Data Security

Cyber security awareness month is almost over, but before it ends we’ve got some advice from infosec pros to pass on that hopefully will be useful in your work.

Today’s tip comes from Jason Carney, print security advisor at HP Inc., who warns many infosec pros underestimate the risk posed by a common device on internal networks: Internet-connected printers.

These devices, particularly enterprise multi-function printers, are akin to PCs – they have a BIOS and a hard drive – and have to be made secure.

“Printers are shared devices,” he points out. “Important data flows through them, and people don’t consider that data the way they think of (protecting) a laptop … Therefore they should be equal network citizens with regard to security.”

For proof, look at recent distributed denial of service (DDoS) attacks, which can leverage printers as easily as Internet-connected routers and surveillance cameras.

The second piece of evidence is the work of a hacker called Weev, who earlier this year claimed responsibility for twice forcing tens of thousands of printers in the U.S. to pump out racist pamphlets.

The number one thing infosec pros should do to secure a printer is inventory how many are connected to the network or are directly connected to PCs that are on the network. Then ensure the default passwords are changed to combinations of letters and numbers that aren’t easily guessed or are on common password lists.

Look for printers that can encrypt traffic or refuses to release a print job unless an employee enters a PIN number, says Carney.

He also advises turning off unused services – for example, Apple Bonjour or wireless printing– which can be a way in for attackers

Among the resources infosec pros can consult is a checklist published by the U.S. National Institute of Standards and Technology (NIST) for securing multi-function devices and network printers.

Among its recommendations is to put these devices on a dedicated network segment or virtual local area network (VLAN) with a discretionary access list to limit access to IPs of the print spoolers and system administrators.

Other tips include:

–ensure the firmware is updated;

— prevent unauthorized physical access to the hard drive using either a locking mechanism or other physical access control measure.

–implement authenticated access to management controls, allowing access to authorized administrators based on privilege assignments.

-enable and configure audit logging (Syslog capability preferred).

If a device does not allow disabling services, resetting passwords and updating firmware the vulnerability will be mitigated by replacing the print server with another internal or external print server that allows a compliant configuration, or placing the device behind a switch, router or firewall allowing a discretionary access list to block all traffic to the device except the traffic coming from the print spooler and the system administrator’s IP.