Security Think Tank: What must a secure print strategy take into account?
Though rarely discussed in a cyber context, the prevalence of connected printers and MFPs poses security risks both technological and physical. What does a print security strategy need to take into account?
This article was first published in Computer Weekly
Printing is perhaps rarely discussed in a cyber context, but while the prevalence of connected printers and multi-function printers (MFPs) enhances convenience and productivity, it also poses security risks, both technological and physical. From managing and securing paper in digital processes to securing the devices themselves, businesses need to ensure they have a print security strategy in place.
As printers evolved and their feature sets expanded, it became commonplace to encounter printing devices in the workplace that are either connected to the internet, to sensitive networks or to both.
Printer devices are commonly overlooked within the scope of security audits as they are often not perceived as the complex computers they are. In addition, many printers are prone to crashing when scanned, and thus the risk of disruption typically leads to only a cursory review being conducted even when these devices are within the scope of an assessment.
This approach may give the impression that printers do not pose a risk to an organisation, a false sense of security, as year on year we see security research presented that identifies severe vulnerabilities and gaping holes in the security of these systems.
Before looking at how we can reduce the risk printers and printing may pose to an organisation, we must look at the common risks:
- A compromised, internet-connected printer could provide an entry point to an attacker into internal networks.
- A compromised network-connected printer could allow an attacker to persist within a network, most likely unnoticed.
- A compromised printer may divulge sensitive data to an attacker, such as the documents being printed.
- Printed documents may be sensitive and stolen if not physically secured or destroyed.
- A physically and technically insecure printer may allow malicious software updates to be installed, for example via exposed USB ports.
While non-exhaustive, these are some of the key risks a potentially vulnerable printer or printing process could present to an organisation. A secure print strategy should consider points that reduce the risks noted above, as well as the risk posed by those using the printer and managing the documents printed.
Considering the above risks, there are a number of ways where mitigation can help to reduce the possibility of successful attacks.
Inventory and monitoring
Security monitoring and inventory is the first step to understanding the baseline security posture of printers within an organisation. It is crucial to know what firmware version is in use, whether a default configuration (and thus default password) is set up or whether any anomalies are present.
Ensure the printer’s firmware is up to date and the configuration hardened
While you cannot protect against unknown vulnerabilities, organisations can reduce the risk of being exploited by ensuring a hardened configuration and the most up-to-date firmware is in use. In order of priority, organisations should ensure:
- Authentication is enabled with a unique, strong and non-default password.
- The device’s firmware is the most recent and regularly updated.
- Any unnecessary services and features are disabled.
- Document caching settings as disabled where possible.
- Features such as sending documents via email, or uploading to sharing portals are appropriately restricted to only allow sending to trusted domains and authorised providers.
These steps can help to prevent attacks such as credential theft in the case a device has credentials stored, where, for example, previous attacks have seen LDAP credentials extracted via coercing the printer to authenticate with rogue, attacker-controlled devices.
Isolate your printers where possible
While it may not be practical to fully isolate your printers at the network level, care should be taken to ensure all printers can only access user workstations and in addition, that printer management interfaces can only be accessed from management designated systems.
This helps to prevent lateral movement to sensitive systems in the case a connected printer is compromised, as well as preventing access to printer management interfaces from unauthorised users.
Regularly monitor your printer’s paper output and printing area
Regular review of the printer’s location should be conducted to ensure no sensitive documents are left unattended. Where possible, clearly labelled bins and shredding devices should be present close to the printing station, and employees should be encouraged to use them for the disposal of secure documents.
Implement secure pull/FollowMe printing
Secure pull and FollowMe printing are a means of ensuring documents are only released and printed once the authorised user has authenticated with the device. This is a safe way of ensuring printed documents don’t end up in the wrong hands before the user reaches the printer.
Ensure printers are included within the scope of penetration tests
Printers tend to be excluded from penetration test scopes, as they are either overlooked by the organisation or considered to be fragile by the vendor – for example, security scanning can cause them to crash and, as a result, they are often implicitly not robustly assessed.
Printers should be included within the scope of penetration tests with explicit checks for common misconfiguration and a plan of action in the case these devices are disrupted (such as testing outside of busy periods and having someone present to reboot the devices if required).
Educate users to ensure documents remain secure
Educating users is an important part of security and steps should be taken to ensure users of the printers understand data confidentiality, protective markings and good practice around the handling of sensitive materials.
Ensure secure decommissioning takes place
Where possible, printer hard-drives should be encrypted where supported as well as securely wiped prior to the disposal of a device. This can help to prevent data recovery efforts in the case a printer is stolen or obtained by a malicious individual.
Implementing these measures can significantly reduce the likelihood of successful attacks and may also help to detect any potential attacks or points of entry before they are exploited by attackers.
Josh Foote is a cyber security expert at PA Consulting.