IEEE P/D 26b, April

IEEE P™/D 26b
Draft Standard for Information Technology: Hardcopy System and Device Security

Prepared by the IEEE P2600 Standard Working Group of the Information Assurance Committee

Copyright © by the Institute of Electrical and Electronics Engineers, Inc.
Three Park Avenue
New York, New York 10016-5997, USA
All rights reserved.

This document is an unapproved draft of a proposed IEEE Standard. As such, this document is subject to change. USE AT YOUR OWN RISK! Because this is an unapproved draft, this document must not be utilized for any conformance/compliance purposes. Permission is hereby granted for IEEE Standards Committee participants to reproduce this document for purposes of IEEE standardization activities only. Prior to submitting this document to another standards development organization for standardization activities, permission must first be obtained from the Manager, Standards Licensing and Contracts, IEEE Standards Activities Department. Other entities seeking permission to reproduce this document, in whole or in part, must obtain permission from the Manager, Standards Licensing and Contracts, IEEE Standards Activities Department.

IEEE Standards Activities Department
Standards Licensing and Contracts
445 Hoes Lane, P.O. Box 1331
Piscataway, NJ 08855-1331, USA

Abstract: This standard defines security requirements (all aspects of security including but not limited to authentication, authorization, privacy, integrity, device management, physical security and information security) for manufacturers, users and others on the selection, installation, configuration and usage of hardcopy devices and systems including printers, copiers, and multifunction devices and the computer systems that support these devices. This standard identifies security exposures for these hardcopy devices and systems and instructs manufacturers and software developers on appropriate security capabilities to include in their devices and systems and instructs users on appropriate ways to use these security capabilities.

Keywords:

Introduction

(This introduction is not part of IEEE P/D 26b, Draft Standard for Information Technology: Hardcopy System and Device Security.)

Patents

Attention is called to the possibility that implementation of this Standard may require use of subject matter covered by patent rights. By publication of this Standard, no position is taken with respect to the existence or validity of any patent rights in connection therewith. The IEEE shall not be responsible for identifying patents or patent applications for which a license may be required to implement an IEEE standard or for conducting inquiries into the legal validity or scope of those patents that are brought to its attention.

Participants

At the time this draft Standard was completed, the IEEE P2600 Standard Working Group had the following membership:

Don Wright, Lexmark, Chair
Lee Farrell, Canon, Vice-chair
Brian Smithson, Ricoh, Secretary and Editor
Jerry Thrasher, Lexmark, Editor

Carmen Aubry, Océ
Ron Bergman, Ricoh
Nancy Chen, Okidata
Peter Cybuck, Sharp
Nick Del Re, Canon
David Freas, DAPS
Satoshi Fujitani, Ricoh
Tom Haapanen, Equitrac
Kazutaka Higo, Fuji-Xerox
Harry Lewis, IBM
Jean-Claude Longo, Océ
Daniel Manchala, Xerox
Takanori Masui, Fuji-Xerox
Ron Nevo, Sharp
Wanda Nuckolls, Canon
Yusuke Ohta, Ricoh
Stuart Rowley, Kyocera-Mita
Amir Shahindoost, Toshiba
Alan Sukert, Xerox
Yasuji Takeuchi, Konica-Minolta
Brian Volkoff, HP
Bill Wagner, individual
Craig Whittle, Sharp
Sameer Yami, Toshiba
Liang Zhao, Epson
The following members of the balloting committee voted on this standard. Balloters may have voted for approval, disapproval, or abstention.
(to be supplied by IEEE)
Contents

1. Overview	2
1.1 Scope	2
1.2 Purpose	2
1.3 Document structure	2
2. Normative references	4
3. Definitions, acronyms, and abbreviations	5
3.1 Definitions	5
3.2 Acronyms and abbreviations	11
4. Introduction to Hardcopy Devices	16
4.1 Scope	16
4.2 Generic architecture	16
4.3 Similarities and differences between HCDs and other IT devices	19
4.4 Determining the appropriate security strategy for an HCD	21
5. Operational Environments	23
5.1 Background	23
5.2 Operational Environment A	23
5.3 Operational Environment B	27
5.4 Operational Environment C	31
5.5 Operational Environment D	33
5.6 Choosing the most applicable operational environment	36
6. Hardcopy Device Assets	37
6.1 Overview	37
6.2 Asset Categories	37
6.3 Asset Values in the Operational Environments	38
7. Hardcopy Device Threats	39
7.1 Overview	39
7.2 Threat Summaries	39
7.3 Threat Vectors and Descriptions	41
7.4 Threat Risk Levels	63
7.5 Other Threat Cross-References	65
8. Threat Mitigation Techniques	69
8.1 Mitigating Threats to HCD Availability (Denial of Service)	69
8.2 Mitigating Threats to HCD Resources	78
8.3 Mitigating Threats to HCD User Document Data	82
8.4 Mitigating Threats to HCD Management Data	94
8.5 Mitigating Threats to HCD Software	102
8.6 Mitigating Threats to the HCD External Environment	104
9. Best Practices (informative)	107
9.1 Overview	107
9.2 Best Practices for HCD Architecture, Design, Deployment and Usage	107
9.3 Best Practices for Physical Security	116
9.4 Best Practices for Network Data Confidentiality, Integrity and Non-Repudiation	120
9.5 Best Practices for Configuration Management	121
9.6 Best Practices for Identification, Authentication, and Authorization	123
9.7 Best Practices for Data Security	132
9.8 Best Practices for Logging and Auditability	134
9.9 Best Practices for Availability of Service	136
10. Compliance Clause	137
10.1 Compliance Security Objectives for HCD Manufacturers	137
10.2 Compliance Security Objectives for IT Professionals	143
Annex A (informative) Threat Methodology	147
A.1 Threat risk in each operational environment	147
A.2 Adaptation of the STRIDE classification scheme for P2600	154
A.3 Adaptation of the DREAD classification scheme for P2600	154
Annex B (informative) Asset Valuation Methodology (placeholder)	156
Annex C (informative) Bibliography	157

Draft Standard for Information Technology: Hardcopy System and Device Security

1. Overview

1.1 Scope

This standard defines security requirements (all aspects of security including but not limited to authentication, authorization, privacy, integrity, device management, physical security and information security) for manufacturers, users and others on the selection, installation, configuration and usage of hardcopy devices and systems, including printers, copiers, and multifunction devices. This standard identifies security exposures for these hardcopy devices and systems and instructs manufacturers and software developers on appropriate security capabilities to include in their devices and systems and instructs users on appropriate ways to use these security capabilities.

1.2 Purpose

In today's Information Technology environment, significant time and effort are being spent on security for workstations and servers. However, today's hardcopy devices (printers, copiers, multifunction devices, etc.) are connected to the same local area networks, contain many of the same communications, processing and storage components, and are subject to many of the same security problems as workstations and servers. At this time, there are no standards to guide manufacturers or users of hardcopy devices in the secure installation, configuration, or usage of these devices and systems. The purpose of this document is to serve as such a standard, and its goals are:

a) To provide guidance in the secure architecture, design, and out-of-box configuration of hardcopy devices for manufacturers;
b) To provide guidance in the secure installation, configuration, and use of hardcopy devices for end users and their supporting organizations; and,

1.3 Document structure

General
Clause 1, Overview, provides the scope and purpose of the standard and an overview of the standard’s structure.

References and definitions
Clause 2, Normative references, and Clause 3, Definitions, acronyms and abbreviations, provide the normative references and definitions used in this standard.

Introduction to Hardcopy Devices
Clause 4, Introduction to Hardcopy Devices, describes the structure, architecture, and functions of a hardcopy device.

Operational environments
Clause 5, Operational Environments, describes the various security environments of hardcopy devices considered by this standard.

Hardcopy device assets
Clause 6, Hardcopy Device Assets, describes the various assets of a hardcopy device.

Hardcopy device threats
Clause 7, Hardcopy Device Threats, describes the threats against hardcopy devices that are considered by this standard.

Hardcopy device mitigation techniques
Clause 8, Threat Mitigation Techniques, describes the mitigation techniques used to address each threat described in Clause 7. Mitigation techniques are provided for manufacturers, IT administrators, and users.

Hardcopy device best practices
Clause 9, Best Practices (informative), describes the best practices for various general security measures for hardcopy devices. Best practices are provided for manufacturers, IT administrators, and users of HCDs.

Compliance Clause
Clause 10, Compliance Clause, indicates specific security objectives that are mandatory for compliance with this standard and provides example mitigation techniques to accomplish these objectives.

Other Informative Annexes
Annex A and Annex B discuss the methodologies used for hardcopy device threat and asset determination and classification.

Bibliography
Annex C provides additional references which may add to the understanding of other parts of this document.

2. Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments or corrigenda) applies.

ISO/IEC 15408:1999, Information technology -- Security techniques -- Evaluation criteria for IT security, available from http://www.iso.org
NIST Special Publication 800-70, Security Configuration Checklists Program for IT Products, available from http://csrc.nist.gov/checklists/download_sp800-70.html
Swiderski, F., and Snyder, W., Threat Modeling, Microsoft Press, 2004.

3. Definitions, acronyms, and abbreviations

3.1 Definitions

Terms used in this standard are defined as follows:

access: Interaction between an entity and an object that results in the flow or modification of data.
access control: Security service that controls the use of hardware and software resources and the disclosure and modification of stored or communicated data.
accountability: Property that allows activities in an IT system to be traced to the entity responsible for the activity.
actor: A role that a user plays with respect to a hardcopy device.
administrator: A user who has been specifically granted the authority to manage some portion or all of the HCD and whose actions may affect the security policy. Administrators may possess special privileges that provide capabilities to override portions of the security policy.
applet: A program designed to be executed from within another application. Unlike an application, applets cannot be executed directly from the operating system.
application: A major function that an HCD performs, e.g., copying, printing, scanning, and facsimile.
asset: An entity upon which the owner, user, or manager of the device places value.
assurance: A measure of confidence that the security features of an Information Technology system are sufficient to enforce its security policy.
attack: An intentional act attempting to violate the security policy of an Information Technology system.
atomicity: The property of a process having multiple steps where either all the steps complete or, if not, any completed steps are undone.
auditor: A user who reviews and maintains the audit trail recorded by the HCD.
authentication: Security measure that verifies a claimed identity.
authentication data: Information used to verify a claimed identity.
authorization: Permission, granted by an entity authorized to do so, to perform functions and access data.
authorized administrator: A user who has been specifically granted permission by an entity authorized to do so to manage some portion or all of the HCD and whose actions may affect the security policy.
authorized user: An authenticated user who may, in accordance with the HCD’s security policy, perform an operation.
availability: (A) A condition in which authorized users have access to information, functionality and associated assets when requested. (B) Timely (according to a defined metric), reliable access to IT resources.
back-channel: Typically a low-speed or less-than-optimal transmission channel flowing opposite to the forward-channel's direction. In many cases, the back-channel is used mostly for acknowledgements of the validity of the forward-channel's data (i.e., that the forward-channel's data passes validity tests of some sort). Contrast: forward-channel.
black list: A list of specific user credential values (e.g., login ID, E-mail addresses, phone numbers, URLs) that are explicitly prohibited from accessing all or specified functions of a hardcopy device. Contrast: white list.
Bluetooth: A short-range radio technology used to provide personal area networking capabilities.
compromise: Violation of a security policy.
confidentiality: (A) A condition in which information is accessible only to those authorized to have access. (B) A security policy pertaining to disclosure of data.
copy control device: An entity external to the HCD, comprising hardware or software, that enables and tracks copying.
copy control interface: An interface for connecting a copy control device to a hardcopy device.
credential: A form of authentication data that specifies basic identifying information about a user or application. Credentials may be bound in some way to the individual to whom they were issued, or they may be bearer credentials. The former are necessary for identification, while the latter may be acceptable for some forms of authorization.
customer engineer: A person authorized to maintain an HCD at a customer site.
data interface: Any interface that transports print or scan data into or out of the HCD.
demilitarized zone (DMZ): A computer or small subnetwork that sits between a trusted internal network, such as a corporate private local area network, and an untrusted external network, such as the public internet.
defense in depth: A security design strategy whereby layers of protection are utilized to establish an adequate security posture for an IT system.
denial of service (DoS): The prevention of authorized access to a system resource or the delaying of system operations and functions.
device administrator: A user who controls administrative operations of the HCD other than its network configuration (e.g., management of users and resources of the HCD).
device interface: An electrical interface for connecting a device to control access to local operation of the HCD. Depending on the device and its purpose, access may be granted as a result of identifying the user or as a result of a payment. See also: copy control interface.
dictionary attack: An attack that tries all of the phrases or words in a dictionary, trying to crack a password or key. A dictionary attack uses a predefined list of words, compared to a brute force attack that tries all possible combinations.
document: Data processed by the hardcopy device, including but not limited to: original paper to be copied, electronic files to be printed, image data sent by scanning or with facsimile, and printed paper output.
entity: A subject, object, user or another IT device, which interacts with HCD objects, data, or resources.
external device interface: See: device interface.
firewall: A gateway that limits access between networks in accordance with local security policy.
firmware: Persistent computer instructions and data embedded in the HCD that control the inherent operation of that device. Firmware is only replaced during a specialized update process.
forward-channel: Communications channel used for the delivery of document data. Contrast: back-channel.
hardcopy device (HCD): A system producing or utilizing a physical embodiment of an electronic document or image. These systems include laser, ink jet, and thermal transfer printers, scanners, fax machines, digital copiers, MFPs (multifunction peripherals), MFDs (multifunction devices), “all-in-ones” and other similar products. See also: multifunction device.
HCD Availability: The asset described as the ability to use the functions and services of the hardcopy device. This is generally the asset that is the target of denial of service attacks.
homePNA: A home networking specification developed by the Home Phoneline Networking Alliance. This technology, built on Ethernet, allows all the components of a home network to interact over the home's existing telephone wiring without disturbing the existing voice or fax services.
identity: A representation (e.g., a string) uniquely identifying an authorized user, which can either be the full or abbreviated name of that user or a pseudonym.
information assurance: Information operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.
information technology (IT): The hardware, firmware and software used as part of a system to collect, create, communicate, compute, disseminate, process, store or control data or information.
integrity: (A) A condition in which data has not been changed or destroyed in an unauthorized way. (B) A security policy pertaining to the corruption of data and security function mechanisms.
local interface: An electrical, optical, or electromagnetic interface intended for use in close physical proximity (typically no more than 10 meters) to the HCD. Examples include USB [B1], FireWire (IEEE Std 1394-1995 [B8]), IrDA, parallel port (IEEE Std 1284-2000 [B7]), serial port, memory card, diskette, and Bluetooth (IEEE Std 802.15.1-2005 [B6]).
maintenance port: An electrical interface used for machine maintenance, service troubleshooting, or firmware updates.
management data: Data that controls the configuration of and access to the device, including: user and administrator authentication data (e.g., passwords); device management data such as audit data, log data, and paper configuration; and network management data such as IP addresses.
man-in-the-middle attack: An active attack whereby a third party attempts to surreptitiously intercept, read or alter information moving between two computing devices or users.
media: Objects on which data are or can be imaged. These include paper, transparencies, t-shirt transfers, etc.
multifunction device: A hardcopy device that fulfills multiple purposes by using multiple functions in different combinations to replace several single-function devices.
network administrator: A user who manages the network configuration of the HCD.
network interface: An interface used to connect the HCD to a network. Examples include IEEE Stds 802.3 [B2], 802.5 [B4], and 802.11 [B5] interfaces.
non-repudiation: (A) The prevention of false denial of involvement in sending or receiving information. (B) A security policy pertaining to providing one or more of the following: to the sender of data, proof of delivery to the intended recipient; to the recipient of data, proof of the identity of the user who sent the data.
non-volatile storage: Computer storage that is not cleared when the power is turned off.
operator panel: A local human interface used to operate the HCD. It typically consists of a keypad, keyboard, or other controls, and a display device.
operational environment: The total environment in which an HCD operates. It includes the physical facility and any physical, procedural, administrative and personnel controls.
page description language (PDL): A data format for describing a page of information, including commands for positioning text, lines, images and graphics on a page.
password cracking: The process of attempting to ascertain secret passwords, often through algorithmic, dictionary or automated procedures.
Protection Profile (PP): An implementation-independent statement of security needs for a product type.
(hardcopy device) resources: Components that comprise the HCD (e.g., electronic, electrical, and mechanical items); resident digital components (e.g., fonts); and consumable supplies for the HCD (e.g., paper, toner).
risk assessment: Assessment of threats to, impacts on and vulnerabilities of information and information processing facilities and equipment, including consideration of the likelihood of occurrence.
robustness: A characterization of the strength of a security function, mechanism, service or solution, and the assurance (or confidence) that it is implemented and functioning correctly. DoD has three levels of robustness:
    Basic: Security services and mechanisms that equate to good commercial practices.
    Medium: Security services and mechanisms that provide for layering of additional safeguards above good commercial practices.
    High: Security services and mechanisms that provide the most stringent protection and rigorous security countermeasures.
security objective: A statement of intent to counter identified threats or satisfy identified organization security policies or assumptions.
security policy: A set of documented rules and practices that specify or regulate how a system or organization will protect its sensitive and critical system resources.
sniffing: Network wiretapping; passively monitoring and recording data that is flowing between two or more points in a communication system.
social engineering: Non-technical or low-technology means, such as lies, impersonation, tricks, bribes, blackmail, and threats, used to attack information systems.
spam: Unsolicited and unwanted electronic mail, instant messages or other electronic communications.
stored data: Fonts, forms and document data.
telephone line: An electrical interface used to connect the HCD to the public switched telephone network for transmitting and receiving facsimiles.
temporary data: The image data that is temporarily buffered in memory before the HCD performs application operations.
threat: Capabilities, intentions and attack methods of adversaries, or any circumstance or event, with the potential to violate the HCD’s security policy.
threat agent: Any human user or Information Technology (IT) product or system which may attempt to violate the HCD’s security policy and perform an unauthorized operation with the HCD.
unauthorized user: A user who is not permitted to access or use an HCD for a defined purpose.
user: An entity (human user or external IT entity) outside the hardcopy device that interacts with the HCD.
user document data: The asset that consists of the information contained in a user’s document. This includes the original document itself in either hardcopy or electronic form, image data, or residually-stored data created by the hardcopy device while processing an original document, and printed hardcopy output.
user function data: The asset that consists of the information about users that the HCD applications use, excluding authentication data (e.g., passwords), but including user identifiers for access control, destination lists for scanning and address books for facsimile delivery.
volatile storage: Computer storage that is cleared when the power is turned off.
vulnerability: A weakness that can be exploited to violate the HCD’s security policy.
white list: A list of specific user credential values (e.g., login ID, E-mail addresses, phone numbers, URLs) that are explicitly allowed access to all or specified functions of a hardcopy device. Contrast: black list.
wireless fidelity (Wi-Fi®): A term used generically when referring to an IEEE Std 802.11 network.

3.2 Acronyms and abbreviations

Abbreviations and acronyms used in this document are defined as follows:
3DES	“Triple DES” data encryption standard used three times
ACL	access control list
ADPU	Active directory password utility
AES	advanced encryption standard
ANSI	American National Standards Institute
APOP	authenticated post office protocol
ASIS	American Society for Industrial Security
ATM	automated teller machine
CBEFF	common biometric exchange file format
CBC	cipher block chaining
CEN	European Committee for Standardization
CENELEC	European Committee for Electrotechnical Standardization
CF	compact flash
CIFS	common internet file system
CM	configuration management
COTS	commercial, off the shelf
CPU	central processing unit
CRC	cyclic redundancy check
C-SET	card secured electronic transactions
CSMA/CD	carrier sense multiple access / collision detection
CSN	card serial number (for compact flash)
DES	data encryption standard
DHS	U.S. Department of Homeland Security
DMZ	demilitarized zone
DoD	U.S. Department of Defense
DOE	U.S. Department of Energy
DoS	denial of service
DRAM	dynamic random access memory
DSA	directory service agent
DSL	digital subscriber loop
DSS	digital signature standard
EEPROM	electrically erasable programmable read-only memory
EIA	Electronic Industries Association
EM	electromagnetic
EMI	electromagnetic interference
EMSEC	emission security
EMV	Europay-Mastercard-Visa
EN	ISO language code for English, all dialects
EPROM	erasable programmable read-only memory
ESMTP	extended simple mail transfer protocol
ESP	encapsulating security payload
ETSI	European Telecommunications Standards Institute
EU	European Union
fax	facsimile
FIPS	Federal Information Processing Standards
FISMA	Federal Information Security Management Act of 2002 [B34]
FX	foreign exchange
GSM	global system for mobile communications
GOST	GOsudarstvennyi STandard (Russian for “Government Standard”)
HCD	hardcopy device
HDD	hard disk drive
HIPAA	Health Insurance Portability and Accountability Act
HMAC	keyed-hash message authentication code
HMG	her/his majesty’s government
HPNA	Home Phoneline Networking Alliance
HTTPS	hypertext transfer protocol (secure)
IBIA	International Biometric Industry Association
ICC	integrated circuit card
ICMP	Internet control message protocol
ID	identification
IEC	International Electrotechnical Committee
IFD	interface device
IKE	internet key exchange
INCITS	InterNational Committee for Information Technology Standards (US TAG to JTC1)
I/O	input/output
IP	Internet protocol version 4
IPP	internet printing protocol
IPSEC	IP security
IPv6	Internet protocol version 6
IrDA	Infrared Data Association
ISAKMP	Internet security association and key management protocol
ISO	International Organization for Standardization
IT	information technology
ITL	information technology laboratory
Kb/s	kilobits per second
KDC	key distribution center
LAN	local area network
LCD	liquid crystal display
LDAPS	lightweight directory access protocol (secure)
MAC	media access control
MD5	message-digest algorithm 5
METI	Japanese Ministry of Economy, Trade and Industry
MFD	multifunctional device
MFM	modified frequency modulation
MFP	multifunctional product / peripheral / printer
MIC	message integrity code
MICR	magnetic ink character recognition
NATO	North Atlantic Treaty Organization
NAVSO	Navy Staff Office
NIST	National Institute of Standards and Technology
NRC	Nuclear Regulatory Commission
OCR	optical character recognition
OCTAVE	Operationally Critical Threat, Asset, and Vulnerability Evaluation
OS	operating system
OTS	off-the-shelf
PC	personal computer
PC/SC	proximity card/smart card
PDA	personal digital assistant
PDL	page description language
PHIPA	Personal Health Information Protection Act
PIN	personal identification number
PNA	Phoneline Networking Alliance
PSTN	public switched telephone network
RADIUS	remote authentication dial in user service
RAM	random access memory
RFC	request for comment
RIP	raster image processor
RLL	run length limited
ROM	read-only memory
SANS	sysadmin, audit, network, security
SCADA	supervisory control and data acquisition
SCQL	structured card query language
SCSI	small computer system interface
SEIS	secure electronic information in society
SET	secure electronic transactions
SHA	secure hash algorithm
SIM	subscriber identity module
S/MIME	secure/multipurpose Internet mail extensions
SMTP	simple mail transport protocol
SNMP	simple network management protocol
SOHO	small office / home office
SRAM	static random access memory
SSH	secure shell
SSL	secure sockets layer
STANAG	standardization agreement
TACACS	terminal access controller access control system
TCP	transmission control protocol
TE	terminal equipment
TEMPEST	Transient Electromagnetic Pulse Emanation Standard
TLS	transport layer security
TWIC	transportation worker identification credential
UDP	user datagram protocol
USB	universal serial bus
USENIX	Advanced Computing Systems Association
USM	user-based security model
VLAN	virtual local area network
VSITR	Verschlusssachen-IT-Richtlinien
WAN	wide area network
WEP	wired equivalent privacy
Wi-Fi®	wireless fidelity
WPA	Wi-Fi® protected access
WPA2	Wi-Fi® protected access 2 (an enhanced version of WPA)