In an effort to make it easier to add network devices, many vendors’ network-enabled systems are routinely shipped to the customer with all ports set to “open” — but unused open ports on multifunction printers pose a security risk. Compromised ports can lead to various outside threats — including the destruction or falsification of stored data, Denial of Service (DoS) attacks and viruses or malware entering the network. Ricoh device administrators can easily disable unneeded network ports or protocols — helping make devices virtually “invisible” to hacking.
Accesses using TCP/IP can be controlled by designating a range of IP addresses from which accesses is allowed.
A multifunction printer with a fax feature is connected to the outside via a telephone line and it is necessary to block unauthorized access. Ricoh software is designed to only process appropriate types of data and send that data to appropriate functions in the device. Therefore, only fax data is received from the fax line and it is communicated only to the processes needed for fax operation. This mechanism prevents unauthorized access from the fax line to the network or to the programs inside the device.
Ricoh multifunction printers can use IPsec for encrypted communications. IPsec enables communications in units of secure packets at the IP protocol level. Even if no encryption is used by a high-order protocol or application, IPsec enhances security by preventing the communication content from being tapped into or altered.
Ricoh multifunction printers can use SSL/TLS fo7r encrypted communications. SSL/TLS prevents data from being tapped into, analyzed, or altered during communications. For instance, a customer using e-mail services and cloud services over the Internet may want to encrypt communications using the scan-to-e-mail function. This method greatly reduces the risk of information leaks or alterations when an external SMTP server is used. When using the "RICOH Smart Device Connector", communication between the smartphone application and the multifunction device is encrypted by SSL/TLS as well.
SNMP (Simple Network Management Protocol) is a protocol for collecting information on network devices so that they can be monitored and controlled. The information includes, for example, the total number of copies a device has printed and the errors it has encountered. SNMP is also used to operate the devices, such as monitoring the operating status of its services. These functions are based on information obtained from a management information base (MIB), which describes the configuration of the network devices. SNMPv3 incorporates user authentication and data encryption functions which protect user data and network device information.
To reduce the risk of information leaks, e-mail messages can be sent using public key cryptography and a certificate of user verification that has been registered in the address book of a multifunction printer. Spoofing and message alteration can be prevented by attaching an electronic signature using a secret key based on a device certificate in the the multifunction copier.
※Authentication card system is optional.
WPA2 is an encryption system for wireless networks. WPA2 provides greater security than WEP, a conventional encryption system. In addition to the SSID and security key used in WEP, WPA2 features a user authentication function and an encryption protocol.
Ricoh multifunction printers utilize 802.1x protocols, which provides an authentication mechanism when attaching to a LAN or WLAN. This helps safeguard against unauthorized access to resources located on the protected side of the network.
Authentication features enable authorized users to access a Ricoh multifunction printer, while preventing access for those without proper credentials. Ricoh also gives you the ability to control the level of capabilities granted to each user or group of users. This may include restricting the ability to change machine settings and view address book entries or granting access to particular scanning workflows, document servers and other functions. In addition, the User Lockout function — which triggers if it detects a high frequency of successful or failed login attempts — helps guard against a denial of service attack or brute force password crack.
Instead of entering a user name and password, a user can simply hold an authentication card over the card reader to login to the device. The Common Access Card (CAC) is a U.S. Department of Defense specialized ID card-based authentication system, designed for government users that must be compliant with Homeland Security Presidential Directive 12 (HSPD-12).
※Authentication card system is optional.
Logs stored in the multiufnction copier provide a variety of information such as how the functions have been used, what errors have occurred, how the device has been accessed, and who have accessed the device. These logs impose a disincentive to people intending to leak information, and allow tracking in the unlikely event of an unauthorized access.
With a user management tool, the system administrator can restrict the access privileges of users. For instance, the administrator can set up the privileges to allow only selected users to access the address book registered in the multifunction printer. This blocks unauthorized access to important information, such as the personal information recorded in the address book.
The User Lockout function triggers if it detects a high frequency of successful or failed login attempts. This helps guard against a denial of service attack or brute force password crack.
Even if the hard drive is physically removed from a Ricoh multifunction printer, the encrypted data cannot be read. The hard drive encryption function can help protect a multifunction printer’s hard drive against data theft while helping organizations comply with corporate security policies. Encryption includes data stored in a system’s address book — reducing the danger of an organization’s employees, customers or vendors having their information misappropriated and potentially targeted.
The following types of data — which are stored in the non-volatile memory or hard disk drive of multifunction printers — can be encrypted:
When a document is scanned or when data is received from a PC, some data may be stored temporarily on the hard disk drive or memory device. This can include scan/print/copy image data, user entered data and device configuration. This temporary — or “latent” — data represents a potential security vulnerability. The RICOH DataOverwriteSecurity System (DOSS) closes this vulnerability, destroying temporary data stored on the MFP’s hard drive by overwriting it with random sequences of “1’s” and “0’s.” Temporary data is actively overwritten and thereby erased each time a job is executed.
To increase security against unauthorized use, PDF files can be protected by encryption and password. A protected PDF file can be opened only by a person who knows the password. A password can also be set for changing the privileges, thus restricting the printing, modification, copying, and extraction of the content.
Printed documents sitting on the paper tray or left out in the open can be picked up by anyone. This puts the document’s information at risk, and the potential impact grows dramatically when printing confidential documents. Ricoh locked print capabilities can hold encrypted documents on the device’s hard drive until the document’s owner arrives and enters the correct PIN code. In addition to this driver-based locked print function, Ricoh also offers enhanced locked print — which is tied to user accounts and can be coupled with card authentication. For even more capability, software such as RICOH Streamline NX can provide full-featured secure document release — giving users options over their secure print queue while letting administrators maintain control.
Ricoh offers functions to thwart unauthorized copying of hardcopy documents — helping prevent possible information leaks. The copy guard function prints and copies documents with special invisible patterns embedded across the background. If the printed or copied document is photocopied again, the embedded patterns will become visible on the copies.
The unauthorized copy control function protects against unauthorized copying in two ways. Masked Type for Copying embeds a masking pattern and message within the original printout. If unauthorized copies are made, the embedded message appears on the copy. This might include the document author’s name or a warning message. Data Security for Copying helps safeguard the information itself. When the Ricoh device detects the masking pattern, the printed data is obscured by a gray box that covers all but a 4mm margin of the masking pattern.
Before sending a fax, the destination fax number and the number of pages can be easily viewed. This screen minimizes the risk of dialing the wrong number. The device can be set up so that this screen is always displayed before transmission.
People can easily make mistakes when entering a fax number directly on the keypad. Our customer engineers can set up the device so that the number needs to be entered twice or more for confirmation. If different numbers are entered, the transmission will not commence. This feature minimizes the risk of sending information to a wrong destination.
※Ricoh's multifunction printers comply with FASEC 1, a security guideline for facsimile
If a MFP or printer’s built-in software — also known as firmware — is altered or compromised, that device can then be used as a method of intrusion into the corporate network, as a means to damage the device or as a platform for other malicious purposes. Ricoh-designed devices are built using a Ricoh-only Trusted Platform Module (TPM) and are designed to not boot up if the firmware has been compromised. Ricoh’s TPM is a hardware security module that validates the controller core programs, Operating System, BIOS, boot loader and application firmware.
Ricoh MFPs and printers use a digital signature to judge firmware validity. The public key used for this verification is stored in an overwriteprotected, non-volatile region of the Ricoh Trusted Platform Module (TPM). A root encryption key and cryptographic functions are also contained within the TPM and cannot be altered from the outside. Ricoh uses a Trusted Boot procedure that employs two methods to verify the validity of programs/firmware:
1. Detection of alterations
2. Validation of digital signatures
A Ricoh device will not boot up unless its programs/firmware are verified to be authentic and safe for users.