Fact: Your endpoints are targetsAnalysts project that by 2020, there will be more than 25 billion connected devices powering businesses. This includes everything from smart lighting and printers to mobile devices, thermostats, and maybe even your break room fridge. While your organization might consider employee laptops and mobile devices as pieces of your endpoint strategy, way too many of us fail to recognize that connected "things," like printers and routers, are also endpoints. They may look innocent, but botnet armies—like the one used in the DDoS attack dubbed "Mirai Dyn"—are primarily comprised of connected "things." At least 70 percent of today's successful data breaches originate from endpoints. Hackers worm themselves into a company's network by manipulating human error, like sending a phishing email or convincing someone to release their password over the phone during a verbal phishing attack. But breaches may also originate from unsecured, connected endpoints, like a router or printer that's completely unsecured and susceptible to attacks.
Fact: Printer hacks are nothing newIf you build technology, the hackers will come. While print technology is rapidly evolving to incorporate super-cool factors, like the ability to self-heal, print pizza, or create new parts for the international space station, it's still been around for a long time. Howard reported that the earliest recorded incidence of a known printer or copier hack was during the 1960s, when cameras were hidden for the purpose of Cold War espionage. Today, the volume of printer hacks has grown drastically; recent targets include the US Chamber of Commerce and Integra.
Fact: IT pros know printers are riskyIn one of the more shocking revelations shared in Howard's presentation at Black Hat, it turns out that IT pros actually do know that printers are security risks. IT pros are aware printers can expose protected information and sensitive data in a number of ways, including unauthorized access, the exposure of printed materials left on the tray, the possibility of remote access to the printer, and difficulty identifying with certainty if printers have been breached or not. One recent study cited by Howard revealed that 64 percent of IT leaders reported when their printers were likely infected with malware. Despite the fact that today's IT pros know that printers are smart and that connected devices are potential points of entry to their networks, Howard's research uncovered that only 18 percent of IT pros are actively concerned about printer security—which is worrisome when you consider that 91 percent are worried that PCs pose security risks.
Fact: You aren't doomed to be a sheepIf you aren't aware of the risks associated with your printers, you're at risk of becoming a doomed sheep—easy prey for the hacking wolves of the world. That said, there's nothing inherently risky about print technology. Michael Howard shared a number of ways IT pros can secure their networks from wolves, including the following steps:
- 1. Know what you're working with. Today's average multifunction printer has more than 200 functions and an intuitive operating system. Even scarier, the average organization may have one printer for every 10 employees. Teen-hacker-turned-good-guy Michael Calce (aka MafiaBoy) says that IT tends to go wrong when it comes to printers by looking at them as output devices that strictly print documents. There are risks in leaving documents on the printer trays and your printer's firmware if it's not sufficiently secure, but Howard advises today's IT teams to think holistically about all 200-plus functions of multifunction printing processes—everything from storage, mobile printing, BIOS, and beyond. Each of these attributes can be an attractive target to your hacker foes.
- 2. Rethink secure printing. The goal of printer security shouldn't be meeting the bare minimum compliance and regulatory requirements. While strong policies and management practices are better-than-average, the ultimate objective should be proactive management via smarter, self-healing technology and more effective employee education and security awareness programs.