In terms of security risks, printers are often given a relatively low priority. In the corporate world, they tend to reside in an office, inside the firewall, and they are only used to print documents. Unfortunately, these assumptions are inaccurate. Printers connect directly to the internet, they can send data such as faxes, hard copies can be picked up and read by anyone at the printer, and they offer hackers a backdoor into the corporate network.
Sharing a relatively expensive printer connected via a local area network (LAN) was one of the drivers that propelled PC connectivity within businesses. Mike Lloyd, chief technology officer of RedSeal, says this east-west traffic inside local area networks is the bane of security professionals.
“It makes the network harder to manage as it sprawls outwards, often in the uncontrolled IT equivalent of a shantytown. This, in turn, created the ecosystem in which security threats evolved, moving from viruses spread by floppy disks to those that spread directly over the network, and their descendants we see to this day, such as ransomware spreaders that can take over oil pipelines,” he says.
While corporate IT has evolved to provide LAN-based business applications, Lloyd says the move to mobile devices and cloud computing has seen that tide flow out again. “The current wave of internet of things [IoT] is the latest shift that security professionals need to track, and the humble printer still stands as a barrier that has to be overcome,” he warns.
Don’t overlook printer security
As Paddy Francis, chief technology officer (CTO) at Airbus CyberSecurity, points out, printers often sit disregarded in the corner of the office. But a printer is a computing device, with storage and a network connection like any other endpoint. Furthermore, multifunction devices (MFDs) – which have replaced fax machines – also have a modem connected to the phone system to support fax capabilities.
This means they need to be protected as much as any user terminal, server or network-connected device. “There have been many examples of printers being exploited in cyber attacks over the internet,” warns Francis.
Given that office printers are shared and tend to be centrally located, away from desks, Francis points out that there are also physical risks. These include sensitive printouts being left unattended on the printer or the potential for other users’ print jobs stored on the device to be reprinted. There is also the risk that a printer maintenance engineer could inject malware into the printer or change a hard disk, taking away the old one with recoverable print jobs from the previous weeks or months. He says printers should be addressed in any security strategy.
The use of pull printing – where a print job is held on a server or workstation until it is released by the user at the printer – can bring security benefits as well as convenience if implemented well, says Francis. By requiring users to authenticate each print job reduces the risk of printouts that contain sensitive personal or business information being left on the printer or taken by someone else.
“Using a print server rather than printing directly from a user host to the printer also means the printer and hosts can be placed on separate subnets as part of a zoning strategy, making it more difficult for an attacker with a foothold on a printer to move to a user host without being detected, and vice versa,” he says.
Francis recommends that internet connectivity to the printer should be blocked, except where necessary for software updates, to prevent internet-based malware being injected into the printer by an external attacker. “For smaller organisations, this may seem like a lot of additional hardware, but such zoning can often be achieved using VLANs [virtual LANs] and a containerised print server on an existing platform,” he says.
Put use policies in place
The Covid-19 pandemic has led to most office-based workers working remotely, usually from home.
In a recent Computer Weekly Think Tank article, Isaca members Kimberley Ann Brannock, a senior security adviser at HP, and Michael Howard, HP’s chief security adviser, described the need to support long-term remote working and the implications on printer security.
They recommend IT departments set up business use policies for devices – including printers. At a high level, they recommend that all devices should be centrally procured and accounted for. IT departments should collate information such as details of the business purpose for any device being purchased, who has access to that device and what work will run on it.
From a security perspective, they say it is important to ascertain what kind of data is being transmitted and processed on the devices: “We have to know what is in our environments and what is occurring in our environments to be able to adequately manage them.”
The pair recommend that after vetting and procuring the hardware, IT departments need to ensure the devices are included in the overall cyber security framework and that cyber security best practices and standards are applied.
Brannock and Howard urge IT departments to apply IT asset management (ITAM) procedures and ensure printers are recorded in the organisation’s configuration management database (CMDB) or similar system of record. In their article, the pair urge IT departments to ensure ownership is noted, including location and purpose. From an IT management perspective, this means identifying every device in an organisation’s IT environment.
Apply cyber security best practices and standards
Since a printer may have 250-plus security settings, Brannock and Howard recommend that IT departments make sure devices are configured to meet cyber security best practices and standards. “Apply data and document security best practices and standards to the print devices. This is routinely overlooked, and if an organisation has to comply with the Health Insurance Portability and Accountability Act (HIPAA) or the General Data Protection Regulation (GDPR), for example, print is often in scope, though not adequately addressed and managed with those requirements,” they note.
Above all, Brannock and Howard say IT departments need to adopt practices such as zero-trust, cyber hygiene, device identification and device certificates to secure printers.
Since an MFD has the ability to send data outside of the company’s internal network, Airbus’s Francis suggests printers should be configured to only send emails to the logged-on user doing the scanning. “This can prevent accidentally sending sensitive documents to the wrong email address, as well as bring files within the data loss prevention regime on users’ workstations,” he says.
“Many companies still use faxes as a means of communication, particularly in the health and legal sectors, with one reason being that they can provide proof of receipt,” he adds. “However, using a network-connected device which also has a built-in modem and phone line can provide a backdoor into the network. Moreover, one of the most common breaches with faxes is unguarded documents left on the fax after transmission or receipt. Where only a few people need access to a fax, a cloud-based fax service may be an alternative, dispensing with the paper.”
As Brannock, Howard and Francis note, IT departments need to assess the risk posed by printers as unmonitored network endpoints. A recent White House executive order calling for endpoint detection and response (EDR) as a critical component of IT infrastructure, has implications for all endpoint devices, including printers.
While this is focused on the US administration, Brannock and Howard believe the executive order will mean that device manufacturers, including those that make printers, will need to ensure they have technologies that make the devices readily detectable and identifiable and produce actionable intelligence to enable the ability to respond to anomalous behaviour, vulnerabilities and cyber security events.
While the printer may well have been the device that paved the way to the roll-out of corporate LANs, today it should be regarded as a fully fledged IoT edge device. The best practices IT departments put in place now to manage and secure printing can be applied to many edge-of-network applications and IoT device management.
