There has been a lot of chatter about the security vulnerabilities in our printers, fax machines and multi-function printers (MFPs) in general. So much so that HP invited 34 security researchers to participate in its bug bounty program for printers, offering up to $10,000 per bug. Then recently, at the DEF CON 26 hacker conference Check Point security researchers showed how susceptible our networks are to hackers. With one malicious fax they were able to control an all-in-one-printer and ultimately the connected computer.
Why is there so much interest with printer security of late? Are their legitimate concerns? How can we better protect out printer networks? Security experts Dan Lohrmann, Chief Security Officer at Security Mentor, Inc, Shahid Shah, CTO at Citus Health, Inc., Scott Schober, Author of Hacked Again, Tyler Carbone, COO at Terbium Labs and Robert Stasio, Managing Director Dreamit Ventures shared their insight with us.
Why is print and document security so top of mind now?
Several recent security incidents highlight the reality that printer / scanner / fax machines are often a backdoor into networks. They are easy targets for hackers that can easily be found with hacker tools and not much effort. Even when vulnerabilities are detected and patched by manufacturers, firmware patches are often not applied by enterprise organizations in a timely manner. Dan Lohrmann, Chief Security Officer at Security Mentor, Inc
Printers and fax machines are, these days, just as complicated and feature packed as other servers: they have compute, network, hard drives, and workflow management applications built in. At a minimum, we must treat print and fax devices the same as other servers – but, on top of that we must add other tracking and security features because these devices can bypass all our other security controls once something is on paper or goes through a phone line.
Current firewalls, defense in depth, segmented LANs, and other modern techniques do a good job of protecting transactional records (e.g. database rows). However, once data makes it way on a printed documented or faxed, all the protections go (literally) “out the window”. Therefore, document security is also getting more attention. Shahid Shah, Chief Technology Officer at Citus Health, Inc.
I think it’s a combination of a few things: we’re seeing attacks continue to increase, we’re seeing increased regulatory pressure to disclosure breaches, and we’re seeing greater public and media interest and investigation. Taken together, there’s increasing pressure to follow best practices in a way that will stand up to scrutiny. Tyler Carbone, COO at Terbium Labs
There is a surge in protection in the field of IoT security. This includes things like printers, smart home devices, and control type equipment. Historically security has been an afterthought in these devices, but there have been a series of attacks leveraging IoT devices dies to their inherent vulnerabilities. Therefore, we are seeing a concentration with printer security. Robert Stasio, Managing Director Dreamit Ventures
How does human error factor in printer and document security?
Human error is in fact one of the biggest problems in keeping documents secure. Often too much emphasis is placed on hackers initiating malicious attacks through phishing scams or placing keylogger malware. One area of concern is that any sensitive documents left uncollected in the printer output tray for prying eyes to read or copy. By properly configuring the print management software, users can be required to authenticate before initiating a print job. If any job is not claimed and properly authenticated the job will be deleted after a short period of time. Security implementation such as this prevents the human error of accidentally and/or intentionally picking up the wrong document. Scott Schober, Cybersecurity Expert & Author of Hacked Again
Paper documents don’t come with passwords and security requirements – when people print, fax, or otherwise manage paper as digital artifacts they forget that the surface area increases. Even the most security conscious folk don’t get print and fax security right and no amount of training will eliminate all security issues. Security must be built into the systems directly and small amounts of machine learning or AI capabilities will remind users how to make things more secure if systems cannot handle it for them automatically. Shahid Shah, Chief Technology Officer at Citus Health, Inc.
One aspect is just laziness. People take devices out the boxes and plug them in using default settings. Also, firmware upgrades or other needed maintenance may be ignored when compared to patching PCs and laptops and network backbone equipment. Also, some people just do not know that there are steps that need to be followed to secure these attached devices. Dan Lohrmann, Chief Security Officer at Security Mentor, Inc
This comes back to why we always say that defense, while necessary, is not sufficient. At the end of the day, you need to protect yourself as well as possible from external threats and have in place risk management strategies for the inevitable instances when those defenses are not 100% effective. Tyler Carbone, COO Terbium Labs
What steps can businesses take to improve print and document security?
Hold printer and fax device manufacturers to the same level of scrutiny as computer servers. Print/fax have the same baseline security vulnerabilities but then they are more vulnerable because there are additional moving parts and capabilities which other servers don’t have. Shahid Shah, Chief Technology Officer at Citus Health, Inc.
It comes back to a focus on hygiene — updates, best practices, etc. Implement the best defensive technologies you can and set everything up within a risk management framework that (1) minimizes damage if a breach occurs, and (2) ensures that operations can continue after it does. Tyler Carbone, COO at Terbium Labs
The best prevention mechanism with connected devices is monitoring. There are multiple vendors in the IOT space which can look at a network tap and monitor threats across all connected devices, including IOT. Once a threat is detected it can cut off all internet traffic. Robert Stasio, Managing Director Dreamit Ventures
“Creating a clear written internal policy within an organization is essential when securing print and document security. When printed documents and print jobs are executed but not removed from the outbound print tray they need to have a short window before they are shredded. This is especially important for documents that contain financial information such as account numbers or employee social security numbers. The digital file that contains this secure information should be a password protected file.” Scott Schober, Cybersecurity Expert & Author of Hacked Again
Organizations must ensure that they do an assessment of current configurations and know what you have in place now. They must make use of and enable the security features that are available, including stronger Wifi security settings when available. Follow best practices. Dan Lohrmann, Chief Security Officer at Security Mentor, Inc
A cyberattack on printers is not just a theory but a reality. IT executives must take steps to protect their organizations from a printer breach.