Big I, little t Blog


August 30, 2006

Virtual Water Cooler

Hello, again – one of the reasons this blog is worth doing is that it can serve as a kind of virtual water cooler – generating all kinds of interesting comments and conversations.

So we’re going to jump-start the dialogue and try something new at Xerox’s annual Industry Analyst Briefing, September 6-8 in NYC. This is an event where industry gurus from leading research firms get together for an update on our strategy and progress to date. It’s always a valuable event, and a little humbling. The Xerox folks normally come armed with massive PowerPoint decks. And the analysts are ready with their toughest questions.

It occurred to me that some of the most interesting, honest discussions and exchanges happen during the coffee breaks and in the hallways between the formal sessions. So I thought it would be worth bringing some of these conversations onto this blog. And because we never have time for all the questions during the briefing, we can use this space to cover more ground. We’re inviting the industry analyst community who will be in attendance -- as well as followers of this blog -- to post questions and thoughts prior to the event, and live in a special forum during our presentations.

My colleague Tom Dolan and I will address as many of the postings as possible during the live Web cast on Thursday the 7th at 9 a.m. EDT and will then follow up with postings for all to read. I hope this will give an opportunity for everyone to participate in this event – as well as to start a compelling dialogue here.

Using this blog in this way will be another first for us. But listening to the industry and reacting to changes in real time is nothing new. So grab a virtual paper cup and gather around. Share your thoughts and questions related to our business, the industry, and anything else that’s on your mind. With any luck it will be an interesting chat.

Jim Firestone, President, Xerox North America

August 04, 2006

Black Hat

I just returned on the red eye from the Black Hat conference in Las Vegas where researchers demonstrated security vulnerabilities in a variety of technologies from a variety of vendors. Being from Xerox, I was more interested than anybody to hear what Brendan O’Connor had to say about Xerox multifunction products. He did a great job of pointing out that MFPs, like all network peripherals, carry built-in risks. We’ve been trying to get this message out for a while. We’ll take all the help we can get. In the case of the specific exploit code that Brendan shared as part of the conference proceedings CD, the patch that we have put out there fixes that problem. We’ll keep working it with Brendan, our security experts and others. If there’s more to be done, we’ll do it asap.

Arman Rahgozar
Xerox Office Group

Compliance

Since the inception of Sarbanes-Oxley, and even earlier as driven by HIPAA, protection of information assets has come into the forefront of IT concerns. The nightmare scenario is having key intellectual property leave the organization without detection until it is too late. Maybe it’s a key manufacturing process, or an integrated circuit design, or a proprietary search algorithm, or even a soft drink’s secret formula.

IT is increasingly taking the lead in making sure that the necessary controls are in place to protect both personally identifiable information and core intellectual property assets. The emphasis has been on the desktop and the network boundary, and increasingly, as workers become more mobile, on portable devices and the virtually unlimited storage capacity in them.

However, only recently have the most proactive organizations begun to consider office equipment in their overall compliance plan. Am I talking about the copier, you ask? Well, the truth is that what looks like just an innocuous office copier is today a sophisticated device with a powerful computer embedded in it. From the network point of view, the “copier”, or as we prefer to call it, the multifunction printer, is just another network node. MFPs copy, of course, but they also print, fax, scan and email. The devices exist to increase productivity and reduce cost. However, they need to be managed and controlled in a way commensurate with their power and sophistication.

Putting one of these devices on your network does not immediately open you up to attack. But as with any information technology, there need to be defined policies for deployment and usage. Who is allowed to use the device, under what circumstances, and how can that usage be monitored to enforce compliance? This means that devices need to have robust access controls, including strong authentication and authorization mechanisms, preferably integrated with the network domain. It means devices should have the ability to control usage so that only properly authorized individuals can use the advanced features. And there have to be tracking mechanisms in place, like an internal audit log, so that there is a reliable record of who did what and when. Just imagine the damage if someone were to send an inappropriate email from one of these devices without having been required to log in and authenticate, or without the ability in the device to track who was sending the email and to whom.
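The paragraph above asks for three things from an MFP: authentication, per-feature authorization, and an audit log that records who did what and when. The following added example (not Xerox code, and not tied to any real device’s export format) shows what a compliance reviewer can do with such a log once it exists: it reads a small constructed audit export, applies an assumed feature-authorization policy, and flags scan-to-email or fax events that ran without an authenticated user, used a feature the user was not authorized for, or sent scans to an external domain. The log layout, the user names, the policy table and the domain are all constructed for the illustration.

```python
"""
Added example: reviewing a constructed MFP audit log against a usage policy.
The CSV layout (timestamp, event, user, destination), the users, the policy
and the domain are assumptions made for this illustration, not a real format.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample export. An empty user field means the device did not
# require a login for that job; "guest" is the device's walk-up account.
SAMPLE_LOG = """\
2006-08-04T09:12:03Z,PRINT,jdoe,-
2006-08-04T09:15:41Z,SCAN_TO_EMAIL,jdoe,partner@example.org
2006-08-04T09:20:10Z,SCAN_TO_EMAIL,,outside@example.net
2006-08-04T09:22:55Z,FAX_SEND,guest,+15555550100
2006-08-04T09:30:00Z,COPY,asmith,-
2006-08-04T09:31:12Z,SCAN_TO_EMAIL,asmith,asmith@example.com
"""

# Assumed policy: which "advanced" features exist, who may use which, and
# which account names count as unauthenticated use.
ADVANCED_FEATURES = {"SCAN_TO_EMAIL", "FAX_SEND"}
AUTHORIZED = {
    "jdoe": {"SCAN_TO_EMAIL", "FAX_SEND"},
    "asmith": {"SCAN_TO_EMAIL"},
}
UNAUTHENTICATED = {"", "anonymous", "guest"}
INTERNAL_DOMAIN = "example.com"


@dataclass(frozen=True)
class Finding:
    timestamp: str
    event: str
    user: str
    destination: str
    reason: str


def parse_log(text):
    """Parse the constructed CSV export into (timestamp, event, user, dest) tuples."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != 4:
            continue  # skip malformed lines instead of guessing at fields
        rows.append(tuple(field.strip() for field in rec))
    return rows


def review(text):
    """Return the audit-log events that violate the assumed usage policy."""
    findings = []
    for ts, event, user, dest in parse_log(text):
        if event not in ADVANCED_FEATURES:
            continue  # plain copy/print jobs are not in scope for this policy
        if user in UNAUTHENTICATED:
            # The scenario the post warns about: an advanced feature used
            # with no authenticated identity behind it.
            findings.append(Finding(ts, event, user or "<none>", dest,
                                    "no authenticated user"))
            continue
        if event not in AUTHORIZED.get(user, set()):
            findings.append(Finding(ts, event, user, dest,
                                    "feature not authorized for user"))
        if event == "SCAN_TO_EMAIL" and not dest.endswith("@" + INTERNAL_DOMAIN):
            # Authorized use, but worth a reviewer's attention: the scan left
            # the organization's mail domain.
            findings.append(Finding(ts, event, user, dest,
                                    "email sent to external domain"))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f.timestamp} {f.event:14} user={f.user:8} -> {f.destination}: {f.reason}")
```

Run against the sample, the review reports three events: the unauthenticated scan-to-email, the walk-up fax, and an authorized user’s scan to an external address. The first two are the gaps the post describes (no login required, nothing to tie the job to a person); the third is only reviewable at all because the device recorded both the sender and the recipient.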

One thing customers should be factoring into their purchasing decisions is whether the machine is Common Criteria (ISO 15408) certified. The Common Criteria is an international standard for evaluating information technology products. The value of the standard is that it is internationally recognized and therefore provides a basis for comparing the security robustness of various products. Most MFP manufacturers have obtained a certification for components of their MFD system. Xerox is the only manufacturer to obtain certification for the entire device. One of the unique things about MFPs is the inclusion of page description language interpreters that allow them to print documents. Of particular concern is PostScript, which can be manipulated to access proprietary areas of the internal disk outside of the intended operation, and then either to reprint that information when commanded by the attacker or even to send it back to the attacker over the network. It’s very important that the internal design of the MFP has the proper controls on PostScript so that it performs its intended function without the possibility of compromise. Many vendors ignore PostScript when they submit their devices for certification. They also tend to ignore the internal web server, which is another very popular avenue for attack. And finally, they ignore the fax interface and whether it presents any ability to dial into the device and gain access to the network. The situation is exactly analogous to checking that the front door of your home is locked while ignoring all the other doors and windows. It doesn’t matter how many deadbolts you’ve got on the front door if the back door is wide open.

Finally, customers should be looking at the vendor as a whole. The vendor should have the necessary global coverage to support large multinational entities, and the quality of design that provides confidence that security controls are being implemented in products across the board. Then the customer can have confidence not only that the behavior of the devices is standardized across the fleet, but also that the vendor has the necessary support infrastructure to assist the customer in the protection and control of their important company information.

Larry Kovnat
Product Security Manager
Xerox Office Group
http://www.xerox.com/security

For more information: IT Security Webcast

Site hosted by Xerox Corporation.