The downside of ever-wider connectivity is, of course, that if everyone can reach you, anyone can reach you.
Scores of U.S.-based colleges and universities had a harsh reminder of this reality recently, when their networked-but-unsecured printers began to churn out flyers from a neo-Nazi organization that contained racist and anti-Semitic propaganda.
The hacker who claimed responsibility for the attack said he had used simple and widely available tools, including a search engine that identified some 30,000 printers whose port 9100 had been left exposed, and a five-line UNIX script that enabled him to feed the offending content to those devices.
Embarrassed university officials scrambled to condemn the attack, and to tighten controls on how external sources connect to university printers. Perhaps understandably, their focus was on closing the barn door after the proverbial horse had bolted.
But their experience is also a pointed reminder to every organization that has Internet-connected printers, scanners, or MFPs (multi-function printers), about the importance of striking the right balance between availability and security.
Public-facing is not always public-friendly
Printers, scanners, and MFPs are indispensable tools in today’s workplace. While there is often a compelling business reason to connect them to the wider world via the Internet, making these devices public-facing carries risks that should not be ignored.
According to David Escalante, Chief Information Security Officer at Boston College (which was not affected by the recent attack), Internet-exposed printers can cause “a surprising range of problems beyond unexpected print-outs from undesired parties,” especially as those devices add functionality.
“It is really important to secure ‘smart’ or ‘multi-function’ printers, as they can be used for a variety of purposes, including sending out faxes that appear to be from you, storing files, and caching documents scanned on the printer,” said Escalante.
The advanced functionality that printers, scanners, and MFPs now deliver – such as capturing documents and automatically routing them, or sending out alerts when they are in need of repair, or upgrading themselves with software patches delivered on the fly – increasingly mirrors the capabilities of a PC or mobile device. This is possible because these devices, like PCs, contain hard drives, embedded firmware, and – crucially – network connections.
As a result, it’s essential to apply to printers, scanners, and MFPs some of the same security practices you now apply to PCs and mobile devices, in order to assure the integrity of documents and document-based workflows. A recent What’s next post details these practices, which include:
- Require user authentication
- Centralize the auditing of network activity
- Encrypt data to and from MFPs
- Enforce the use of trusted network destinations
- Implement rules-based printing
More capable and more connected printers, scanners, and MFPs offer compelling advantages in productivity and convenience. All that is required to ensure they are used and not abused are some straightforward security practices, and a little common sense.