The following Q&A with Sharp on print device security complements Noel Ward’s article “Think Like a Hacker,” which appears in the March 2020 issue of The Cannata Report. The answers provided are a collaboration between Akisa Matsuda, associate director, software product management, Sharp Imaging and Information Company of America (SIICA) and George Grafanakis, associate director, hardware product management, SIICA. This is an edited excerpt of those responses.
CR: When it comes to networked, office-class printers and MFPs, what do you see as the greatest security risks?
Sharp: The leading security threat these days is that all network devices are vulnerable to phishing campaigns, social engineering campaigns, ransomware, and other malicious network intrusions. These attacks can penetrate an office-class MFP or printer much the same way as they would a computer or other network device. In these cases, endpoints are extremely vulnerable. The biggest challenge is when the end users or even network administrators are not following common sense IT practices. If unique login passwords and administrator passwords are not maintained and changed regularly, the risk of malicious attacks to a network MFP or printer becomes very high. Additionally, most office-class MFPs and printers today offer both wired and wireless network connections, which provide hackers with more than one way to access the networked device. In this case, malicious executable files can attack the machine file system, user data and more.
Also, many office-class MFPs and printers utilize inbound and outbound email accounts, which can be used as malware vehicles for hackers. Furthermore, the hard disk (or solid state) drive that processes and stores job data and user data on most office-class MFPs and printers can be a treasure trove of confidential information and intellectual property for hackers and malicious intruders if the data is not encrypted using modern AES (Advanced Encryption Standard) encryption technology. This risk is compounded when businesses trade in their MFP or printer for a new model without taking steps to destroy the existing data on the hard disk (or solid state) drive. Sharp MFPs and printer devices utilize 256-bit AES data encryption and include an End-of-Lease feature, which deletes and overwrites all hard drive data at time of trade-in.
CR: How do these risks translate to printing and sending data to these devices?
Sharp: Printing and sending data to office-class MFPs and printers has several of the same risks as I mentioned above, starting with the users and network administrators. Many users print confidential company information and leave it on the exit tray of the MFP or printer until they get around to getting it. This makes it easy for anyone with malicious intentions to pick up the information and use it for their own gain. Also, users can send these same confidential jobs to the wrong MFP or printer, allowing anyone that walks by the device to take it. If administrators don’t enforce strict countermeasures, such as secure print release and user authentication in these situations, confidential information such as sales data, customer lists, human resource data and more can be stolen and used maliciously. Additionally, sending data to MFPs and printers from mobile devices and cloud services also creates a risk if similar countermeasures are not deployed. When scanning documents on an MFP, a common security issue is when the user forgets to take their originals. Sharp MFP models offer a flashing original reminder light to help users avoid this.
CR: To what extent are people using these devices aware of the risks?
Sharp: One of the biggest challenges businesses have is training users of MFPs, printers and other network devices about common sense IT practices. Although mindshare about IT security is growing, users are not necessarily aware of all the risks that are involved. Users need to be educated regularly about existing and emerging security risks and learn how to practice good IT hygiene.
CR: What should owners of these devices be doing to help ensure their machines and networks are adequately protected from outside intrusion?
Sharp: Properly managing endpoints and resources in the organization, which includes installing the latest patches and updates, are important steps in protecting network security. Also, having an up-to-date disaster recovery plan is paramount. This is something all businesses should have. All of these things are a daily routine process that needs to be maintained, and if you take your eye off the ball and one of these steps is not done, it can potentially cause a catastrophe. It is also difficult to find IT people that are versed in all IT areas of security. Businesses are looking to companies, such as Sharp, that can provide managed IT services and complement the IT staff of these companies by providing help where it is needed.
CR: What types of security or practices (such as encryption) does your company employ to address these challenges?
Sharp: Sharp’s latest multifunction printers are armed with leading-edge, multi-layered security features, designed to meet various security requirements needed at each organization. Sharp security features include user authentication (local/LDAP/AD) and access control, as well as data and communication encryption (256-bit AES encryption).
Sharp has always aimed to achieve a secure and productive office environment through the development of our digital MFPs. Meeting evolving security standards is important to ensure organizations confidently handle the most sensitive data on Sharp devices. All Sharp MFPs go through rigorous vulnerability and penetration testing to become Common Criteria certified. Also, Sharp MFPs conform to the new California IoT law that went into effect January 1st, 2020, requiring network office equipment to prompt the customer to set a strong, unique password upon first time installation.
CR: How should users be educated about the risks?
Sharp: IT departments need to communicate with all employees and train them on the do’s and don’ts of IT security with regards to MFPs, printers, computers and other network devices. Users of these devices need to understand the ramifications of careless IT practices, such as clicking on links, opening attachments, leaving confidential documents in the exit tray, etc. Here at Sharp, our IT department requires every employee to take an IT security seminar as often as six times per year.
To help businesses protect their machines and their network, Sharp has an easy-to-use security checklist that is posted to our website to guide customers in deploying the proper settings to protect their MFP from malware attacks. Sharp also provides dealers and customers with a comprehensive security guide for our products that covers everything from printing and scanning security to user authentication and audit trail security, all to help businesses deploy the right security features for their environment.
CR: And how can a printer/copier dealer be part of a solution?
Sharp: Dealers can be trusted security providers to their customers by working with them regularly to make sure they understand and properly deploy the appropriate security settings for their MFPs and printers.
Sharp MFP products are designed for the technology-driven office, enabling IT administrators to manage them similarly to the way they manage PCs and servers on their network, and deploying the same level of security. Features such as Active Directory integration enable Sharp MFPs to join the domain as a PC, allowing their security settings to be centrally controlled. Sharp’s SRDM remote management utility centrally monitors security settings of Sharp MFPs on the network and can reset the security policy if changes are made locally at the machine.
Dealers should also practice due diligence and be aware of the latest vulnerabilities, phishing campaigns and malware attacks. Government websites, such as FBI.gov, banking websites and other on-line resources can help dealers learn about the latest IT threats. Additionally, making sure customers have an up-to-date disaster recovery plan is paramount. Also, make sure all employees are properly trained to follow good IT practices themselves.