If you’re like most companies, you probably think your security is great—until you realize how many unmanaged print devices you really have.
Michael Howard, HP WW Chief Security Advisor, and Jason O’Keefe, HP Print Security Advisor, spend their days talking to companies about the security of their print environments. Here, they reflect on those conversations, share the a-ha moments, illustrate some use cases, and provide recommendations to remediate print security vulnerabilities.
Q: Is there a common theme or experience when you first meet with companies?
MH: Absolutely! Most of the time, our meeting is the first time that the print and security teams sit down together at the same table. So, right away, we know that there is a lack of understanding between the priorities and realities in those organizations. It’s important that the print team understands that if a device is going to touch the network, security must be involved. And the security team has to realize that print can create serious vulnerabilities if left unmanaged.
Q: What is the a-ha moment for most organizations?
JO: Most companies don’t think they need security for their print infrastructures, so print is very low on their priority list for security. We get a lot of, “our security is great,” “we do a great job,” and “why are we here?” We present our framework (based on recognized industry standards and regulations), which has up to 200 controls that we evaluate for vulnerabilities across the print infrastructure. All of a sudden, eyes widen, and the tune changes completely.
The initial skepticism becomes disbelief and shock, which then opens the floor for a very frank and lively discussion. If I was to pick one key concept, I would say that most companies underestimate how vulnerable they are through their print infrastructures. Security teams need to understand that print vendors are using operating systems like Windows, Android, and Java. Like all operating systems, they require a patching schedule. So, it’s important for print and security teams to subscribe to vendor notifications.
MH: Just to jump in here—because this next conversation point is very impactful with clients. On average, most organizations have approximately six users per printer. When we talk with security teams, we point out that PCs and laptops are completely locked down. Yet, by not following the same protocols for printers, there is a vulnerability for every six users. That’s alarming to most security pros. And even more shocking, many security teams could not tell you how many print devices exist in their environments. There could be 5,000 devices—all open! Print is a real blind spot in security, and we’re trying to both educate clients and help them remediate the vulnerabilities.
Q: Which factors are typically responsible for print-based security vulnerabilities?
MH: We narrow it down to four key factors:
- Aging technology
- Failure to implement security controls properly
- Heterogeneous vendor environments
- Unmanaged print environments
With PCs and desktops, IT and security teams have management and monitoring tools for proactive visibility. Until recently, those tools didn’t exist for print.
Q: Can you provide some real-world examples of how those factors came into play in specific organizations?
JO: There are so many. But a few stick out for me:
With one healthcare customer that manages more than 10 hospitals, we performed a three-day security assessment on its print environment. Old printers were the weakest links on its network (similar to keeping Windows 95 running on a corporate network). As a result of our findings, the client ended up replacing all of its printers with vulnerabilities. Moral of this story: Security is only as strong as your weakest link.
Michael’s team did a security engagement with another customer that had a mixed print infrastructure from various vendors. With different vendors, the company ended up having more than 100 vulnerable devices as a result of firmware issues. This risk was completely unknown to the client, and its security team was unaware that these printers were susceptible to attacks. Once the customer understood the risk, we identified mitigating controls to protect the printers from external attacks.
In one organization, there were several hundred people with full admin privileges across the print infrastructure. Every single one of those people was using a generic username and password to administrate the print infrastructure! In addition, the client’s security team had no visibility into any of that print infrastructure activity. With no monitoring, there was no individual accountability or traceability. And even worse, the security team had no knowledge of the risk because it was not engaged with the print team.
Another company had a staff of approximately 20 administrators managing the print infrastructure. These same 20 people had full administrative responsibilities across printers, databases, and servers. The client didn’t realize how big a risk it is to give one group the keys to the kingdom across multiple systems. Segregation and separation of duties are crucial to security controls. It would never happen with PCs on the network, so it should never happen with printers either.
Q: What are some of the strategies that you recommend to remediate print-based vulnerabilities?
MH: Some of the remediation strategies that we recommend include:
- Update firmware consistently
- Reduce administration across the print infrastructure
- Upgrade print databases from express to enterprise editions
- Implement processes and documentation to keep security consistent and measurable
- Provide security awareness training to print administrators
Print security, just like corporate security, is an ongoing process. As a result, it’s critical to pursue constant improvement through deeper assessment and expert advice.
Q: Any recommendations for companies wanting to improve their print security?
JO: Visibility is essential. That’s the one piece of positive feedback we hear most often from our three-day assessment clients. They get a baseline of where they are and how they can improve. I would also highlight collaboration as key to effective print security. To gain the rich intelligence required for robust security, companies have to break down the barriers between print administrators, security pros, and internal audit staff. These groups have to be willing to work together to secure a key part of the network that has been overlooked for years.
MH: We often ask clients about the governance, audits, and security assessments they have in place for the network. More often than not, the print infrastructure is left completely untouched. Governance and ongoing assessments are just as important for print as for any other part of the infrastructure. Who’s minding the store? Who is monitoring and ensuring compliance to standards and controls? For print, governance should include user account management (who is accessing the print infrastructure), compliance to corporate policies, risk management, security documentation, and event logging.
Q: Final thoughts?
JO: Printers need to be treated, from a security perspective, in the same way as any other device that touches the network. The Internet of Things is helping to drive this conversation, but print is still widely overlooked from a security perspective, which is creating significant risk for many organizations.
MH: I echo Jason’s thoughts—every device that touches the network needs to be treated like an equal citizen when it comes to security. When you think about how pervasive print is in most organizations, the lack of proactive security is shocking and scary. It’s important to remember that what you’re printing is what you’re working on in that moment. So it’s current, relevant, and important. And it’s exactly the kind of intellectual property that hackers covet. If they can find a way in through print, they’re coming in. It’s so much better to be proactive and implement the necessary controls in your print environment than to react to a breach that was perpetrated as a result of a vulnerability in your print environment.