Smart Technology In The Office Opens Back Doors

Aug 14, 2007 3:33 PM

           

Information is routed in huge amounts through networked printers, copiers and scanners every day, moving hard-copy data into information technology systems and putting digital data onto paper. And although most federal agencies have been working hard to secure their systems, little thought has been put into securing these devices, according to Government Computer News.

The potential problem of smart peripherals has developed gradually, as stand-alone scanners, faxes and copiers have been integrated into online printers. Not only are these peripherals privy to sensitive information, they often have their own IP addresses and can be vulnerable to network attacks.

Although access to a printer typically requires a user to already have network access, incoming devices such as scanners often have no access control. A malicious hacker, for instance, could serendipitously copy material as it crosses the memory of one of these devices or send forged documents from what might appear to be an official fax machine.

"In the past seven or eight years, the vast majority of these devices have become network-enabled," says Bill DeStefanis, director of product management at security appliance vendor eCopy. They went from being islands that presented little threat to the enterprise to being integral parts of the network. "It doesn't do just copying. In most organizations, it's a network printer device. Like any other technology, functionality was put forth first and the security was addressed later."

"The printers are becoming more capable in what they can do," Don Wright, director of standards at printer manufacturer Lexmark International, told Government Computer News. "They look like computers with the ability to spit out paper, and they are increasingly being linked to the network."

The good news is that the Institute of Electrical and Electronics Engineers (IEEE) is addressing the issue by creating security standards for printers, copiers and other hard-copy devices.

Wright, who also is chairman of the IEEE working group that is writing hard-copy device security standards, says the need for this work was highlighted by the National Institute of Standards and Technology (NIST).

"A couple of years ago, NIST put together a workshop to look at creating security checklists for off-the-shelf products," he says. "Most of it was about operating systems and PCs," but the need to address peripherals also was apparent. Out of this came the IEEE P2600 working group.

There had been some disjointed efforts to create security targets for these devices under the international Common Criteria scheme, but there were no broad industry standards for how they should be secured, according to Government Computer News.

"The printer industry came together to do that," Wright says. The working group is cooperating with the National Information Assurance Partnership, the U.S. government organization overseeing the Common Criteria standards, to develop protection profiles for the program in parallel with the industry standards. Both will define functionality and configuration requirements in four security environments. The IEEE standards will focus on commercial, nonmission-critical requirements.

While IEEE hammers outs the specifications, agencies can look to another standard to help secure devices -- the 2004 Homeland Security Presidential Directive 12 (HSPD-12).

HSPD-12 mandates the use of new smart identification cards "in gaining physical access to federally controlled facilities and logical access to federally controlled information systems," states the directive.

Using digital credentials to log on to a network through a PC equipped with a card reader is becoming common, especially in the military. The Defense Department already has issued more than 10 million of its Common Access Cards (CAC), and civilian agencies are beginning a long process of issuing personal identity verification cards to meet the requirements of HSPD-12.

The millions of standardized smart ID cards being put into the hands of military personnel, federal employees and contractors offer the opportunity to improve the security and accountability of multifunction hard-copy devices.

"We have been using CAC cards for computer log-in for about a year now," says Sgt. Collin Johnson, chief of information services for the Utah Army National Guard. When word came down from headquarters that they should begin thinking about using the cards for access to copiers and scanners, "we decided to implement that." The Guard is rolling out ScanStation from eCopy. The appliances not only provide authentication and access control to peripherals with a CAC reader but also integrate scanners and copiers with business applications.

Want to use this article? Click here for options!
© 2008 Penton Media Inc.

SUBSCRIBE

Select an Issue April 1, 2008 March 1, 2008 February 1, 2008 January 1, 2008 December 1, 2007 November 1, 2007 October 1, 2007 September 1, 2007 August 1, 2007 July 1, 2007 June 1, 2007 IP Security Supplement May 1, 2007 April 1, 2007 March 1, 2007 February 1, 2007 January 1, 2007 School Security December 1, 2006 November 1, 2006 October 1, 2006 September 1, 2006 August 1, 2006 July 1, 2006 June 1, 2006 May 1, 2006 April 1, 2006 March 1, 2006 February 1, 2006 January 1, 2006 December 1, 2005 November 1, 2005 October 1, 2005 September 1, 2005 August 1, 2005 July 1, 2005 June 1, 2005 May 1, 2005 April 1, 2005 March 1, 2005 February 1, 2005 January 1, 2005 December 1, 2004 November 1, 2004 October 1, 2004 September 1, 2004 August 1, 2004 July 1, 2004 July 1, 2004 June 1, 2004 May 1, 2004 April 1, 2004 March 1, 2004 February 1, 2004 January 1, 2004 December 1, 2003 November 1, 2003 October 1, 2003 September 1, 2003 August 1, 2003 July 1, 2003 June 1, 2003 May 1, 2003 April 1, 2003 March 1, 2003 February 1, 2003 January 1, 2003 December 1, 2002 November 1, 2002 October 1, 2002 September 1, 2002 August 1, 2002 July 1, 2002 June 1, 2002 May 1, 2002 April 1, 2002 March 1, 2002 February 1, 2002 January 1, 2002 December 1, 2001 November 1, 2001 October 1, 2001 September 1, 2001 August 1, 2001 July 1, 2001 June 1, 2001 May 1, 2001 April 1, 2001 March 1, 2001 February 1, 2001 January 1, 2001 December 1, 2000 November 1, 2000 October 1, 2000 September 1, 2000 August 1, 2000 July 1, 2000 June 1, 2000 May 1, 2000 April 1, 2000 March 1, 2000 February 1, 2000 January 1, 2000 December 1, 1999 November 1, 1999 October 1, 1999 September 1, 1999 August 1, 1999 July 1, 1999 June 1, 1999 May 1, 1999 April 1, 1999 March 1, 1999 February 1, 1999 January 1, 1999 December 1, 1998 November 1, 1998 October 1, 1998 September 1, 1998 August 1, 1998 July 1, 1998 June 1, 1998 May 1, 1998 April 1, 1998 March 1, 1998 February 1, 1998 January 1, 1998 December 1, 1997 November 1, 1997 October 1, 1997 September 1, 1997 August 1, 1997 July 1, 1997 June 1, 1997 May 1, 1997 April 1, 1997 March 1, 1997 February 1, 1997 January 1, 1997

This month in Access Control

• Opening Up About Door Closers
• An Enterprise Approach
• The Framework For Open Systems
• On A Higher Plane
• More from April's issue