NIST outlines guidance for security of copiers, scanners

The National Institute of Standards and Technology announced its internal report 8023: Risk Management for Replication Devices is now available.

The guidance covers protecting the information processed, stored or transmitted on replication devices (RDs), which are devices that copy, print or scan documents, images or objects. Because today's RDs have the characteristics of computing devices (storage, operating systems, CPUs and networking), they are vulnerable to a number of exploits, NIST said.

Among the threats to RDs are:

  • Default passwords that can be used to control the device.
  • Data that is transmitted or stored unencrypted, making it subject to unauthorized exposure and modification.
  • Service interruptions from user interfaces, power outages and internal mechanical or software operations.
  • Unauthorized use that wastes ink, paper and toner while denying service for legitimate users.
  • Alteration/corruption of passwords or configuration settings.
  • Outdated and/or unpatched operating systems and firmware.

In order to protect RDs and the networks they're attached to, NIST recommends IT managers limit or restrict access to RDs by either placing the devices in secured areas or requiring identification and authentication for use. IT managers should also make sure that event logging is enabled so they can troubleshoot problems and investigate suspicious activity. Likewise, monitoring and error-handling capabilities should be configured.

According to NIST, not all compromises are easy to detect. The warning signs that may indicate misuse or a compromise include:

  • Display malfunctions or shows incorrect information.
  • Consumables (ink, paper, or other supplies) run out faster than usual.
  • Increased number of failed or timed-out jobs, or the device completes processes more slowly than expected.
  • Unexplained/unauthorized changes in configuration settings.
  • Device uses more network time/bandwidth than usual.
  • Time stamps do not align or make logical sense.
  • Communications with unknown IP or email addresses increase.
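One way to turn several of these warning signs into automated checks over device logs, as an added example that is not from the NIST report or the article; the event format, the list of known hosts, the approved configuration snapshot and the usage baselines are all constructed assumptions:

```python
"""Evaluate constructed replication-device (copier/printer) event records
against the misuse indicators listed above. Added example, not from NIST
IR 8023; event format, host allow-list and baselines are constructed."""
from datetime import datetime

# Constructed baseline: peers the device legitimately talks to, and the
# configuration an administrator approved.
KNOWN_HOSTS = {"print-server.example.internal", "mail.example.internal"}
APPROVED_CONFIG = {"firmware": "2.4.1", "scan_to_email_relay": "mail.example.internal"}

# Constructed event records, as a device might export them via syslog.
SAMPLE_EVENTS = [
    {"ts": "2015-07-01T09:00:00", "kind": "connect", "dst": "print-server.example.internal"},
    {"ts": "2015-07-01T09:05:00", "kind": "job", "pages": 12, "status": "ok"},
    {"ts": "2015-07-01T09:06:00", "kind": "connect", "dst": "203.0.113.77"},
    {"ts": "2015-07-01T09:07:00", "kind": "config",
     "settings": {"scan_to_email_relay": "203.0.113.77"}},
    {"ts": "2015-07-01T08:59:00", "kind": "job", "pages": 500, "status": "ok"},
    {"ts": "2015-07-01T09:10:00", "kind": "job", "pages": 3, "status": "timeout"},
]

def check_events(events, known_hosts=KNOWN_HOSTS, approved=APPROVED_CONFIG,
                 page_baseline=200, failure_baseline=0):
    """Return a sorted list of indicator names that the events trigger."""
    hits = set()
    last_ts = None
    pages = failures = 0
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        # Time stamps that move backwards "do not align or make logical sense".
        if last_ts is not None and ts < last_ts:
            hits.add("timestamps_out_of_order")
        last_ts = ts if last_ts is None else max(last_ts, ts)
        if ev["kind"] == "connect" and ev["dst"] not in known_hosts:
            hits.add("unknown_peer")  # communication with an unknown address
        elif ev["kind"] == "config":
            # Any setting that differs from the approved snapshot is unexplained.
            if any(approved.get(k) != v for k, v in ev["settings"].items()):
                hits.add("unauthorized_config_change")
        elif ev["kind"] == "job":
            pages += ev["pages"]
            failures += int(ev["status"] in ("failed", "timeout"))
    if pages > page_baseline:
        hits.add("consumables_depleting_fast")  # paper/toner used faster than usual
    if failures > failure_baseline:
        hits.add("failed_or_timed_out_jobs")
    return sorted(hits)
```

Baselines such as `page_baseline` would in practice come from the device's own history rather than fixed constants; here they are constructed so the sample events trip every check except the one for a clean log.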

Just as with any networked device, outdated or unpatched software and firmware is a common vulnerability. IT managers should regularly review vendor security bulletins and install patches and upgrades as needed.

When RDs are no longer needed by an organization, they should be wiped or purged, and all nonvolatile storage media should be destroyed. Passwords and user PINs should be changed, and the device configurations should be reset to the factory default settings.

The NIST document also includes a security risk assessment template in table and flowchart format to help organizations determine the risk associated with replication devices.

About the Author

Connect with the GCN staff on Twitter @GCNtech.


Reader Comments

Mon, Jan 25, 2016 brain

These machines continued to be useful in the printing business right up until the computer publishing revolution of the eighties. They were used to create the screened images of photographs for printing.

Tue, Jul 28, 2015 Victoria Runda

In the digital age we really have to be careful. If sufficient security protocols and programs aren't in place, then we may be making it very easy for identity thieves to get access to our client's personal information. The cost of figuring these things out ourselves is far less than having to pay reparations to those who have been harmed by our negligence on this topic.
