HP continues to shine a spotlight on print security with last years announcement of embedded print security features that aim to mitigate the threat of malware. So how vulnerable are printers to external attacks, and how can businesses limit their risks?
While the prevalence of connected printers and MFPs bring convenience and productivity, they also pose security risks. Along with the capabilities to capture, process, store and output information, most print devices also run embedded software. Information is therefore susceptible at a device, document and network level. Not only can confidential or sensitive data be accessed by unauthorised users – whether maliciously or accidentally – but network connectivity makes vulnerable print devices potential entry points to the corporate network.
Any data breach can be disastrous – leading to internal consequences such as the loss of IP or productivity, as well as external repercussions including brand and reputational damage, legal penalties and loss of customers.
In today’s evolving Internet of Things (IoT) threat landscape, hackers that target printers with lax security can wreak havoc on a company’s network. Data stored on print devices can be used for fraud and identity theft and once hackers have a foothold, the unsecured print device provides an open door to the network. Compromised devices can be harnessed as botnets and used as launch pads for malware propagation, DDoS attacks and devastating ransomware attacks.
It is unsurprising to see that external hacking and DDoS attacks are top print security concerns amongst businesses. And although 95% of businesses indicate that print security was an important element of their overall information security strategy (55% say it was very important, and 40% fairly important) – just 25% reported that they are completely confident that their print infrastructure is protected from threats.
To address these threats, print devices need to include robust security protection. Fortunately, more manufacturers are embedding security in new generation devices. HP’s enterprise printers for instance, can detect and self-heal from malware attacks through run-time intrusion detection and whitelisting. The newly announced HP Connection Inspector stops malware from “calling home” to malicious servers, stopping suspicious requests and automatically triggering a self-healing reboot. Meanwhile Xerox’s ConnectKey Technology enabled family of printers incorporates McAfee whitelisting technology which constantly monitors for malicious malware and automatically prevents it from running.
However, it only takes one rogue, unsecured device to weaken security. Whilst progress is being made on embedding security technology in the new generation of printers, the reality is that most organisations have a mixed fleet of devices – old and new, from different manufacturers.
Organisations should therefore undertake a print security threat assessment. Such assessments are commonly offered under a managed print/document service (MPS/MDS) contract, and seek to uncover security vulnerabilities.
Quocirca’s MDS study revealed that 31% of organisations have completed such an assessment with another 57% indicating that their assessment is underway. Organisations report that the top goal (65%) for a security assessment is to protect against new, advanced threats.
The most sophisticated security assessments such as that from MPP, not only make recommendations for device replacement and optimisation, but also offer ongoing and proactive monitoring of devices to identify potential malicious behaviour. Ultimately this requires that print devices are monitored as part of a broader security platform – MPP for instance, offers integration with security and information and event management (SIEM) tools.
As both internal and external threats continue to evolve, a multi-layered approach to print security is essential to combat the security vulnerabilities that are inherent in today’s networked printers. Unless an organisation regularly tests its defences, it will be at risk of leaving a part of the print infrastructure exposed – enabling a skilled hacker to penetrate the network.
A business can be targeted no matter how big or small, so a comprehensive print security strategy that encompasses threat detection, preventative measures, threat monitoring and analytics alongside incident response and recovery is vital in today’s IoT era.
To succeed in the digital age, organisations need lean, integrated and most of all digital processes to support their business
As we move towards a cashless environment, the initial frenzy and confusion has given way to a paper-free work environment. With global-tech firms like Google and Amazon paving the way for digital payments, this has reduced the dependency on cash and pushed us towards the use of digital solutions. These initiatives have captured the imagination of a cashless economy thereby reducing our dependency on paper. In the corporate world, this could signal the beginning of a paperless culture. Let’s start by looking at some trends which show how imperative it is to build a paper-free work environment:
The amount of paper used in organisations towards printing documents in a single day is astounding. According to the paperlessproject.com, globally, an average office worker uses 10,000 sheets of copy paper annually. These numbers can be changed drastically by integrating paperless solutions to avoid the needless printing of documents. One way for organisations to reduce costs and better manage discretionary spending is to automate invoice processing and disbursements.
Automation delivers an average of 29 per cent reduction in invoice processing costs. Also, manual expense reporting involving paper receipts and tedious expense report assembly are a burden on business travellers. Employees find collecting receipts and filling reimbursement forms very cumbersome. At the office, the finance department cringes at the thought of deciphering receipts copied manically onto sheets of paper, and everyone, especially CFOs keeping their eyes on cash flow, don’t like waiting to be paid. Further, if data is scattered across the business in paper form, it is impossible to get the full picture, let alone insights that are accurate and timely.
The massive paper piles, tedious tasks, and inefficiency of paper-based processes are some of the things that employees detest. One key solution is digital payments. Compared to manual payment systems, it’s faster, more accurate, and rich in data that can improve decision-making and reporting.
CFOs look for a more integrated and automated payments approach with several benefits— most importantly, less manual labour and lower costs, freeing up resources for more strategic uses. Many of them also expect more accurate reporting, improved payment processing speed, visibility, control, data security, and compliance.
Companies that have adopted electronic expense reporting have experienced a whopping 58% reduction in processing costs and greater ROI. The automated system enables employees to book travel plans that are compliant and cost-efficient, manage expenses without having to keep track of paper receipts or fill out spreadsheets and gain approvals more quickly. No more collecting paper receipts, filling out paper expense forms and trying to get reimbursed.
In a study by the Aberdeen Group, 48% of businesses indicate they want to improve their travel and expense processes and thereby, their visibility on spending. This enables them to see monthly spending and to be able to close the business’s books.
With an automated system, there is more benefit in terms of heightened productivity, minimal need for manual input of T&E spend data, and optimal use of data mining and insight to flag out-of-policy spend. Plus, the benefits to the environment are immense – forgoing 55,000 receipts can spare as much as an entire tree!
To succeed in the digital age, organisations need lean, integrated — and most of all digital processes to support their business. Finance and procurement decision makers who prioritise fast, connected, and insight-led payment processes will surpass those who continue to rely on inflexible, disconnected, paper-based systems. Solutions that integrate systems with automated payment tools can generate important operational efficiencies, such as reduced manual labour and costs as well as greater visibility and control over payments.
The far-reaching financial, legal and repetitional implications of a data loss mean that information security is a business imperative. Safeguarding the ever-increasing volumes of valuable corporate data against unauthorised access has become integral to maintaining business operations and adhering to increasingly vigorous data privacy compliance requirements.
For many organisations, their cyber-attack surface area is increasing as connected Internet of Things (IoT) endpoints proliferate. These include both legacy and the new breed of smart printers and multifunction printers (MFPs). Consequently, businesses must take a proactive approach to print security as these print devices can provide an open door to corporate networks. By taking steps to analyse the potential vulnerabilities of print environments, businesses can mitigate risks without compromising productivity.
October 2016 saw one of the worst distributed denial-of-service (DDoS) attacks in history, when a strike on DNS provider Dyn took a major part of the internet’s DNS infrastructure offline – including Amazon, Twitter, Spotify, Netflix and Reddit. This attack is representative of the increasing complexity of the data security threat, and the rising number of high-profile breaches that are affecting hundreds of millions of users worldwide. Its nature also signals the evolving shape of the threat: the attackers targeted the rapidly growing network of connected devices known as the Internet of Things (IoT).
The number of IoT devices – think vending machines, thermostats, video cameras and networked printers – is estimated to reach anywhere between 20 and 50 billion by 2020. These devices are smart and connected, but they are also vulnerable. IoT devices can be remotely managed, and are able to generate, store and retrieve a wealth of data as well as initiate service or maintenance requests. For hackers and malware looking for a way into a corporate network, unsecured IoT deployments provide the perfect entry point.
The consequences of any networked device being compromised are far reaching, whether the outcome is downtime or data loss. A data breach can leave a company open to huge fines and legal penalties and damage its reputation and customer confidence. According to PwC1 90% of large and 74% of small UK organisations reported suffering a data breach in 2015, while a 2016 study from the Ponemon Institute2 reveals the average total cost of a breach to be $3 million, with the average cost per stolen record $158.
In Europe, the penalties for a data breach will become even higher when the new General Data Protection Regulation (GDPR) comes into force in 2018. Companies that handle EU citizens’ data will have new obligations in a number of areas – including data subject consent, data anonymisation and breach notification – requiring major operational reform. Regulators will be authorised to issue penalties equal to €10m or 2% of a business’s global gross revenue, whichever is greater, for breaches. The UK will be required to comply with the GDPR, whatever the agreed terms of its exit from the EU, as member countries will remain key trading partners.
Implementing strategies to ensure that data on endpoints is protected from theft, loss, digital intrusion or prying eyes is therefore critical to any organisation.
With its advanced connectivity and capacity to store large volumes of data, the multifunction printer (MFP) has long been a ‘weak link’ in the IT infrastructure – one that businesses can no longer afford to be complacent about.
The MFP has brought increased convenience and improved productivity to the office environment. A smart, sophisticated device which runs its own software and services, it has evolved to become an integral document processing hub capable of handling print, copy, fax, scan and email. However, its ability to monitor usage and collect data, as well as network connectivity only increases the potential for exploitation by hackers.
With MFPs often situated in easily accessible locations, if the proper controls are not in place it is all too easy for unauthorised users to get their hands on confidential or sensitive information left in output trays – either intentionally or by accident. In a recent survey by Quocirca, 61% of large enterprises admitted suffering at least one data breach through insecure printing.
This security gap must be closed. Organisations need to take steps to include effective print security as part of their overall information security strategy. This should encompass a full evaluation of security risks associated with the existing print infrastructure at a hardware, user and document level, the implementation of the technology, and user engagement.
Despite the move to digital communications, many businesses still rely on printing to support key business processes. MFPs are prevalent across businesses of all sizes and as such they are a critical network endpoint that must also be secured. Even behind a firewall, an MFP can be a front door to the network leading to the potential for compromising corporate or customer data.
The potential risks are illustrated in Figure 1. These include:
Data loss through printing is prevalent, even amongst organisations that operate a managed print service. Overall 61% reported at least one data loss in the past year, 51% in organisations with more than 3,000 employees and 68% in organisations with 1,000 – 3,000 employees. For those organisations not using an MDS it is likely that the proportion of breaches is even higher (Figure 4). In fact, in many cases organisations may not be aware of all data loss incidents, meaning that potential data loss could be even higher than what is reported.
Figure 2. Data loss by organisation size (organisations using a managed print service)
Those organisations that are operating a centralised model based on shared MFPs are less likely to have experienced data loss – 38% indicated no data losses compared to 18% of those operating a distributed model of workgroup printers (Figure 2).
Figure 3. Data loss by print infrastructure model
While 67% of those operating a multivendor fleet reported at least one data loss, this dropped to 41% for those that were operating a standardised fleet (Figure 3).
A standardised environment is always going to be easier to control given that security functionality and tools can be applied consistently to all equipment. And normally, these organisations are further along in their MDS engagements and will have benefited from security assessments. This reflects the benefits – from an IT management and user perspective – of a consistent approach to security that is possible with a single hardware brand.
However, in many organisations, it is typical to find a patchwork of devices from different vendors which in turn require different tools and software platforms. Although a best of breed tool can be used across a mixed fleet to enable secure printing (such as pull printing), there remains a challenge in protecting the vulnerabilities of older or legacy devices which may be more exposed than newer devices with built-in security features against today’s threats.
Figure 4. Data loss by fleet type
So, what is the nature of the data loss from a print perspective?
Notably although access to the network was a top concern amongst the majority of respondents, these concerns may be unfounded. Only 18% reported that an unsecured MFP has led to unauthorised access to the network. However, almost half reported that network interception, hard disk theft and unauthorised access of unclaimed output were factors (Figure 5).
Figure 5. Reasons for data loss
Closing the gap in print security clearly requires a range of measures. Most manufacturers offer a combination of built-in security features – both hardware and proprietary and third-party software tools.
Given the multiple points of vulnerability in the print infrastructure, businesses must employ a layered approach to print security. This requires a combination of activating built-in hardware security features, implementing software tools such as pull printing and educating users on responsible and secure printing practices.
MPP recommends that the following measures are taken:
Today we live in an enveloping world of technology where businesses can access numerous tools in assisting with the day to day operational functions and making of important decisions.
But, as technology becomes more advanced we create a brand-new set of problems. CYBER SECURITY - Data breaches, data theft, phishing, ransomware, and malware are perfect examples. Almost all of these vulnerabilities come from every-day usage of peripherals like printers, and businesses most definitely need to consider protecting the confidentiality of their documents.
The white-hat hacker known as Stackoverflowin hacked over 150,000 business and receipt print devices in 2017 to try and raise awareness around the importance of security on printing devices. Well known OEM’s such as HP, Canon, Epson and Brother were susceptible to the attack. Stackoverflowin advised that the script that he wrote “targets printing devices that have IPP (Internet Printing Protocol) ports, LPD (Line Printer Daemon Ports) and port 9100 exposed to external connections”. Devices that are Printers set up by default have zero security, the in-house network administrator would need to reconfigure the network to keep it secure.
SMB’s are prominent in the usage of MFP’s or multi-purpose printers, purely because of the ease of use in day to day operations. Features like faxing, scanning, photocopying and emailing have proven productive in cutting down time and costs. However, the problem with that is that it opens a multitude of security vulnerabilities.
How do the attacks take place? There are multiple ways hackers can perform malicious activities.
One of the most common attacks is when MFPs use an authentication mechanism that gives access to an employee via RFID, swipe-card, fingerprint, or manual entry of credentials (username and password). Hackers could evade the MFPs access to the network giving them the ability to print any documents and steal sensitive information.
Another popular attack is a denial of service or DOS for short. This is when a printer is flooded with traffic from a botnet or an application that would render the printer useless, sometimes going as far as destroying it. Obtaining free or cheap software for conducting a DOS attack is not hard. Searching for results on Google or the “dark-web” is enough.
BYOD and printing has made businesses even more vulnerable to cyber attacks with many personal devices connected to a printer, or an array of printers. A hacker can inject your personal device with malware that can gain direct access to the corporate network, and thus its printers.
There are many security measures that your business can use to avoid attacks on printers. For example:
Although hiding your businesses printers will certainly keep the attention away, it does not necessarily mean your printers are secured. If an inquisitive hacker manages to penetrate the network, he or she will be able to see the printer. If there are no security measures on the printers, then it will be easy for a hacker to intercept documents, steal sensitive information or sabotage its operations.
As digital grows to solve every-day business tasks in the lives of millions, so does the need of cyber-security.
It is increasingly becoming easier to breach devices and steal sensitive information. In today’s global space, businesses have an obligation to deploy printer related security measures.
A recent survey of 200 enterprises with over 1,000 employees in the UK, France, Germany and the US by business and IT analyst firm Quocirca revealed that 61% admitted suffering at least one data breach through insecure printers. Modern multi-function printers come with a host of features to print, copy, fax, scan and e-mail documents, making them, in effect, computers themselves and therefore potentially vulnerable to cyber-attack.
Multi-function printers are vulnerable to four main security weaknesses: printed documents left unclaimed in print trays, images stored on local printer hard drives, unauthorised access to the printer and several network vulnerabilities such as those using the fax functionality.
Examples of cyber-attacks have included: disabling printers for ransom, accessing insecure printers for vandalism and pausing print queues while data is extracted. Open network ports leave the printer vulnerable to unauthorised remote access which in turn could lead to data theft or their use in denial of service attacks.
Improperly decommissioned printers have the potential to be exploited for business records still in the printer’s memory.
Recent research also identified 3,800 3D printers that were left exposed online without a security password, leaving them vulnerable to interference. Users had failed to set up this fundamental security precaution through convenience or ignorance meaning hackers could either steal the 3D model plans or alter key parts of the plan to make the printer produce defective items.
The vulnerabilities outlined above show that cyber security for printers should receive as much attention from organisations as other parts of their IT estate when establishing security controls.
Read the full article here.