tell me that they are being offered a great deal. They got an unbelievable price that they feel like they couldn’t pass it up. Honestly we all want to get a good price for what we buy. BUT, if all you consider is the purchase price you may not have considered what the true cost will be. So let’s consider honestly what the total cost will be.

For starters, what is it going to cost you to ship it to your office?  A dealership has relationships with professional moving companies that specialize in moving high tech equipment. If your equipment gets shipped by someone who has no idea of how to do it correctly there may be significant damage in route. I have seen it happen. One company gave a new meaning to the term “drop shipping”! If it is damaged who is responsible? Is it insured? By Who? Who do you call if it shows up damaged? These are all things that a dealership ensures are done correctly and your Account Manager resolves any of these issues so you don’t have to waste your valuable time and energy. How much is that worth to you? While this may be a soft cost, the headaches will be very real to you.

But let’s say that the Copier\MFD that you purchased off of eBay arrives without any noticeable damage. Now that you have it in your office who is going to set it up? You will need to call for Service from a local Dealer and pay to have it set up (this would be included if you bought it from the dealer). So a Service technician comes out and you pay to have it set up. Because you didn’t buy it from this dealer you have little to no leverage to negotiate price.

Much of the equipment offered on the internet is used. So, If you want to put your eBay Copier under a service agreement with this same Dealership that service technician will inspect the Copier\MFD and write up a list of what parts that this bargain copier\MFD will need to bring it up to spec BEFORE they will put it under a service contract. I have seen this run into several thousand dollars in parts and labor. This is the biggest single expense that you should consider and yet because you can’t inspect it before you buy it this cost is an unknown. Some customers have gotten really burned.

But let’s say that you get it to your office and you get it set up as a copier by a service technician, but you would like to set it up as a network printer, and a network scanner (scan to email or windows shared folder) or maybe you want to integrate it into a Document Management System that you have. So that you you can really get the most out of your multi functional device (MFD). You will need a Systems Engineer from that same dealership to come out and set all of this functionality up for you. And this again will cost you. This would be a service that would be included in the sale if you had purchased it from your local dealership.

But let’s say you paid out of pocket for each one of these services for your bargain ebay copier\MFD and now you or your staff need a little training on how to use this equipment. Who is going to train you? Your local dealership’s Sales person? No! You don’t have an Account Manager \ Sales Person because you bought it from eBay. Will the person you bought it from in Missouri or California come out to train you, not likely. So what happens now? You either figure it out yourself or you and your staff don’t really get to know how to use all the functionality of this Copier\MFD. I have been to customers that had equipment for years and yet they never knew that they could do PC faxing or some other function. Another soft cost.

When you add it all up you could possibly save a little money but not near as much as it would first appear. And if anything goes wrong there will be no one to turn to, to get help. It is at best a roll of the dice, and at worst a nightmare. It may turn out that your eBay bargain may not be much of a bargain after all.

That’s my $0.02
Vince McHugh
vince.mchugh@yahoo.com