When looking at enterprise security, we commonly refer to
and consider firewalls, Intrusion Prevention Systems (IPS), Virtual Private
Networks (VPN), encryption and authentication.
When we think of securing our data, we think of securing critical
servers and databases. Rarely do we
think of printers. Billions of dollars are spent worldwide on security each
year, but how much did your organization spend on securing its printers in the
last 12 months? If you answered zero,
you would be in the vast majority.
Printers have come a long way since their widespread
adoption in the late 1970s and early 1980s.
Back then, each printer was connected to an individual system and
could only process a single print job at a time. Today, printers have matured into
multi-functional devices that bear little resemblance to their distant
origins. Printers in the 21st century
perform dozens of tasks including, but not limited to, printing, scanning,
photocopying, faxing and even emailing documents. What most users, and even system, network and
security administrators do not realize is what really goes on inside a printer
and what functionality they truly have.
Most users still think of the printers of 30 years ago: unintelligent
devices that only possess the ability to print documents. This view is far removed from the truth.
When discussing printers in this article, we are not only
talking about the behemoths you see in most large enterprises, but also your
low-end multi-functional printers you now find common in regular
households.
It is rare to find a printer, no matter how small, that performs only the
single task of printing. Most, at a very minimum, provide faxing or scanning,
and with these come increased memory requirements.
Scanning a full document
in preparation to print, scanning a document to be saved as a PDF or similar
file, or scanning a document to allow faxing all require the ability to buffer
the data within the device.
A buffer is
basically a region of memory that allows the storing of temporary data.
Printers use this buffer to store a digital
version of the document you are printing, scanning or faxing.
Depending on the device, this buffer can
range from a small piece of Random Access Memory (RAM) to a Hard Disk Drive
like the type found in your desktop or laptop computer.
In larger enterprise printers, this buffer is
not the only memory store found within the printer.
A larger, non-volatile memory area is
provided to store semi-permanent or permanent information.
For example, some printers allow scanning of
a document and saving it within the
printer as a PDF.
The user may then connect to the printer as
if it were a network drive, or via a web page, and download their document.
So where are we going with all this? The leakage or theft of
sensitive and confidential corporate information. Large enterprises may have developed and
implemented data retention and destruction policies but rarely do these include,
or even mention, printers. Companies
look at hard copies of documents, CDs, DVDs and workstation, laptop and
server hard drives when developing their data destruction policies. While it is clear they identify hard drives
as a source of sensitive information, rarely do they consider the hard drives
contained within their printers, if they even know of their existence. Printers
are also commonly overlooked when security policies, procedures and guidelines
are developed and implemented. Little
time, if any, is spent looking at printer security or the implications of not
securing the corporate printers.
This becomes all the more disturbing when you consider the common types of
documents that pass through printers in a corporate environment. Depending on the industry or the department
within the organization, documents can vary from sensitive financial records,
personal customer data or detailed network diagrams, to name a few.
Understanding how sensitive data is leaked via a simple
printer to the outside world requires an understanding of the corporate
environment, the security controls within that environment, and the general flow of
information between users, printers and the file systems that house restricted
data.
In the ideal, secure corporate environment, a user has
restricted access to files that pertain to his or her job function. The files reside on a secure server within
the corporate network and are protected by strong access control policies
requiring a user to authenticate before being allowed access to files. In our
example, a user requires a sensitive financial document for a meeting he is
about to attend. The user authenticates
to the server, access to the file is authorized by the access control policies
set on the file and the user opens the file in Microsoft Word.
He clicks on the print icon and sends the
document as a print job to his nearest printer.
With this simple act, we have taken a secure document that very few
users have access to, and have created two copies that are no longer protected
by any form of access control. The first
is the obvious; the paper copy our user requires for their meeting. The second is a copy housed in the buffer on
the printer. In the ideal world, our
user will keep the printed copy safe at all times and follow the organization's
data destruction policy and destroy the copy of the document when they no
longer require it. As for the virtual
copy created on the printer, the user has no real control over this, nor
probably knows it even exists. If we are
lucky, the document is overwritten when the next print job comes through, but
this is very dependent on the brand and model of printer and how the printer
was initially set up by the administrator.
Slightly different from the straight printing of documents,
scanning documents or receiving faxes on a multi-functional printer writes
documents to non-volatile areas of memory, usually a hard disk drive. If documents are not manually removed, they
will remain there indefinitely, often long forgotten by the original user that
scanned the document or received the fax.
In either of these scenarios, improper disposal of a
decommissioned printer could have catastrophic consequences for a company. Leased printers may be returned to the
leasing company for resale. Purchased printers are discarded in the trash or
sold at auction or online via auction sites such as eBay. Either way, countless
sensitive documents could pass into the hands of nefarious individuals. While the leaking of some documents could financially
affect organizations, leaking personal information pertaining to hundreds or
thousands of customers or clients could have reputation ramifications that
could destroy a company.
Most organizations do not realize the full potential of
their printers or the functionality they have available. While much functionality is non-security
related, these functions have considerable impact on the security of the data
within an organization and need to be understood and addressed. These include, but are not limited to:
1. The ability to copy files to Windows or Unix SMB file
servers
2. The ability to email scanned files to a user
3. Functionality that allows printers to receive faxes and
then forward the fax onto predefined users via multiple methods, such as email
or as another fax, and
4. The ability to store files which have been scanned,
printed, emailed or uploaded locally on the printer.
While the previous data leakage scenarios have been
accidental in nature, data remaining on printers could be the target of an
educated attacker, one that understands the value of data residing on printers
and who has the ability to compromise that data. While organizations invest hundreds of
thousands of dollars to secure their network, dividing networks and systems
into zones of trust with firewalls, Intrusion Prevention Systems and other
network access control points, they have rarely considered where printers are
logically placed within the network. In
most cases, they are located among the users, or in some organizations, even on
the server networks. Some organizations
do not even have zones of trust and the printers exist among users, servers and
even Internet accessible systems. In the
worst case scenarios, the printers may even be Internet accessible themselves. Printers are not seen as critical devices,
and as such, are not secured in their own zone of trust, where the
management interfaces would be reachable only by trusted printer
administrators.
By limiting access to
these interfaces, compromise of the data housed on these printers becomes exceedingly
difficult.
While most printers have the capability to authenticate both
printer administrators and normal printer users, the majority of the time this
functionality is disabled or left in its default state: disabled. Five minutes on Google and an attacker will
be able to find the default password to almost any printer. Once administrator access is gained to a
printer, it takes little time and even less ability to make changes to settings
that could be catastrophic to an organization.
Finding yourself locked out of your printer, or its interface switched to
another language so that no one could control it, would be little more than
annoying. If the attacker were to redirect your printing, or copy documents to
a location outside the internal network, then depending on the contents of the
file it could ruin an organization.
So how does an organization protect itself against attacks
against printers and leakage of sensitive data?
A few simple steps:
1. Disable unnecessary functionality. If any function within the printer is not
required within your business, disable it.
The fewer services or functions a printer has running, the fewer avenues
of attack or leakage the printer has.
2. Add printers to your data retention and disposal
policies. Make sure all memory inside
printers is disposed of via secure destruction or secure wiping when printers
are decommissioned.
3. Ensure data is overwritten immediately after
printing. This requires the printer in
use to support this functionality, but if your data is highly sensitive, this
should be a priority when looking at new printers.
4. Print from memory rather than hard disk drive if
available.
5. Use the secure printing option, if available, so
printouts do not start before you reach the printer and enter your
password. How often have you hit print,
walked to the printer and your printout is nowhere to be seen, only to turn up
lying on a table days or even weeks later?
6. Examine where printers are logically located within the
network. Printer management interfaces
should be restricted and only accessible from defined management IP addresses. Ensure printers are never accessible from the
Internet. Assess whether some or all
printers should be located within their own zone of trust.
7. Use the inbuilt security within the printer to restrict
who has access, what access they have and where they may access from.
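The checklist above, together with the earlier point about placing printers in their own zone of trust with management interfaces reachable only by printer administrators, can be turned into a simple compliance audit over a printer inventory. The following Python script is an added example, not code from the original article: it scores a constructed inventory against steps 1, 3, 6 and 7 and the default-password problem. The subnets, device names, function names and the decision about which functions are "unneeded" are all assumptions made for illustration; in practice they come from your own network design and business requirements.

```python
"""Printer hardening audit: an added example, not code from the original article.

Checks a constructed printer inventory against the article's checklist:
unneeded functions left enabled (step 1), spool data not overwritten (step 3),
management interfaces reachable from outside the management subnet or from
the Internet (step 6), and administrator credentials left at the default
(step 7).  Every subnet, device and function name below is an assumption
made for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

# Assumption: internal networks use RFC 1918 space only, so any printer
# addressed outside these ranges is treated as Internet-reachable.
INTERNAL_RANGES = [ipaddress.ip_network(c)
                   for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: the subnet that printer administrators manage from.
MANAGEMENT_SUBNET = ipaddress.ip_network("10.0.99.0/24")

# Assumption: functions this business has decided it does not need.
UNNEEDED_FUNCTIONS = {"fax_forward", "scan_to_email", "scan_to_smb",
                      "local_storage", "ftp", "telnet"}


@dataclass
class Printer:
    name: str
    address: str                     # the printer's own IP address
    default_admin_password: bool     # True if never changed from the factory default
    enabled_functions: set = field(default_factory=set)
    mgmt_allowed_from: list = field(default_factory=list)  # CIDRs; empty = any source
    overwrite_after_job: bool = False


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_RANGES)


def audit_printer(p: Printer) -> list:
    """Return (code, detail) findings for one printer; an empty list means compliant."""
    findings = []
    addr = ipaddress.ip_address(p.address)

    if not is_internal(addr):
        findings.append(("INTERNET_EXPOSED", f"{p.address} is outside internal address space"))
    if p.default_admin_password:
        findings.append(("DEFAULT_PASSWORD", "administrator password never changed"))

    extra = sorted(p.enabled_functions & UNNEEDED_FUNCTIONS)
    if extra:
        findings.append(("UNNEEDED_FUNCTION", "enabled: " + ", ".join(extra)))

    if not p.mgmt_allowed_from:
        findings.append(("MGMT_UNRESTRICTED", "management interface accepts any source"))
    for cidr in p.mgmt_allowed_from:
        # Every permitted source must fall inside the management subnet.
        net = ipaddress.ip_network(cidr, strict=False)
        if not net.subnet_of(MANAGEMENT_SUBNET):
            findings.append(("MGMT_OUTSIDE_SUBNET", f"management allowed from {cidr}"))

    if not p.overwrite_after_job:
        findings.append(("NO_OVERWRITE", "spool/buffer data retained after each job"))
    return findings


def audit_inventory(printers) -> dict:
    """Map each printer name to its list of findings."""
    return {p.name: audit_printer(p) for p in printers}


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Printer("finance-mfp-01", "10.0.20.10", default_admin_password=True,
            enabled_functions={"print", "scan_to_smb", "fax_forward"}),
    Printer("lobby-printer", "203.0.113.7", default_admin_password=False,
            enabled_functions={"print"}, mgmt_allowed_from=["10.0.99.0/24"],
            overwrite_after_job=True),
    Printer("hr-mfp-02", "10.0.30.4", default_admin_password=False,
            enabled_functions={"print", "scan_to_email"},
            mgmt_allowed_from=["10.0.99.0/24", "10.0.30.0/24"],
            overwrite_after_job=True),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for code, detail in findings:
            print(f"  [{code}] {detail}")
```

Running the script lists, per printer, which checklist items it fails. The inventory records would normally be populated from the printers' own configuration pages or an asset database rather than typed in by hand; the audit logic stays the same.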
Securing printers should be an integral part of securing
your data. Security policies should
exist that address the risks and define how printers should be secured. Develop printer security guidelines and
procedures for implementation of new printers and follow these standards to
ensure all printers are secured and do not become a high risk to your
organization. By securing your printers,
you are contributing to your overall layered security model and protecting your
organization's critical data along with its reputation.