Colleges and universities have been targeted in the last several weeks with a series of bomb threats received via campus printers and fax machines. Targeted institutions included Vanderbilt University, the University of Southern California, the University of Virginia and the University of Detroit Mercy, among others.
Businesses were also among the targets. Around 100 organisations in all received print-outs, faxes or emails demanding that a $25,000 ransom be paid to a Brazilian citizen to avoid detonation of explosives allegedly planted on the sites. The police determined that the “form letter” threats were part of a hoax and not credible.
The situation highlights the need to proactively secure access to printers in today’s networked world. SourceSecurity.com asked Ashish Malpani, Director, Embedded Solutions Product Marketing at HID Global, for insights from a technology perspective.
SourceSecurity.com: What are the best practices for securing access to a printer? How widely employed are such practices (i.e., how vulnerable are most printers today?)
Ashish Malpani: Most network printers in university environments are secured using several best practices. They include:
- Set a strong administrator password. Modern MFPs (multi-function printers) have a web interface for configuration and control. By default no password is set so it is important to set a strong admin password.
- Restrict network access to campus. Ensure that only campus IP addresses are able to access the printer.
- Disable unnecessary services. Disable services like FTP, Telnet, other network (and discovery) protocols, etc.
- Implement firmware updates.
- Securely dispose of MFPs.
A recent scan at University of Nebraska at Lincoln found that, in spite of all security practices, 12 percent of printers still have open port and password issues.
SourceSecurity.com: How can systems be set up to accommodate students who need access to printers from off campus (or outside the firewall)?
Malpani: In the university environment, the need for off-campus print access is prevalent. One of the ways to enable this capability is to force students to connect to the university network using a virtual private network (VPN). However, this is inconvenient and doesn’t usually support printing on demand or printing from handheld devices and cloud storage.
An effective way to address this issue is to deploy a secure printing solution, where the users are required to authenticate themselves before the print job is released to the printer from a centralised pool. The benefits of this approach are increased convenience and ability to print at any printer on the campus. However, most printer manufacturers support entering a PIN for authentication, and it is not necessarily secure or convenient when you want faster access. However, new innovations in secure printing have made the printers more identity-aware and rely on everyday devices such as mobile phones and wearables for authentication, resulting in secure and convenient access.
SourceSecurity.com: Whose responsibility is the security of a printer? Should manufacturers be doing more to prevent unauthorised access to printers? What is the customer's role?
Malpani: IT security staff is responsible for the security of the printer. Something as simple as a printer is expected to work right away after deployment. Manufacturers can do more to enforce security policies on the printer or provide modes that enforce stricter control by default. As a customer, it is critical to have print data security as part of security policy, to review the manufacturer’s recommendations for securely configuring a printer, and to find solutions that not only enhance the security but also provide convenience to end users.
 |
| A compromised printer can be used to attack other applications, execute arbitrary malicious code or attack other systems |
SourceSecurity.com: What are some other ramifications of unsecured printers, beyond the printing of threatening materials as we have seen recently on college and university campuses?
Malpani: Today’s MFPs are more than just printers. They are file servers, they can email, act as DHCP (Dynamic Host Configuration Protocol) servers, and have the capacity to hold large data sets. Unsecured printers risk misuse and data disclosure. In January of this year, a team of researchers from Ruhr-Universität Bochum in Germany exposed vulnerabilities of major MFPs, such as exploiting the PostScript and Printer Job Language (PJL) vulnerabilities to get access to the data on the printer’s files system and memory.
SourceSecurity.com: How does the problem of unsecured printers relate to wider issues of network security (given that most printers are now networked)? What is the risk that printers might be vulnerable as an entry point to the larger network?
Malpani: In addition, a compromised printer can be used to attack other applications, execute arbitrary malicious code or attack other systems (e.g., to launch a denial of service attack on the network).
SourceSecurity.com: How does the risk of unsecured printers impact the business world or other markets (in addition to college campuses)? How are the security measures different in various environments?
Malpani: The security challenges are the same in business environments but, other than the financial industry, most other businesses do not pay close attention to threat vectors emerging out of print data security. IT security departments are also concerned about network security, and the facilities worry about building security, paying little attention to the security of business systems like printers, elevators, HVAC systems etc. Businesses are increasingly turning to managed print service (MPS) providers to ensure compliance, data security as well as management of accessories like print cartridges.
SourceSecurity.com: What's your best advice for customers in terms of what they should do to secure their printers?
Malpani: First of all, know your customer, understand their needs and what capabilities they desire from the printing systems today. The next generation of students value convenience over privacy and security. So the IT departments across universities need to think about how to meet the needs of their customer while ensuring best practices for security and compliance.
It is critical to develop a comprehensive security policy, a regular audit schedule, to secure printers according to manufacturer’s recommendation, and to invest in solutions like secure print that not only provide convenience but also enhance security. Identity-aware systems definitely handle the challenges more effectively than traditional practices going forward. So it is important that the solutions we invest in also take into account the future trends in authentication and printing.
