When looking at enterprise security, we commonly refer to and consider firewalls, Intrusion Prevention Systems (IPS), Virtual Private Networks (VPN), encryption and authentication. When we think of securing our data, we think of securing critical servers and databases. Rarely do we think of printers. Billions of dollars are spent worldwide on security each year, but how much did your organization spend on securing its printers in the last 12 months? If you answered zero, you would be in the vast majority.

Printers have come a long way since their widespread adoption in the late 1970s and early 1980s. Back in the day, each printer was connected to an individual system and could only process a single print job at a time. Today, printers have matured into multi-functional devices that bear little resemblance to their distant origins. Printers in the 21st century perform dozens of tasks including, but not limited to, printing, scanning, photocopying, faxing and even emailing documents. What most users, and even system, network and security administrators, do not realize is what really goes on inside a printer and what functionality it truly has. Most users still think of the printers of 30 years ago: unintelligent devices that only possess the ability to print documents. This view is far removed from the truth.
When discussing printers in this article, we are not only talking about the behemoths you see in most large enterprises, but also the low-end multi-functional printers you now find common in regular households. Rare is it to find a printer, no matter how small, that only performs the single task of printing. Most, at a very minimum, provide faxing or scanning, and with these come increased memory requirements. Scanning a full document in preparation to print, scanning a document to be saved as a PDF or similar file, or scanning a document to allow faxing all require the ability to buffer the data within the device. A buffer is basically a region of memory that allows the storing of temporary data. Printers use this buffer to store a digital version of the document you are printing, scanning or faxing. Depending on the device, this buffer can range from a small piece of Random Access Memory (RAM) to a Hard Disk Drive like the type found in your desktop or laptop computer. In larger enterprise printers, this buffer is not the only memory store found within the printer. A larger, non-volatile memory area is provided to store semi-permanent or permanent information. For example, some printers allow scanning of a document and saving it within the printer as a PDF. The user may then connect to the printer as if it were a network drive, or via a web page, and download their document.
So where are we going with all this? The leakage or theft of sensitive and confidential corporate information. Large enterprises may have developed and implemented data retention and destruction policies, but rarely do these include, or even mention, printers. Companies look at hard copies of documents, CDs, DVDs and workstation, laptop and server hard drives when developing their data destruction policies. While it is clear they identify hard drives as a source of sensitive information, rarely do they consider the hard drives contained within their printers, if they even know of their existence. Printers are also commonly overlooked when security policies, procedures and guidelines are developed and implemented. Little time, if any, is spent looking at printer security or the implications of not securing the corporate printers.
This becomes all the more disturbing when you contemplate the common types of documents that pass through printers in a corporate environment. Depending on the industry or the department within the organization, documents can vary from sensitive financial records, personal customer data or detailed network diagrams, to name a few.
Understanding how sensitive data is leaked via a simple printer to the outside world requires an understanding of the corporate environment, the security controls within that environment, and the general flow of information between users, printers and the file systems that house restricted data.
In the ideal, secure corporate environment, a user has restricted access to files that pertain to his or her job function. The files reside on a secure server within the corporate network and are protected by strong access control policies requiring a user to authenticate before being allowed access to files. In our example, a user requires a sensitive financial document for a meeting he is about to attend. The user authenticates to the server, access to the file is authorized by the access control policies set on the file, and the user opens the file in Microsoft Word. He clicks on the print icon and sends the document as a print job to his nearest printer. With this simple act, we have taken a secure document that very limited users have access to, and have created two copies that are no longer protected by any form of access control. The first is the obvious: the paper copy our user requires for the meeting. The second is a copy housed in the buffer on the printer. In the ideal world, our user will keep the printed copy safe at all times, follow the organization's data destruction policy and destroy the copy of the document when it is no longer required. As for the virtual copy created on the printer, the user has no real control over this, and probably does not know it even exists. If we are lucky, the document is overwritten when the next print job comes through, but this is very dependent on the brand and model of printer and how the printer was initially set up by the administrator.
Slightly different to the straight printing of documents, scanning of documents or receiving faxes on a multi-functional printer writes documents to non-volatile areas of memory, usually a hard disk drive. If documents are not manually removed, they will remain there indefinitely, often long forgotten by the original user that scanned the document or received the fax.
In either of these scenarios, improper disposal of a decommissioned printer could have catastrophic consequences for a company. Leased printers may be returned to the leasing company for resale. Purchased printers are discarded in the trash or sold at auction or online via auction sites such as eBay. Either way, countless sensitive documents could pass into the hands of nefarious individuals. While the leaking of some documents could financially affect organizations, leaking personal information pertaining to hundreds or thousands of customers or clients could have reputation ramifications that could destroy a company.
Most organizations do not realize the full potential of their printers or the functionality they have available. While much functionality is non-security related, these functions have considerable impact on the security of the data within an organization and need to be understood and addressed. These include, but are not limited to:
1. The ability to copy files to Windows or Unix SMB file servers
2. The ability to email scanned files to a user
3. Functionality that allows printers to receive faxes and then forward the fax onto predefined users via multiple methods, such as email or as another fax, and
4. The ability to store files which have been scanned, printed, emailed or uploaded locally on the printer.
While the previous data leakage scenarios have been accidental in nature, data remaining on printers could be the target of an educated attacker, one that understands the value of data residing on printers and who has the ability to compromise that data. While organizations invest hundreds of thousands of dollars to secure their network, dividing networks and systems into zones of trust with firewalls, Intrusion Prevention Systems and other network access control points, they have rarely considered where printers are logically placed within the network. In most cases, they are located among the users, or in some organizations, even on the server networks. Some organizations do not even have zones of trust, and the printers exist among users, servers and even Internet accessible systems. In the worst case scenarios, the printers may even be Internet accessible themselves. Printers are not seen as critical devices, and as such, are not secured in their own zone of trust where management interfaces are accessible only to trusted printer administrators. By limiting access to these interfaces, compromise of the data housed on these printers becomes exceedingly difficult.
While most printers have the capability to authenticate both printer administrators and normal printer users, the majority of the time this functionality is disabled or left in its default state: disabled. Five minutes on Google and an attacker will be able to find the default password to almost any printer. Once administrator access is gained to a printer, it takes little time and even less ability to make changes to settings that could be catastrophic to an organization. While it would be little more than annoying to find yourself locked out of your printer, or the interface changed to another language so no one could control the printer, if the attacker was to redirect your printing or copy documents to a location outside the internal network, depending on the contents of the file, it could ruin an organization.
So how does an organization protect itself against attacks against printers and leakage of sensitive data?
A few simple steps:
1. Disable unnecessary functionality. If any function within the printer is not required within your business, disable it. The fewer services or functions a printer has running, the fewer avenues of attack or leakage the printer has.
2. Add printers to your data retention and disposal policies. Make sure all memory inside printers is disposed of via secure destruction or secure wiping when printers are decommissioned.
3. Ensure data is overwritten immediately after printing. This requires the printer in use to support this functionality, but if your data is highly sensitive, this should be a priority when looking at new printers.
4. Print from memory rather than hard disk drive if available.
5. Use the secure printing option, if available, so printouts do not start before you reach the printer and enter your password. How often have you hit print, walked to the printer and found your printout nowhere to be seen, only for it to turn up lying on a table days or even weeks later?
6. Examine where printers are logically located within the network. Printer management interfaces should be restricted and only accessible from defined management IPs. Ensure printers are never accessible from the Internet. Assess whether some or all printers should be located within their own zone of trust.
7. Use the inbuilt security within the printer to restrict who has access, what access they have and where they may access from.
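Steps 1, 3, 6 and 7 above can be checked mechanically against a printer inventory. The following is an added example, not part of the original article; the inventory field names, network ranges and printer records are constructed assumptions, not any vendor's export format.

```python
import ipaddress

# Assumptions for this example: site-specific networks, constructed values.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
MGMT_NETS = [ipaddress.ip_network("10.20.30.0/28")]

# Constructed inventory; the field names are hypothetical.
PRINTERS = [
    {"name": "fin-mfp-01", "ip": "10.1.5.20", "admin_auth": True,
     "default_password": False, "overwrite_after_job": True,
     "enabled": {"print", "scan_to_email"}, "required": {"print", "scan_to_email"},
     "mgmt_acl": ["10.20.30.0/28"]},
    {"name": "lobby-mfp-02", "ip": "203.0.113.10", "admin_auth": False,
     "default_password": True, "overwrite_after_job": False,
     "enabled": {"print", "fax_forward", "smb_copy"}, "required": {"print"},
     "mgmt_acl": ["0.0.0.0/0"]},
]

def audit(printer):
    """Return a list of findings for one inventory record."""
    findings = []
    extra = sorted(printer["enabled"] - printer["required"])
    if extra:  # step 1: functions the business does not need
        findings.append("unneeded functions enabled: " + ", ".join(extra))
    if not printer["overwrite_after_job"]:  # step 3
        findings.append("job data not overwritten after printing")
    addr = ipaddress.ip_address(printer["ip"])
    if not any(addr in net for net in INTERNAL_NETS):  # step 6: placement
        findings.append("printer address is outside internal networks")
    acl = [ipaddress.ip_network(e) for e in printer["mgmt_acl"]]
    if not acl:  # step 6: no source restriction at all
        findings.append("management interface has no source restriction")
    for entry in acl:  # step 6: every allowed source must sit inside a management net
        if not any(entry.subnet_of(m) for m in MGMT_NETS):
            findings.append(f"management ACL entry {entry} exceeds management networks")
    if not printer["admin_auth"] or printer["default_password"]:  # step 7
        findings.append("administrator authentication disabled or left at default")
    return findings

def audit_all(printers=PRINTERS):
    """Map each printer name to its findings (empty list means compliant)."""
    return {p["name"]: audit(p) for p in printers}

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "OK" if not findings else findings)
```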
Securing printers should be an integral part of securing your data. Security policies should exist that address the risks and define how printers should be secured. Develop printer security guidelines and procedures for implementation of new printers and follow these standards to ensure all printers are secured and do not become a high risk to your organization. By securing your printers, you are contributing to your overall layered security model and protecting your organization's critical data along with its reputation.