Despite shipping with mature security features, most printer deployments are insecure because of misplaced financial and organizational incentives.

Printers are an overlooked soft target in the enterprise that can make an attacker’s job much easier, despite extensive built-in security features that rarely get turned on, according to recent research by two unaffiliated security research teams at Symphion and NCC Group.

Most enterprises outsource their printers to managed print services (MPS) providers, and the intense competition on price among MPS providers has encouraged many of them to optimize for cost and efficiency, but not for security. That leaves gaping holes in many organizations’ defenses.

“[Printers] sit and are configured on sensitive parts of corporate networks,” NCC Group researchers Daniel Romero and Mario Rivas told 44CON in London in September. “[Printers are] great for pivoting and launch network attacks. They process all manner of information, [and] are often assumed to be low-risk targets and fairly dumb in capability. [Printers are] common office devices present in all organizations, [with a] very immature state of security, and largely ignored in most organizations.”

Straddling the line between shadow IT and “who’s responsible for those devices, exactly?”, security leaders often have poor visibility into printer deployments because such procurement is usually done outside of the IT purchasing cycle without the security team in the loop. The irony is that most enterprise printers today ship with sophisticated security controls that can be configured to suit most users’ needs, but are typically turned off by default to ease remote management of thousands of devices by the MPS provider.

It would be difficult to overestimate the threat printers pose to both real security and compliance obligations, and the solution, like so many things in security, is organizational, not technical.
What is a printer, exactly?

In the same way that the word “phone” now means “a pocket supercomputer and tracking device that happens to also let you make voice calls,” the word “printer” today means “a fax machine, copier, web server, email server and FTP server with a gigabit Ethernet connection into the most sensitive parts of your office network that stores previously printed sensitive documents on an internal hard drive for basically forever, until your MPS junks the printer and someone finds HIPAA data from your hospital on the unencrypted hard drive and raises a scandal. Oh, and it prints stuff.”

Did we mention unpatched? Yeah, printers don’t often get patched. Did we mention that most security operations centers (SOCs) turn off network monitoring notifications regarding printer activity? “Replace toner” is not a message most SOC analysts want to see clog their alerts, so they whitelist those devices. Meanwhile, a Russian state hacking group (if Russia is doing it, so are other nation-states) is hacking printers to gain a beachhead on their targets of interest.

“Printers, unlike standalone servers,” a white paper from printer security company Symphion said, “are maintained outside of data centers without the physical and technical safeguards and controls that are common to data centers, are managed by non-security, non-IT professionals–not the heavily credentialed system administrators like in data centers, and are not being included in IT policies and procedures. Moreover, printers, like laptops, are mobile throughout the enterprise (they are, oftentimes, on wheels).”

Blocking and tackling. Raise the bar. Do the basics. Sound familiar? Like so much in security, the problem isn’t technical. It’s organizational. Someone has to actually do the work.

Who should manage printer security?

Enterprise security teams need to be involved in printer procurement early to include security requirements as part of any RFP. More importantly, though, the buck has to stop somewhere.
Who is in charge of printer security? When half a dozen different roles might be in charge, that’s a recipe for a security disaster.

“We believe it should be the CSO,” Jim LaRoe, CEO of Symphion, says. Since security is a process, not a product, as the time-tested saying goes, ensuring continuous visibility into printer security states is a must. Security features should be turned on, and kept on, even after maintenance (when repair technicians might reset to factory defaults, for example). Keep those unnecessary ports closed and unneeded services turned off. Monitor network traffic continuously for suspicious activity. Be sure to securely dispose of printer hard drives before they leave the building, as these drives are often ginormous and contain tons of sensitive documents that stay there after getting printed.

Printers are vulnerable to all the usual attacks

What are the consequences of failing to secure a printer fleet? When you put a bunch of insecure web apps on a printer, it shouldn’t come as a big surprise that many of those web apps fail to deal with the OWASP Top 10 most critical web application security risks. The NCC Group research uncovered critical risks to printer web applications, printer services and even the hardware itself.

“Tons of services exposed by default, with weak configurations,” they wrote. Printer web apps are vulnerable to–you guessed it–CSRF (cross-site request forgery), XSS (cross-site scripting), and even path traversal attacks. Did we mention buffer overflows? Yeah, all the oldies and goodies.

Printers use proprietary protocols

One major stumbling block to securing printers is that printer manufacturers use proprietary software in search of vendor lock-in, and different types of printers can’t talk to each other–or with a security administrator using standard protocols.
“Even though printers offer rich security settings to protect themselves,” the Symphion white paper said, “those settings are not accessible via the Simple Network Management Protocol (SNMP) scanning (the standard automation used by the print industry) and printer manufacturers’ printer management software, while able to access security settings, is brand limited and won’t cover the whole fleet or even the printer manufacturer’s own legacy devices.”

As so often seems to be the case these days, the market creates incentives that fail to select for strong cybersecurity. Enterprises need to acknowledge this and pressure their suppliers to offer greater interoperability. Failing that, either stick with a single vendor, or seek out (or develop in-house) a platform-neutral solution.

Healthcare worst hit by printer vulnerabilities

While many other verticals rely less on paper as time goes by, healthcare still requires a lot of paper. Print fleets in hospitals are the soft underbelly of an already soft underbelly, and numerous healthcare orgs have been fined substantial amounts by the OCR (Office for Civil Rights), the agency that enforces HIPAA compliance, for lax printer security.

To cite but one example, the US Department of Health and Human Services (HHS) fined Affinity Health Plan more than a million dollars. “OCR’s investigation indicated that Affinity impermissibly disclosed the protected health information of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives.” That was almost ten years ago. How much has changed since then? Far too little.

Given the critical reliance on printers (which are often also photocopiers these days) in hospitals, healthcare organizations need to think not just about maintaining HIPAA compliance, but also about the security risks those devices pose to the safety of their patients.

Healthcare organizations are not alone in this regard.
Enterprises across all verticals would do well to give their printers the side eye they deserve.
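The advice in the “Who should manage printer security?” section (close unneeded ports, keep security settings from drifting back to factory defaults, and monitor printer traffic for activity a printer has no business generating) is easier to keep up continuously when it is scripted. The following Python is an added example written for this page; it is not code from the article, from Symphion or from NCC Group. The printer names, IP addresses, scan results, the “allowed services” baseline, the designated scan-to-folder server and the flow records are all constructed for the example. A real deployment would feed it the output of its own fleet scanner and its NetFlow or firewall logs, and would take the baseline from the security requirements written into the RFP.

```python
"""Printer fleet posture check: service-exposure drift plus printer-initiated traffic.

Added example, not from the article. All inputs below are constructed.
"""

# Services a printer legitimately exposes for printing and secure administration.
# Assumed baseline for this example; a real one comes from the organization's
# printer security requirements.
ALLOWED_SERVICES = {
    443: "https-admin",
    631: "ipp",
    9100: "raw-print",
}

# Services commonly on by default or re-enabled by a factory reset after repair.
RISKY_SERVICES = {
    21: "ftp",
    23: "telnet",
    80: "http-admin",
    161: "snmp",
    515: "lpd",
    5900: "vnc",
}


def service_drift(observed_ports, allowed=ALLOWED_SERVICES):
    """Compare one device's open ports with the baseline.

    Returns (unexpected, missing): ports open that should not be, and baseline
    ports that are closed (a secure admin interface switched off, for example).
    """
    observed = set(observed_ports)
    unexpected = sorted(observed - set(allowed))
    missing = sorted(set(allowed) - observed)
    return unexpected, missing


def audit_fleet(scan_results):
    """scan_results maps printer name -> list of open TCP ports seen by a scan."""
    findings = []
    for name, ports in scan_results.items():
        unexpected, missing = service_drift(ports)
        for port in unexpected:
            findings.append({"printer": name, "kind": "unexpected_service",
                             "port": port, "service": RISKY_SERVICES.get(port, "unknown")})
        for port in missing:
            findings.append({"printer": name, "kind": "missing_secure_service",
                             "port": port, "service": ALLOWED_SERVICES[port]})
    return findings


# Constructed inventory: the HR printer came back from maintenance with
# telnet, plain-HTTP admin and SNMP switched on again.
SCAN_RESULTS = {
    "print-lobby-01": [443, 631, 9100],
    "print-hr-02": [23, 80, 161, 443, 631, 9100],
}

# Traffic side. Printers *receive* print jobs; the few connections they should
# *initiate* are DNS, NTP, SMTP for scan-to-email, and SMB to one designated
# scan-to-folder server. Anything else (SSH, RDP, SMB to arbitrary hosts) is
# a workstation-like behaviour worth an alert rather than a whitelist entry.
PRINTER_HOSTS = {"10.1.20.15": "print-lobby-01", "10.1.20.16": "print-hr-02"}
SCAN_SHARE = "10.1.5.9"            # assumed designated scan-to-folder server
OUTBOUND_OK = {53, 123, 25, 587}   # DNS, NTP, SMTP


def parse_flow(line):
    """Parse one constructed flow record: '<ts> src=.. dst=.. dport=.. proto=..'."""
    ts, *pairs = line.split()
    fields = dict(kv.split("=", 1) for kv in pairs)
    return {"ts": ts, "src": fields["src"], "dst": fields["dst"],
            "dport": int(fields["dport"]), "proto": fields["proto"]}


def suspicious_flows(lines):
    """Return flows where a known printer initiates a connection it should not."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow["src"] not in PRINTER_HOSTS:
            continue                                   # not a printer, out of scope here
        if flow["dport"] in OUTBOUND_OK:
            continue                                   # expected housekeeping traffic
        if flow["dport"] == 445 and flow["dst"] == SCAN_SHARE:
            continue                                   # scan-to-folder to the approved share
        alerts.append({"ts": flow["ts"], "printer": PRINTER_HOSTS[flow["src"]],
                       "dst": flow["dst"], "dport": flow["dport"]})
    return alerts


# Constructed flow records.
FLOWS = [
    "2023-11-28T09:12:01 src=10.1.20.15 dst=10.1.1.2 dport=53 proto=udp",
    "2023-11-28T09:12:07 src=10.1.20.16 dst=10.1.5.9 dport=445 proto=tcp",
    "2023-11-28T09:13:40 src=10.1.20.16 dst=10.1.5.22 dport=445 proto=tcp",
    "2023-11-28T09:13:41 src=10.1.20.16 dst=10.1.5.22 dport=22 proto=tcp",
    "2023-11-28T09:14:02 src=10.1.30.7 dst=10.1.5.22 dport=22 proto=tcp",
]

if __name__ == "__main__":
    for finding in audit_fleet(SCAN_RESULTS):
        print("CONFIG", finding)
    for alert in suspicious_flows(FLOWS):
        print("TRAFFIC", alert)
```

Run against the constructed data, the configuration audit reports three unexpected services on print-hr-02 and nothing on print-lobby-01, and the traffic check raises two alerts for print-hr-02 (SMB to a host other than the scan share, then SSH to the same host) while ignoring the approved scan-share connection and the non-printer workstation. The point of splitting the rules this way is that the SOC can keep its toner-style notifications suppressed and still not whitelist the device outright: the suppression applies to what the printer says, not to where the printer connects.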