Print Network Security
In a recent webcast, HP, Inc.’s Print Security Advisor, Lindsey Hearst, and ARC’s Kelly Mitchell, National Director of MPS, discussed 10 security vulnerabilities of most multifunction printers (MFP).
Given the increasing frequency and cost of cyber attacks, more organizations are focusing on network security, but—Hearst and Mitchell say—they’re often overlooking the security of their printers and their connections to the corporate network. Print device security is more complex than many companies expect, but Hearst narrowed it down to 10 primary risk points.
In this webcast recap, we’ll first review those 10 print device security risks. Then, we’ll wrap things up with Mitchell and Hearst’s key takeaways.
BIOS and Firmware
BIOS is the first set of code that runs on your computer or printer. This code presents a security risk because it lives below antivirus software. That means, if your printer gets a piece of malware at that level, antivirus software
won’t see it. Moreover, reinstalling programs or re-imaging the device will have no effect on that kind of malware.
Most PC’s check the BIOS for anomalies when the device starts up. If something is found, the device is shut down. HP is one of the few vendors applying this same check to printers. Hearst explained that HP goes a step further with a secondary “golden copy” of the BIOS that is electronically separated.
The golden copy can’t be edited or tampered with so if there’s a problem with the BIOS, the printer takes the golden copy and overwrites the problematic BIOS.
Hearst said that printer management is one of the most commonly overlooked security vulnerabilities. Often times, she said, people make sure they’re getting a secure printer when they first purchase it, but that’s not enough. One part of management that is often deprioritized is keeping firmware up to date.
Failing to do so means your printer may be running outdated firmware with known vulnerabilities making the devices an easy access point for hackers. This is why, she said, that partnering with ARC is valuable because they can take care of updating firmware.
Network, Capture, and Mobile Printing
Network, Capture, and Mobile Printing are all separate workflows but Hearst discussed them as a group because they’re all related. She explained that when devices communicate with each other, each connection point could be a potential access point for hackers.
For example, sending a print job from your PC or phone may be secure on the device itself, but for that print job to get to the printer, the device must do a “handshake” with the network. Then, the network must do a “handshake” with the printer. If, at any point during that communication between networks and devices, there’s an insecurity, a hacker could potentially grab a copy of that print job and steal the information.
Even worse, they can take the information while still allowing the print job to go through so the user doesn’t realize anything is happening.
The level of access users have at the printer introduces a big risk that can be managed while balancing user needs. It’s important to use the control panel to set permissions that helps protect printers from unauthorized use. For example, use permission settings to prevent temporary staff such as interns from using the Scan to Email function to scan documents and send them to external email addresses. Or, implement a separation of duties that allows admins to fax from a printer, but not doctors. Of course, how permissions are set depends on the needs of the company, but organizations should utilize the principle of least privilege (PoLP) to reduce risk.
Ports and Protocols
Most enterprise-class MFP printers and copiers have over 250 security settings like FTP, Telnet, Remote Firmware Upgrade, Novell, and the Embedded Web Server Password which in many situations, are open or unset by default. If there is no Embedded Web Server password, or it is left as default (which can be found online), anyone can access and change any setting on the device.
Without proper configuration, users could go in and install malware, move to other locations on the network or route print jobs to their external server, among other things.
Storage media, an example of which is a printer’s hard drive, is also vulnerable to exploitation. This is especially true if the encryption on a printer’s hard drive is out of date, as is often the case with older printers. In fact, even if your hard drive is encrypted, if it’s old encryption, someone can still decrypt that hard drive if they have enough time.
Output Tray and Input Tray
Another vulnerability is the output tray. Often, users forget about a document they printed or they print it to the wrong printer. In either case, without a secure pull print solution, that document is there for the taking for anyone that walks by. This is a huge violation for any data protection regulation like HIPAA, SOX, GDPR, etc. Secure pull print software eliminates this issue because it requires the user to verify the print job at the printer itself.
Hearst mentioned that Abacus, a solution provided by ARC, adds another layer of security to an output tray by helping you monitor what’s coming out of your printer.
The last risk that Hearst reviewed was the input tray. Though this is less of a threat to your network, it is an opportunity for loss if you load certain types of paper—for example, prescription paper—into the printer because people can easily steal it.
Print Network Security and 4 Vulnerabilities to Think About Today
At the end of the webcast, Hearst highlighted four vulnerabilities and how to address them.
Embedded Device Security: If you have devices older than seven years old, They are missing protection against many of today’s threats. When you’re purchasing new devices, make sure they have embedded security like BIOS checks, monitoring memory usage, and are compatible with security software like secure pull print.
Firmware Management: If you haven’t updated firmware within the last 6 to 12 months, it’s likely that your printer has a known vulnerability. This leaves vulnerable devices on your network and your company noncompliant with many data protection regulations. Hearst recommends you regularly update the firmware on your devices as well as sign up for security bulletins from your vendor to be alerted when vulnerabilities are found.
Ports and Protocol Management: Simple settings like having an EWS password, turning off FTP and Telnet access, enabling modern encryption standards, etc. will greatly reduce your risk. It’s easy to partner with ARC to make sure these are all taken care of.
Output Tray: Securing the output tray, according to Hearst, is a no-brainer. Secure pull print solutions allow users to send a job to a printer which is then held on the corporate network, cloud location, or on device. After that, when the user gets to the printer, they can authenticate themselves and choose which jobs to print.
Secure Pull Print doesn’t just improve security, it also prevents waste, leading to cost savings of up to 30 percent.
ARC and HP: The Only Print Security Solution to Support Local, Regional, and National Organizations
Anytime you add a new device to the network, there’s a potential vulnerability. As those printers age, more vulnerabilities pop up. Over time, finding all those weak points becomes an increasingly complicated task. It’s something that cannot be ignored or deferred to a more convenient time. As more time elapses, the gap in your company’s printer security will only continue to expand.
Fortunately, as Kelly Mitchell showed at the end of the webcast, ARC provides what’s called a “Security Manager Quick Assess.” Quick Assess looks at 15 security settings (like EWS PW, Telnet, FTP, Airprint, etc. that HP considers ‘Essential’.
For a Security Manager Quick Assess, contact ARC today.
Identify and Plug Security Leaks in Your Print and Imaging Network