Hardcopy Security: An Open Door

This presentation discusses the importance of hardcopy security and the measures, methods, and procedures taken to protect sensitive information and devices used for printing, scanning, copying, transmitting, and storing documents. Topics covered include physical security, authentication, authorization, privacy, integrity, monitoring/auditing, device management, document security, and the legal implications of hardcopy security.


Presentation Transcript


  1. Hardcopy Security: An Open Door
     Don Wright, Director, Alliances & Standards, Lexmark International, don@lexmark.com

  2. Agenda
     • Thoughts on Security
     • What is Hardcopy Security?
     • Components of Hardcopy Security
     • Who needs Hardcopy Security and Why?
     • The existing Hardcopy Security Landscape
     • P2600
     • Questions

  3. What, me worry?
     • “Valuable information must be protected no matter what form it takes or where it is located. An organization’s customer list has the same value whether in hardcopy form or an electronic file…” (Kevin Mitnick, “The Art of Deception”)
     • “Information never stays in computers; it moves onto paper all the time. Information is information and, for an attacker, information in paper files is just as good as information in computer files.” (Bruce Schneier, “Secrets & Lies”)

  4. What is “Hardcopy Security”?
     For the purposes of this discussion, “Hardcopy Security” is the measures, methods and procedures taken to guard against an attack on, theft of, espionage against, or the sabotage of sensitive information and the devices, components or systems used to print, scan, copy, transmit, receive or store documents on (or intended to be on) paper or other human-readable media.

  5. Components of Hardcopy Security
     • Physical
       • Theft prevention (memory cards, hard disk drives, etc.)
       • Disposal of integrated flash memory and/or hard disk drives
     • Authentication
       • Who are you and how do you prove it? Userids? Passwords? SmartCards? Biometrics?
       • Federated identity systems such as Liberty Alliance or Passport
       • Authentication of the device itself
     • Authorization
       • Are you authorized to print? Copy? Scan?
       • Is that your print job being held for you in the printer?
       • How are authorization levels maintained, managed, transmitted?
     • Privacy
       • Protection/encryption of data transmitted to or from the device
       • Protection/encryption of data residing on the device
       • HIPAA, Gramm-Leach-Bliley Act, Sarbanes-Oxley (protection of nonpublic personal information)
       • Protection of the physical output, e.g. the paper
     • Integrity
       • Maintain and enforce the trustworthiness of the system
       • Non-repudiation

  6. Components of Hardcopy Security (continued)
     • Monitoring / Auditing
       • Tracking who printed, scanned or copied what
       • Knowledge of printing/scanning usage, timing and volumes can be insightful
       • Who is attempting unauthorized activities?
     • Device Management
       • Unauthorized configuration changes (disabling safeguards)
       • Unauthorized “firmware” updates (re-enabling or bypassing disabled functions)
     • Document Security
       • Confidentiality, Integrity, Authenticity
       • Non-repudiation, Authentication, Access Control
     • Customer perceptions (correct or incorrect)
       • Use of the fax modem connection to break into corporate networks
       • Use of the device as a source of denial of service, e-mail relays (spam), etc.
       • Utilization of device programmability to compromise security
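The monitoring/auditing and device-management items above, turned into a small audit check over a constructed device log. This is an added example, not code from the deck or from any vendor; the log format, field names, action names and thresholds are all assumptions made for illustration.

```python
from collections import Counter, namedtuple

# Constructed sample audit lines (assumed format, not a real vendor's):
# timestamp device user action result pages
SAMPLE_LOG = """\
2004-01-12T08:02:11 mfp-3f alice print ok 12
2004-01-12T08:05:40 mfp-3f bob scan ok 3
2004-01-12T08:07:02 mfp-3f carol copy denied 0
2004-01-12T08:07:15 mfp-3f carol copy denied 0
2004-01-12T08:07:31 mfp-3f carol copy denied 0
2004-01-12T09:15:00 mfp-3f admin config-change ok 0
2004-01-12T09:16:22 mfp-3f dave firmware-update denied 0
2004-01-12T09:40:10 mfp-3f alice print ok 250
"""

Event = namedtuple("Event", "ts device user action result pages")
USAGE_ACTIONS = {"print", "scan", "copy"}                  # ordinary use
MANAGEMENT_ACTIONS = {"config-change", "firmware-update"}  # device management

def parse_log(text):
    """Parse whitespace-separated lines into Event records; skip blanks."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, dev, user, action, result, pages = line.split()
            events.append(Event(ts, dev, user, action, result, int(pages)))
    return events

def audit(events, denied_threshold=3, page_threshold=200):
    """Return (findings, pages_by_user).  Findings cover repeated denials
    per user/action, every management action (successful or not, since a
    successful config change may be the one that disables a safeguard),
    and unusually large jobs; pages_by_user is successful usage volume."""
    denials, pages_by_user, findings = Counter(), Counter(), []
    for e in events:
        if e.result == "denied":
            denials[(e.user, e.action)] += 1
        elif e.action in USAGE_ACTIONS:
            pages_by_user[e.user] += e.pages
        if e.action in MANAGEMENT_ACTIONS:
            findings.append(f"management: {e.user} {e.action} {e.result} at {e.ts}")
        if e.action == "print" and e.pages >= page_threshold:
            findings.append(f"large-job: {e.user} printed {e.pages} pages at {e.ts}")
    for (user, action), n in denials.items():
        if n >= denied_threshold:
            findings.append(f"repeated-denial: {user} denied {action} {n} times")
    return findings, dict(pages_by_user)
```

Running `audit(parse_log(SAMPLE_LOG))` on the sample yields four findings (both management actions, the 250-page job, and carol's three denied copies) and per-user volumes for alice and bob only.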

  7. Why Worry about Hardcopy Security?
     • Isn’t it just good business practice? Do you want your competitors, either internal or external, “sniffing” your PowerPoint charts on the way to the printer? Do you want your confidential personnel output sitting in the output hopper of your printer while you’re stuck in a sudden 2-hour emergency meeting? Do you want your scanned financial statements sitting on a server as an easily readable .pdf file when the next security breach is found that gives “root” access to everyone?

  8. Hardcopy Security and the Law
     HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) requires health care organizations to protect the privacy and security of confidential health information and calls for standard formats for electronic transactions. These standardized national requirements apply to the electronic transmission of patient history and health records such as health insurance enrollment detail and claims. The need to maintain confidentiality and privacy of medical information and rules for medical document security, including standards related to data integrity and encryption, are also outlined in HIPAA.
     GLB: The Gramm-Leach-Bliley Act (GLB) contains a Safeguards Rule which requires financial institutions to have in place a comprehensive security program to ensure the security and confidentiality of customer information. This includes the identification of employee coordinators, the identification of foreseeable internal and external risks, the implementation of safeguards to address the risks, and the regular adjustment of the programs in light of developments that may materially affect the program.
     SARBANES-OXLEY: Sarbanes-Oxley contains provisions requiring certain levels of security for the financial records which are used to create the CEO-signed reports submitted annually. How these provisions relate to Hardcopy Device and System Security is being investigated.

  9. Who doesn’t need Hardcopy Security?
     • People on a deserted island without internet access and with their printers connected to their PCs with a parallel cable.
     • Your kids printing out their art projects at home.
     • Anyone else?

  10. Existing Standards for Hardcopy Security
     • No comprehensive standards specific to hardcopy device security currently exist.
     • Components of some existing standards could be applied to the hardcopy environment, for example:
       • Common Criteria’s “Residual information protection (FDP_RIP)” for the contents of an integrated hard disk.
       • Common Criteria’s “Cryptographic operation (FCS_COP)” for sending an encrypted print job.
       • Many others
     • Some information security policies deal lightly with hardcopy security, but then only from the perspective of information classification.
     • However, while these basic functions may be useful, they do not address the aggregation of functions for a printer or similar device, such as what ISO/IEC 17799 “Information technology – Code of practice for information security management” contains for computers and workstations in general.

  11. What is needed?
     • Standards for hardcopy security covering all aspects of printers and other multifunction hardcopy devices and their usage, including:
       • Applications
       • Operating system
       • Transmission of the print job or scan job
       • Copying
       • Job hold for user
       • Physical security (output bins, etc.)
       • Device management
       • User authentication
       • Etc.
     • Checklists, guidelines and best practices documents to assist IT organizations in planning and implementing a hardcopy security plan will follow the standard.
     • Assessment and certification standards to measure compliance with the above standards will also follow.

  12. P2600: Getting Started
     • Lexmark has taken the initiative now to put together an effort to develop the necessary standards to address hardcopy security.
     • A number of the leaders from the hardcopy industry recently met at a NIST workshop held in September and then at the CS BoG Meeting Series in Tampa. This group included Lexmark, HP, IBM, Canon and Xerox. Microsoft has expressed its intention to participate but has been unable to attend.
     • A PAR for this work has been submitted and will be reviewed and hopefully approved at next week’s Standards Board meeting.

  13. P2600: Hardcopy Device and System Security
     • Scope: This standard defines security requirements (including all aspects of security, including but not limited to authentication, authorization, privacy, integrity, device management, physical security and information security) for manufacturers, users and others on the selection, installation, configuration and usage of hardcopy devices and systems, including printers, copiers, and multifunction devices and the computer systems that support these devices. This standard identifies security exposures for these hardcopy devices and systems, instructs manufacturers and software developers on appropriate security capabilities to include in their devices and systems, and instructs users on appropriate ways to use these security capabilities.
     • Purpose: In today's Information Technology environment, significant time and effort are being spent on security for workstations and servers. However, today's hardcopy devices (printers, copiers, multifunction devices, etc.) are connected to the same local area networks and contain communications, processing and storage components just as subject to security problems as workstations and servers. At this time, there are no standards to guide manufacturers or users of hardcopy devices, or the computer systems that support them, in the secure installation, configuration or usage of these devices and systems.

  14. P2600: Expected Content of Standard
     • Description of the security environments (multiple levels), including threats and risks.
     • Description of the threats, risks and attack techniques, including both internal and external threat agents, with illustrative scenarios.
     • Description of the security objectives for each of the identified security environments.
     • Development of technical requirements based on the security objectives.
     • Development of multiple profiles using the Common Criteria and potentially other evaluation and measurement criteria and techniques.
     • Expect to include content useful to both the product and systems developers/manufacturers as well as end users.

  15. P2600: Next Steps
     • Upon approval of the PAR, a general call for participation will be made to the hardcopy industry through a number of industry trade groups.
     • The next meeting is expected to be the first week of February 2004 in California.

  16. P2600: Mailing List and Web Site
     • Web site: http://grouper.ieee.org/groups/2600
     • Mailing list:
       • Majordomo run by the IEEE
       • An archive is available via the web site
       • Subscribe via a note to majordomo@ieee.org containing the line: subscribe stds-2600
       • Only subscribers may send e-mail to the mailing list stds-2600@ieee.org

  17. Questions? Thanks for your attention!!
