Did you know that people you have never met could use your printer to harm others, and that most likely you would never know? It amounts to taking part in a crime without knowing about it or doing anything. Using specialized search engines like Shodan, attackers can find multi-function printers/copiers (MFPs) that are exposed to the internet, take them over, and use them to attack websites and other internet-connected devices.
A recent survey revealed some striking figures. Sales and human resources departments were the most exposed to security breaches: 93 percent of sales respondents and 76 percent of HR respondents were associated with the highest number of printer-related vulnerabilities. Underlining how exposed printers are, only 30 percent of the companies surveyed had a process in place for identifying high-risk printers, and most had no idea what to do with their printer endpoints in the event of an attack.
Most printers deployed in an organization ship with no security enabled, and it falls to a network administrator to configure them securely. MFPs are prominent in small and large organizations alike because of how much they simplify day-to-day operations: scanning, photocopying, emailing and faxing cut both time and costs. The problem is that each of those features is a network service, and each one opens the company to its own set of vulnerabilities. In addition, many businesses elect not to monitor and secure printers when they deploy tools such as Cisco ISE, Aruba ClearPass or CyberArk PAS. This saves licensing costs, because they assume the printer is a known and trusted device and that it is safe behind the firewall. Most of the threat from Shodan and similar tools rests on one omission, and it goes away if the simplest and most basic measure is taken: change the default login credentials on every internet-connected device. Even then, a printer that remains reachable from the internet is still a target; changing the credentials only removes the easiest way in.
However, even with perimeter controls in place, insider threats have been an ongoing and top danger for companies for as long as information security management has been a discipline. Mitigation poses its own array of challenges for incident-response teams. Discussions with various incident-response teams revealed that between 25 and 30 percent of data breaches involved an external actor working with someone inside the organization.
There are several ways to detect insider threats. System and employee activity can be logged and monitored to spot users who transfer substantial amounts of data to external drives or printers, attempt to bypass security controls, or access confidential data that is irrelevant to their role. Tracking employees who access data outside normal working hours also gives good visibility into activity that is not part of the normal course of business. Emailing sensitive data to a personal account and excessive direct use of printers and scanners are further indicators of insider activity. Securing your network and all its endpoints, including the seemingly innocent printer by the water cooler with its USB ports and network and email access, is critical to the overall security posture of your company. Here are some best practices to consider:
- Do not expose printers to the public internet; configure each printer's ACL to restrict access by subnet or device
- Change the default password for the administration panel and/or web page
- Use encrypted connections (HTTPS, IPPS) when accessing the admin functions
- As with any critical system, don’t run unnecessary services or insecure protocols (Telnet, HTTP, FTP, etc.)
- Stay on top of patches and updates
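The following is an added example, not code from the original article, that turns the checklist above into a quick service audit for a single printer. It connects to the TCP ports these printer protocols normally listen on and sorts each open port into "disable" (cleartext admin or transfer: Telnet, FTP, HTTP), "restrict" (needed for printing or management but unauthenticated, so it should be limited by ACL to the print servers), "keep" (encrypted admin) or "review" (anything unexpected). The port-to-service table is the usual default assignment and is an assumption for any particular model; the placeholder host is a TEST-NET address.

```python
"""Audit an MFP's exposed TCP services against the hardening checklist.

Added example, not code from the original article. The port table reflects
the ports these protocols listen on by default; a given printer may differ
(assumption).
"""
import socket
import sys

# Services that should be switched off outright (cleartext admin or transfer).
DISABLE = {
    21: "FTP: cleartext file transfer / print-by-FTP",
    23: "Telnet: cleartext administrative shell",
    80: "HTTP: cleartext web admin (redirect to HTTPS or disable)",
}
# Services needed for printing/management that carry no authentication and
# should therefore be ACL-restricted to the print servers or management subnet.
RESTRICT = {
    161: "SNMP: often v1/v2c with default community strings",
    515: "LPD: unauthenticated printing",
    631: "IPP: prefer IPPS (TLS) and limit to print servers",
    9100: "JetDirect raw port: unauthenticated PJL/PostScript",
}
# Encrypted management surface that is acceptable to leave on.
KEEP = {443: "HTTPS web admin"}

DEFAULT_PORTS = sorted(DISABLE | RESTRICT | KEEP)  # dict union needs Python 3.9+


def scan(host: str, ports=DEFAULT_PORTS, timeout: float = 0.5) -> set[int]:
    """Return the subset of `ports` that accept a TCP connection on `host`."""
    open_ports = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.add(port)
    return open_ports


def assess(open_ports) -> list[tuple[str, int, str]]:
    """Map each open port to an action: disable, restrict, keep or review."""
    findings = []
    for port in sorted(open_ports):
        if port in DISABLE:
            findings.append(("disable", port, DISABLE[port]))
        elif port in RESTRICT:
            findings.append(("restrict", port, RESTRICT[port]))
        elif port in KEEP:
            findings.append(("keep", port, KEEP[port]))
        else:
            findings.append(("review", port, "unexpected listener; identify the service"))
    return findings


def passes_baseline(findings) -> bool:
    """True when no service from the 'disable' class is listening."""
    return not any(action == "disable" for action, _, _ in findings)


if __name__ == "__main__":
    # Placeholder target (TEST-NET-1); pass the printer's address as argv[1].
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    for action, port, note in assess(scan(host)):
        print(f"{action:8} {port:5} {note}")
```

Run it from a host on the printer's subnet and again from outside it; a "restrict" port that answers from outside the print-server subnet means the ACL from the first checklist item is missing, and any "disable" finding means the third and fourth items are not met.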
Be sure there is a policy in place for the handling of physical documents and that users are aware of it; printer areas should have "clean desk" rules even where that is not a requirement elsewhere for your end users.
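As an added example, not code from the original article, the rules below run the insider-threat indicators described earlier (off-hours activity, scan-to-email to a personal address, export to USB, unusually high page volume) over a few constructed MFP audit-log lines. The log format (one comma-separated line per job: timestamp, user, device, action, pages, destination), the corporate mail domain, the office hours and the daily page threshold are all assumptions chosen for the example; a real deployment would feed the printer's own job log or syslog into these rules and tune the thresholds to the site.

```python
"""Insider-threat rules run over constructed MFP audit-log lines.

Added example, not code from the original article. The log format, the
domain allowlist, the office hours and the page threshold are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample data, not a real capture: timestamp,user,device,action,pages,destination
SAMPLE_LOG = """\
2024-03-04T09:12:01,alice,MFP-2F,print,3,-
2024-03-04T09:40:22,bob,MFP-2F,scan_email,12,bob@corp.example
2024-03-04T22:47:10,bob,MFP-2F,print,240,-
2024-03-04T22:51:33,bob,MFP-2F,scan_email,85,bob.smith99@gmail.com
2024-03-04T23:02:08,bob,MFP-2F,scan_usb,60,USB
2024-03-05T10:15:44,carol,MFP-4A,print,18,-
2024-03-05T10:16:02,carol,MFP-4A,scan_email,4,partner@vendor.example
"""

CORPORATE_DOMAINS = {"corp.example"}      # assumption: the company's own mail domains
WORK_HOURS = (time(7, 0), time(19, 0))     # assumption: normal office hours, Mon-Fri
PAGES_PER_DAY_THRESHOLD = 200              # assumption: per-user daily page budget


@dataclass(frozen=True)
class Job:
    ts: datetime
    user: str
    device: str
    action: str
    pages: int
    destination: str


def parse_log(text: str) -> list[Job]:
    """Parse the assumed comma-separated job-log format into Job records."""
    jobs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, device, action, pages, dest = line.split(",")
        jobs.append(Job(datetime.fromisoformat(ts), user, device, action, int(pages), dest))
    return jobs


def is_off_hours(ts: datetime) -> bool:
    """Outside the configured office hours, or on a weekend."""
    start, end = WORK_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() <= end)


def is_external_mail(dest: str) -> bool:
    """Destination is an e-mail address whose domain is not a corporate one."""
    return "@" in dest and dest.rsplit("@", 1)[1].lower() not in CORPORATE_DOMAINS


def detect(jobs: list[Job]) -> list[tuple[str, str, str]]:
    """Return (rule, user, detail) tuples for every rule a job triggers."""
    alerts = []
    pages_per_user_day = defaultdict(int)
    for j in jobs:
        if is_off_hours(j.ts):
            alerts.append(("off_hours", j.user, f"{j.action} at {j.ts.isoformat()}"))
        if j.action == "scan_email" and is_external_mail(j.destination):
            alerts.append(("external_email", j.user, j.destination))
        if j.action == "scan_usb":
            alerts.append(("usb_export", j.user, f"{j.pages} pages"))
        pages_per_user_day[(j.user, j.ts.date())] += j.pages
    # Volume is judged per user per calendar day, after all jobs are summed.
    for (user, day), total in pages_per_user_day.items():
        if total > PAGES_PER_DAY_THRESHOLD:
            alerts.append(("volume", user, f"{total} pages on {day}"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{rule:15} {user:8} {detail}")
```

On the sample data the rules single out one user who prints and scans heavily late at night, scans to a personal webmail address and copies to USB, while a scan to a partner's domain also trips the external-mail rule: that is the kind of false positive the allowlist exists to absorb, and it should be tuned against legitimate business contacts before the rule is used to open cases.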