Think Like a Hacker!

Focus on raising your customers’ awareness about security risks of printers and MFPs.

A few months after I had a call with a CIO acquaintance of mine about data security at his service bureau, I happened to meet up with him at a conference. Not much gets by this guy. He knows every detail of ensuring all the data coming into his company is secure from the moment it arrives until it is printed and mailed. So, I was surprised when he said he had not thought about how the average office or workgroup printer could be an on-ramp for intruders who may not have your best interests in mind. His company has firewalls and authentication processes for everything, so while all his internal machines are well protected, he realized that many companies—possibly some of his customers—might not be as secure as they could be.

Entry-Level 

David Levine, vice president for information security and CISO, Ricoh USA, brought this concern home to me.

“The greatest risk—one that’s at the root of the problem—is that too many people still aren’t treating MFPs and printers like other network/Internet-connected devices,” said Levine. “This has to change!”

Levine, along with security gurus at Canon, HP, Sharp, and Xerox, agrees that the lack of data security at the small- to mid-size printer level can be a potential entry point to a company’s servers and all kinds of proprietary information. And it gets worse: any device on a network can be an entry point. You see, once someone accesses a company’s network, they are as much inside the company as a burglar entering your house while you are on vacation. Want a company’s banking info? No problem. How about employees’ Social Security numbers? It’s coming to you. Watch your email!

“Bad actors will always take the path of least resistance when looking for vulnerable devices to exploit on your network,” said Levine. “You have to take the same precautions with printers and MFPs as for other devices. Configure the device appropriately for its environment, then monitor it, patch it, and maintain it.”

Anthony Leccese, product manager, prepress and output management solutions for Rochester Software Associates (RSA), says RSA software protects data and documents up to the print server and print engine vendors typically take over after that. This puts RSA software in the mix on a lot of networks and in many organizations, including in-plant print operations. Much of RSA’s software is Linux-based, making it harder to breach and less vulnerable to viruses. Still, Leccese notes, many users never think about security concerning workgroup and hallway printers. While awareness of these machine’s vulnerabilities is higher in bigger firms, it is typically less of a consideration in smaller companies.

How Bad Can It Get?  

Pretty bad. Some recent numbers from the Center for Internet Security speak volumes:

• 47% of small businesses are targeted by a cyberattack.
• 60% of small companies go out of business within six months of a cyberattack.
• 594 million people (worldwide) are impacted by cybercrime every year.

But Wait, It Gets Worse! 

• Canon’s Office of the Future study found that 25% of IT leaders believe employees have limited or no understanding of cyberthreats or how to prevent them.
• Even leaders who understand the dangers often underestimate the ramifications of a potential breach: nine out of ten IT professionals think a breach will equate to 50% or less annual revenue.
• Shivaun Albright, chief technologist of print cybersecurity at HP, Inc., told me for about every 100 lines of computer code, there is a minor defect that can be potentially used as an entry point by bad guys to access a network. Considering that a company network supporting internal and external email, printing and copying, basic security functions, internal and external file transfer, telephony, video conferencing, and more can easily have one million or more lines of code, there may be more than a couple of errors you or your customers are unaware of.

Data Vulnerabilities 

A network intrusion may seem inconsequential at first glance, but imagine some of the data that could be vulnerable in:

• A law firm occupying three floors of an office building
• An ad agency where clients’ marketing plans are housed
• City, county, and town offices containing property records
• Accounting firms where clients’ tax and business information are stored
• A company that keeps all its records internally
• Having ransomware take up residence on its network

Known Bad Guys 

As disheartening as it may be, there can even be a significant security risk from people you or your customers trust the most: employees. According to Mike Betsko, director of solutions sales and marketing at Canon USA, “The volume and access to confidential information in today’s workplace increase the potential of information leaks, both unintentional and intentional.”

Backing him up, the second iteration of Canon’s Office of the Future study found IT decision leaders rate malicious insiders (30%) and human error (25%) to be the top cyber threat sources, highlighting that organizations should not overlook internal sources of risk.

Think Like a Hacker! 

With all this in the mix, it should be clear that passwords are probably not enough, nor are many of the internal steps your IT guy recommends because he may not be thinking like a hacker—and you probably aren’t either. You should be, because that lone printer you installed across town at a new accounting firm, the 38-unit install at the big law firm, or the 52 machines you placed in eight county offices may all be open to anyone inclined to steal goodies like tax ID numbers, banking information, or legal documents. Or maybe the perps are just greedy guys who see a big payoff from placing ransomware on the city’s or county’s computer network.

You need to think truly nefarious thoughts to get an inkling of how bad guys can get into your network and those of your customers. Any device that connects to a network can be what HP’s Albright calls attack vectors, or access points in a system. If that isn’t enough to get your worry up, consider that as the dealer who sold and installed the digital print engines on a client’s network, your company could be viewed as partially culpable in an unauthorized intrusion—no matter what your Statement of Work may say. That could mean having to lawyer up to keep the wolves from the door.

Get Your Geek On 

I’m not a lawyer, so I can’t delve into how you may be able to protect your company legally, but I do have a few shades of geek in my genes, so I want to suggest some ways of insulating the systems you sell and the companies you serve from unwanted intrusions. The risks are not trivial, and any company with a network can be vulnerable. Hold this thought: The companies contacted for this story are major players in the printing industry, and all say the risks go beyond workgroup and hallway printers.

“The IoT, the internet of things, is something people don’t think about in terms of data and printing security in businesses, but even devices we think make us more secure, like camera and motion sensors, can be used as attack vectors from outside a company. Many of these are low-hanging fruit with little or no protection against external threats and can be easily bypassed or defeated,” said Albright.

For example, a set of consumer-grade surveillance cameras from a big-box store may be fine for your living room, but those wireless cameras can be (and often are) placed on a business or office network without the knowledge of an IT director and can be used by hackers to access a company’s computer network. Much to the glee of a hacker, the IoT toys and printers on a network can be easily bypassed and then allow access to employees’ computers, including the ones in departments like HR and accounting. It’s even possible to access private customer data, some of which may remain in the memories of office printers after people have left for the day. And all of this thanks to the $119 cameras from Amazon or Home Depot.

On the IoT front, the better strategy is to acquire commercial-grade cameras and intrusion sensors and have them professionally installed with appropriate measures of security such as complex passwords and layers of authentication so they are not the low-hanging fruit for hackers.

Hardened Printers 

Sure, you’re thinking, “but the cameras and IOT stuff are not in my wheelhouse.” Unfortunately, they sit on the same networks as the printers you may have installed, along with desktop computers, all identifiable by names like CanoxicaC480P, DellHR003, and have hard-to-crack passwords like “Admin” or “AccountingMFP” or “12345.” Any hacker worth a can of Red Bull can be pulling out confidential data in minutes. No one will know until it’s too late. None of this is limited to happening at night. Some hackers can gain access to networks during working hours when data is at its most accessible.

Stay Current 

The hardware OEMs emphasize the importance of making sure their devices have the latest software releases/patches. These are often part of a customer’s service or maintenance contract. Within these, security is a common upgrade that is based on the latest known threats. All OEMs have their ears to the ground and are actively looking for potential trouble spots because they don’t want to be faced with a breach any more than you do. If you’re a dealer, get every patch or upgrade as soon as it is available, learn what it does, and urge customers to install it. If you are managing the copiers and printers in your organization, get the upgrades to help prevent intrusions so you are better able to avoid unpleasant conversations with management should a security break take place. Yes, updates can and do cause some problems, but these are usually less dangerous than having your network and information compromised.

Human Error 

Simply forgetting a file on the printer or sending a document to the wrong device (or person) can pass confidential information to third parties. While seemingly harmless, such errors could put an organization at risk if confidential files or data reaches the wrong hands. Cloud- or network-based authentication keeps print jobs secure until users enter their password or authentication. Most MFP OEMs offer some sort of secure or pull-printing capability. These aren’t normally default settings, so be sure to educate your customers about how these capabilities can secure their print jobs.

While you’re at it, look to the print engine and its firmware for help. Albright says some HP systems can be configured to shut down and reboot to a “safe state” when an unauthorized attempt to print a document is made. As with other authentication measures, such features are not usually the default configuration, so learn what can and cannot be done on the systems for which you are responsible.

Zia Masoom, director of worldwide product and security marketing at Xerox, says many systems can be configured to prevent unauthorized users, including people inside a company, from accessing or printing certain documents. Such protection can often be extended to an entire network, so if someone is trying to access, say, personnel or accounting records at 3 a.m., they can be locked out. Such measures put the responsibility on the system to prevent internal and external attacks and intrusions while creating a record of every document accessed or printed on a system, including what was printed, who printed it, and when it was printed.

Opportunity Knocking 

This all means a couple of things for dealers. One, it is critically important to make sure your customers know—whether they have one machine or dozens—their networks can be vulnerable through their various devices and your company can provide solutions.

You can up your game by providing some diagnostic and preventative services, as well as technology, through your dealership, but don’t hesitate to bring in experts from your OEMs. They invariably have a deeper and more varied experience than your business and are eager to share that knowledge with you and your customers. Constant vigilance and ongoing adaptation are key to staying ahead of the bad guys. By using all the resources available, you can elevate your business and the skills your team provides. Providing security services adds value to what you offer and helps differentiate your dealership from your competitors. Make sure you stand out by helping your customers through the challenges of data and printer security.

# # #

Best Security Practices

Trying to stay a step ahead or at least keep up with the bad guys, software providers like RSA and OEMs of printers and MFPs can furnish much of the info you need to provide extra security for their devices, but there are several best practices to implement. Some of Xerox’s suggestions include:

• Change default passwords on accounts such as the system administrator and SNMP (simple network management protocol) Community Strings so unauthorized individuals cannot take control.
• Use passwords of at least eight characters in length with a combination of upper and lower case letters, numbers, and special characters. (I know one company that uses geographic coordinates of the CEO’s favorite ski lifts.)
• Never share an administrator’s password with anyone who does not have a legitimate need to know it—not many people do! (I know a system admin who changes his password monthly. Every one of them is complex.)
• Enable TLS (transport layer security) and validate any certificates used with the device.
• Disable services and ports if you are not using them. This includes those ubiquitous USB ports on every printer. While convenient for printing, these ports can be used for introducing malware, including ransomware, into a company’s network. (This goes back to the uncomfortable fact that employees can do damage, sometimes unwittingly.)
• Enable “image overwrite” to erase data as soon as it is printed. This wipes the printer’s memory so information can’t be retrieved.
• Configure your firewall or router so that only appropriate employees have access to it. This helps keep outsiders from accessing the machine and disrupting your business.

Access Related Content

Visit the www.thecannatareport.com. To become a subscriber, visit www.thecannatareport.com/register or contact cjcannata@cannatareport.com directly. Bulk subscription rates are also available.