Hackers may be using your office printer as a conduit for criminal activity. Think about it: A printer in today's office environment often saves on its hard drive all images of documents that are printed, scanned or faxed. Therefore, hackers who know anything about accessing files on a network might easily gain access to that sensitive data (Read about some of the security features on modern printers in Joe's Office: Secure Printer).
This kind of threat is too frequently overlooked, according to ICSA Labs, a security products testing and certifications firm. ICSA said Monday it is introducing new certification and assessment programs that will address security threats posed by networked devices such as printers, fax machines and security cameras (See also: How Will We Secure the Internet of Devices?). The programs, known as Network Attached Peripheral Security (NAPS), will include a vendor certification program. The class of network-connected devices addressed by the program will include printers, faxes, point-of-sale systems, copiers, ATM machines, digital signs, proximity readers, security cameras, and facility management systems for power, lighting and HVAC systems, said George Japak, managing director, ICSA Labs.
"You have UPS systems, you have power strips, I could go on an on about the different devices that are being connected with this functionality"
Network-connected devices, according to Japak, can pose as much risk as an unsecured server on the network but are often ignored and are typically not securely installed or configured by end-users, he said. Network-attached devices, like network servers, are at risk for unauthorized access and data breach, denial of service attacks and can even propagate worms like Code Red Nimda. However, specific statistical data to back up the severity of the security issues posed by network-connected devices is scant. ICSA referred to figures from the Verizon Business 2009 Data Breach Investigations Report which finds many breaches occur through what is called "unknown, unknowns," which can involve systems such as printers and faxes. No further data about specific attacks or incidents was available from ICSA.
"Based on the feedback from current and prospective customers, this is going to be or have the potential to be a significant issue and problem with enterprises as they continue to deploy these devices," said Japak.
Networked-device security is certainly not a new issue and the potential for security problems with devices has been talked about for several years now (See: When Everything's Networked). Printer security has also received attention from other organizations. Earlier this year, the IEEE released new security standards for networked printers that include specifications and a checklist for printer security requirements. The standards, known as the 2600 Profile requirements, were created by IEEE in a joint effort with Xerox and were created to give printer vendors basic security requirements when developing devices. Japak said ICSA is still reviewing the IEEE standards to determine who they will fit in with the NAPS program.
The NAPS certification will target device manufacturers and will include rigorous testing that examines several different aspects of a device and how each impacts its overall security. ICSA is also hoping to gain attention from enterprise clients concerned about device security with a NAPS assessment program that offers an evaluation and report with results of testing and recommended configuration instructions.