An Overlooked Network Security Risk

Print Devices: An Overlooked Network Security Risk

Print devices are signiﬁcantly overlooked in most IT security strategies, despite clear evidence they are an easy target for cyber criminals.

START

STRATEGIC MARKETING SERVICES P rint devices are not getting enough “With the universe of connected devices attention in the enterprise’s IT security growing exponentially, so is the sophisti- strategy. Only 30% of IT professionals cation and volume of cyber attacks and recognize printers as a high security risk, data breaches; this includes an increase in according to a May 2018 Spiceworks focus on enterprise printers, which tend survey. to be the more sophisticated devices on the network comparable to PCs,” Shivaun And yet 59% of organizations have Albright, Chief Technologist of Print reported a print-related data loss in the Security at HP, told Forbes. past year, according to a 2019 Quocirca analysis and trend report. Cyber threats targeted Cyber threats targeted toward printer and toward printer and Internet Internet of Things (IoT) devices have increased more than 200%, according to of Things (IoT) devices have the 2019 SonicWall Cyber Threat Report. increased more than 200%

The writing is on the wall: As an endpoint device attached to the network, the print This paper examines why print devices device is a signiﬁcant security risk. Just make easy targets for cyber criminals, like IoT sensors, today’s modern, intelli- and how organizations can better address gent, programmable print devices are print device security to manage and help routinely connected to the internet and reduce risk. the corporate network—in turn expand- ing the enterprise cyber attack surface.

Only 30% of IT professionals recognize printers as a high security risk

2 STRATEGIC MARKETING SERVICES Printers Are a Target Physical attacks. The attacker physically plugs in a USB drive to Even more so than a PC, a print device can the print device. If this maneuver is be an easy target for cyber criminals to not discovered, the criminal can gain access to the network. Many enter- move through the network to prise printers are not hardened, have no exfiltrate sensitive data. access controls or authentication policies in place, don’t use encryption, and/or are A smartphone running outdated firmware, based on HP Wireless hacking. with stolen credentials can send Security Advisory Service risk assess- malware to local printers. Taking it ments. a step further, Singapore researchers attached a mobile phone to a Hackers look for these under-secured, drone, and then demonstrated how unmonitored endpoints to gain entry to the device could intercept data to the network. By infecting a print device, or from an open, wireless print hackers can then move laterally through a device. network and cause damage while they remain hidden. The use of hacking tools such as Metasploit or Mimicatz allow “We’ve compromised a number of hackers to scan the printer and companies using printers as our initial local subnets for data such as user foothold. We’ve moved laterally from the information and admin credentials printer, find the Active Directory, query it that can provide access to different with an account from the printer and networks. bingo, we hit gold,” writes Peter Kim in his book The Hacker Playbook 2: Practical or system Guide to Penetration Testing. Exploit old protocols services typically available on printers to run malware. How do hackers exploit vulnerabilities and gain entry to print devices? There are several methods: Take advantage of misconfigured devices, especially those set up with default accounts or Remote attacks. The hacker runs passwords. execution code via a multi-function print device’s telephone line. Or Once attackers are in, they can remain they send weaponized Postscript or hidden on the network, and cause serious Office files as a phishing attempt. damage (see Printer Exploits box below). These strategies bypass firewalls and can be used to then move across the network for further exploits.

3 STRATEGIC MARKETING SERVICES Sophisticated conﬁgured, patched, updated, and monitored. Like other providers of Technology—But Often software and proprietary systems such as Overlooked IoT devices, the print device manufacturer has the responsibility to patch and Today’s modern print devices are sophis- provide security features such as ticated, vulnerable pieces of network malware detection. technology. For example, printers are IoT manufacturers similar to IoT devices with built-in Also, IoT manufacturers often lag in often lag in proprietary software; they are intelligent, incorporating security features. As programmable, and internet-connected. described above, there are numerous incorporating In addition, multi-function print devices ways that attackers take advantage security features use powerful capabilities to process and vulnerabilities, especially in oﬀ-the-shelf transmit data, as well as scan to USB and devices, making it critical for enterprises email. to take printer security seriously.

In addition, today’s print devices are built So, why are these sophisticated pieces of with connectivity functionality such as technology overlooked? remote management and smart applica- tion access. They are often connected A signiﬁcant part of the issue is a general across multiple network subnets with lack of IT visibility and/or a lack of risk varying trust levels, making them a viable prioritization. For example, print devices source for hackers to move laterally are often installed, managed, and/or through a corporate network. connected to the network by individual business teams in a very decentralized Each print device comes with its own set manner; thus, the enterprise has zero of proprietary software that must be visibility. Or print devices are deployed by

4 STRATEGIC MARKETING SERVICES

facility and procurement departments as greater effect. That’s because it takes a continuation of legacy processes only one user to send a print file with a established originally for copiers and fax weaponized Postscript file to initiate a machines. Often, IT has no knowledge of stealth attack. these print devices, meaning their configuration management database of In addition, it’s common for the IT staff to devices on the network is outdated and neglect print devices due to the sheer incomplete. This is the case for 55% of volume of devices across the enterprise. companies1, according to HP security risk The typical organization has deployed assessments.2 multiple print device brands, each with its own set of proprietary software to Another reason print devices are configure, patch, update, and monitor. For overlooked: Companies think existing example, a multi-function print device can protections like firewalls are sufficient. have up to 250 security settings that However, in its threat investigations, must be configured. The Spiceworks SonicWall found cyber criminals are using survey found that many IT departments malicious PDF and Office files to get simply don’t have the time and knowl- around these security controls—to edge to keep up.

What’s more, in some scenarios IT professionals view security monitoring for print devices as a nuisance. These tasks are given low priority because print logs are complex to interpret; staff suffer threat-alert fatigue from false positives; or there is an inaccurate attitude that other intelligent, programmable, and connected devices such as PCs pose a greater security risk. Each of these reasons is evident from HP Security Advisory Service risk assessments2: Sophisticated configured, patched, updated, and monitored. Like other providers of Technology—But Often software and proprietary systems such as Overlooked IoT devices, the print device manufacturer has the responsibility to patch and Today’s modern print devices are sophis- provide security features such as ticated, vulnerable pieces of network malware detection. technology. For example, printers are similar to IoT devices with built-in Also, IoT manufacturers often lag in proprietary software; they are intelligent, incorporating security features. As programmable, and internet-connected. described above, there are numerous In addition, multi-function print devices ways that attackers take advantage use powerful capabilities to process and vulnerabilities, especially in off-the-shelf transmit data, as well as scan to USB and devices, making it critical for enterprises email. to take printer security seriously.

facility and procurement departments as greater effect. That’s because it takes a continuation of legacy processes only one user to send a print file with a established originally for copiers and fax weaponized Postscript file to initiate a machines. Often, IT has no knowledge of stealth attack. these print devices, meaning their configuration management database of In addition, it’s common for the IT staff to devices on the network is outdated and neglect print devices due to the sheer Cyber criminals are incomplete. This is the case for 55% of volume of devices across the enterprise. companies1, according to HP security risk The typical organization has deployed using malicious PDF assessments.2 multiple print device brands, each with its and Office files to get own set of proprietary software to Another reason print devices are configure, patch, update, and monitor. For around security overlooked: Companies think existing example, a multi-function print device can controls protections like firewalls are sufficient. have up to 250 security settings that However, in its threat investigations, must be configured. The Spiceworks SonicWall found cyber criminals are using survey found that many IT departments malicious PDF and Office files to get simply don’t have the time and knowl- around these security controls—to edge to keep up.

1 Based on data from 1.2 million printers, using the HP ﬁrmware tool. 2 Stats are calculated by HP using an internal HP database of results from assessments conducted by HP Print Security Advisors (78 assessments in the database, as of February 2019).

of companies do of companies’ print of companies’ of companies do 89% not periodically 88% and scan jobs are 85% printer logs are not 84% not produce or review logs not encrypted while enabled to identify regularly review in motion logon attempts or print security changes to access compliance control reports

of companies of companies do of companies have of companies use 69% have not enabled 68% not have security 68% insuﬃcient audit 50% generic accounts anti-malware on awareness event log storage for print ﬂeet print devices training around space needed management IoT and printers for security solutions and investigations servers

All of these examples make it clear that organizations need to address print device security

5 STRATEGIC MARKETING SERVICES 5 Steps Toward Print 3. Strengthen printer use and maintenance. Change default Device Security passwords for print devices to complex ones, as advised by the There’s a better way to ensure print device National Institute of Standards and security, including starting with an assess- Technology. Use encryption ment and looking to your managed print services and protocols to ensure services (MPS) provider to take on IT secure transfer of print jobs. Also, security tasks. consider automating the process of firmware updates for easier Print devices must become part of the management. organization’s overall IT security strategy. To that end, analyst firm Quocirca offers 4. Continuously monitor. some of the following recommendations: Network monitoring and alerting tools track devices to provide a secure view of the entire print 1. Assess security and risk. environment. Use the data generat- Organizations must treat print ed by multi-function printers, for devices like any other IT endpoint and example, to identify and respond to build them into the overall security security incidents. strategy. Start by evaluating the existing fleet to discover potential 5. Consult with experts. vulnerabilities and develop a founda- MPS providers offer a wide range of tion for ongoing device monitoring. services, including full assessments of the print environment and 2. Buy with security in mind. evaluation of potential vulnerabili- During the procurement process, ties. They can also take on a wide evaluate printers for built-in security variety of security tasks, such as features such as intrusion detection, training users on the need to white-listing, and syslog data protect sensitive information, thus collection with links to security reducing the burden on IT teams. information and event management (SIEM) tools.

5 Steps to Button Up Print Device Security

Assess security Buy with Strengthen Continuously Consult with and risk security in printer use and monitor experts mind maintenance

6 STRATEGIC MARKETING SERVICES The Bottom Line The Growing List of Print Exploits

At the end of the day, print devices must be included The seemingly innocuous printer has become a prime in any IT security strategy. Just like PCs, they carry target for hacks and attacks. Vulnerabilities and multiple vulnerabilities and risks. And just like IoT examples include: devices, they are an endpoint entry onto the network, where the potential for damage multiplies. A print device was the entry point for an India bank heist. Even IT administrators initially thought According to a 2019 report by Quocirca by analyst it was simply a device error, and rebooted the Louella Fernandes: “Print security is becoming a system. greater concern to businesses with 59% reporting a print-related data loss in the past year… It is impera- Print devices at the Norwegian Parliament had to tive that businesses become more print security be taken out of commission due to alleged conscious, particularly as they look to close the Russian espionage. paper-to-digital gap in their business processes.” Researchers discovered thousands of 3D printers Fernandes goes on to advise, “By using the had no password protection, leaving 3D model appropriate level of security for their business needs, plans and webcam feeds exposed. an organization can ensure that its most valuable asset—corporate and customer data—is protected. A vulnerability in a multi-function printer enabled Managed Print Service providers are well positioned a hacker to compromise the device—by sending to provide the support and guidance needed. There is a fax. no room for complacency, given the far-reaching repercussions—legal, ﬁnancial and reputational—of print related data losses.”

Get Print Security Help From the Experts

Commit to assessing your enterprise’s print situation. The HP Print Security Advisory Service helps companies develop a cohesive strategy to protect the business. The Service includes an in-depth security risk assessment, including a detailed security risk report down to the device level, security policy guidance, and solution recommendations. Download a brochure here.

4AA7-5851ENW, July 2019

7 STRATEGIC MARKETING SERVICES