7 Ways to Lock Down Enterprise Printers


Steve Zurier | Darkreading.com

Following the PrintNightmare case, printer security has become a hot issue for security teams. Here are seven ways to keep printers secure on enterprise networks.

Enterprise printers have long been an afterthought in IT security, but all that changed earlier this year with PrintNightmare, a flaw in Microsoft’s Windows Print Spooler Service that could be exploited in remote code execution attacks.

As a result, Microsoft has issued a series of patches – and enterprise security teams are beginning to assess the security of printers on their networks. This is especially critical given most companies will continue to operate as a hybrid workplace, with workers using their personal printers at home in addition to remotely connecting to the printers at work.

Nasser Fattah, North American steering committee chair for Shared Assessments, says printers have not been viewed as a security concern in the past, despite the fact they print some of our most sensitive data and are connected to our networks all day, every day. He points out that printers come with many applications, including Web servers – which, like any other application, can have default passwords and vulnerabilities – and considerable storage size to hold a significant amount of sensitive information.

“Also, office printers are connected to a company’s identity repository so that users authenticate to print and the email system provides print status to users,” Fattah says. “Consequently, printers introduce serious security problems that can enable adversaries to access a company network, sensitive information, and resources. For example, adversaries, via the print default password, can redirect prints to an unauthorized location. Also, a vulnerable printer on a network presents an entry point for adversaries.”

Given these realities, we asked industry experts for tips on how to help security teams lock down printers on enterprise networks. After this year’s experience, security pros can’t say they weren’t warned about printer vulnerabilities.

Think of Printers as Network-Exposed IoT Devices

Shivaun Albright, chief technologist of print cybersecurity at HP, says security teams need to consider printer security the same way they do with PCs, servers and Internet of Things (IoT) devices. That means they need to change default passwords and update the firmware regularly.

“Too many organizations don’t consider printer security as part of the overall IT governance standard,” Albright says. It’s often not considered as part of the security process, so it doesn’t get budgeted and staffed properly, she adds.

The general mistake enterprises make is not treating printers like any other entry and exit point for data, particularly in the case of large, multipurpose devices, says Andrew Barratt, vice president, technology and enterprise at Coalfire. Printers are essentially complex embedded computing devices with a similar security footprint to many other IoT devices, but with access to even more data, he points out.

“Many printers have sizeable storage devices that can contain many of the print jobs or scan copies and often without any encryption or other access control,” Barratt says. “They’re network-connected, often with minimal exposure to security testing and very regularly are the forgotten parts of a large organization’s attack surface. They are also a popular pivot point for intruders in enterprise networks where there are perhaps Wi-Fi-connected printers that also have access to corporate networks, with lower restrictions being applied to allow more users access to the device.”

Enable Print-Service Logging

Logging is a necessary part of knowing what is happening on a network. Print services logs can provide security teams with a lot of valuable information about all the printers that are connected to the network – an area enterprise security teams did not pay much attention to before PrintNightmare, says Jake Williams, co-founder and CTO at BreachQuest.

“As work-from-home kicked off, I did recommend to enable print services logging on enterprise endpoints [disabled by default] to ensure that security teams see print jobs sent to USB-connected printers in WFH situations that bypass the print server, where logging normally occurs,” he says. “As it turns out, this logging also catches the installation of a new printer – even the attempt – and provides reliable detection for PrintNightmare.”
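One way to turn this logging on and review what it records on a Windows endpoint, as an added example that is not from the article or from Williams. The channel name and event IDs 307 (document printed) and 316 (printer driver added or updated) belong to the Windows PrintService provider and do not appear in the article; the 64 MB log size and 7-day window are assumptions.

```powershell
# Added example: enable the PrintService Operational channel and review its events.
# Run in an elevated PowerShell session on the endpoint.
$logName = 'Microsoft-Windows-PrintService/Operational'

# 1. Enable the channel (it ships disabled) and leave room for history.
$log = Get-WinEvent -ListLog $logName
if (-not $log.IsEnabled) {
    $log.MaximumSizeInBytes = 64MB   # assumed size, tune for your fleet
    $log.IsEnabled = $true
    $log.SaveChanges()
}

# 2. Pull print jobs (307) and driver add/update events (316) from the
#    last 7 days. An empty result is not an error for this review.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    Id        = 307, 316
    StartTime = $since
} -ErrorAction SilentlyContinue

# 3. Flatten to the fields an analyst or SIEM forwarder needs.
$events | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Host    = $_.MachineName
        EventId = $_.Id
        Kind    = if ($_.Id -eq 307) { 'PrintJob' } else { 'DriverAddedOrUpdated' }
        UserSid = $_.UserId
        Summary = ($_.Message -split "`r?`n")[0]   # first line of the message
    }
} | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Driver add/update events on hosts where no administrator was installing a printer are the ones to review first.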

Put Printers on a Separate VLAN

Doug Britton, CEO at Haystack Solutions, says security teams should put printers on their own VLAN, with a virtual firewall between it and the rest of the network. The printer VLAN should be treated as an untrusted network, he says.

“This will let printers function normally while limiting their ability to do damage, assuming that they have been compromised,” Britton says. “In the case that printers are hacked and start ‘listening’ or trying to exfiltrate data, they will have to do it through the firewall, which will be observable. Any ‘out-of-protocol’ probing from the printers will be instantly detected.”

HP’s Albright also points out that more than half (56%) of printers are accessible via often-used open printer ports that could be hacked. Security teams should close off any unused printer ports, disable unused internet connections, and also close off telnet ports, which are often unused today, she advises.
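A check for the open-port advice above, written as an added example that is not from the article: it tests each printer in your own inventory for listening services that fall outside an approved baseline. The inventory entries, the port list and the baseline are constructed assumptions; the addresses are documentation-range placeholders.

```powershell
# Added example: flag printer services that are reachable but not approved.
# Inventory is constructed (192.0.2.0/24 is a documentation range).
$printers = @(
    [pscustomobject]@{ Name = 'floor2-mfp'; Address = '192.0.2.10' }
    [pscustomobject]@{ Name = 'lobby-lj';   Address = '192.0.2.11' }
)

# Services commonly found on network printers, keyed by TCP port.
$portNames = @{
    21 = 'FTP'; 23 = 'Telnet'; 80 = 'HTTP'; 443 = 'HTTPS'
    515 = 'LPD'; 631 = 'IPP'; 9100 = 'Raw/JetDirect'
}
$approved = 443, 631   # assumed baseline: HTTPS management and IPP only

function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 1000)
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        # Wait() throws on a refused connection and returns $false on timeout.
        $task = $client.ConnectAsync($Address, $Port)
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    }
    catch   { return $false }
    finally { $client.Dispose() }
}

$findings = foreach ($p in $printers) {
    foreach ($port in ($portNames.Keys | Sort-Object)) {
        $open = Test-TcpPort -Address $p.Address -Port $port
        if ($open -and ($port -notin $approved)) {
            [pscustomobject]@{
                Printer = $p.Name
                Address = $p.Address
                Port    = $port
                Service = $portNames[$port]
                Action  = 'Disable on device or block at VLAN firewall'
            }
        }
    }
}
$findings | Format-Table -AutoSize
```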

Another tip from Saryu Nayyar, CEO of Gurucul: “Often printers aren’t standardized across an organization. IT staffs may have to check multiple models regularly for security updates. Standardizing on printers as much as possible can reduce the IT staff workload and reduce the possibility of error.”

Offer Better Training and Security Awareness

Some 69% of office workers have used their personal laptop or personal printer/scanner for work activities since the start of the pandemic, exposing their companies to attacks, according to recent HP research.

Rick Holland, vice president of strategy and CISO at Digital Shadows, says security teams have to train staff on the risks of using printers from home. These printers should be hardened by their IT departments. Holland adds that printers aren’t expensive: Companies should standardize on a printer with strong security and privacy capabilities and offer it to employees who must print remotely.

“A $300 printer maintained by IT with appropriate security controls is nothing compared to the cost of a potential intrusion,” Holland says. “Companies should also consider eliminating the need to print legal documents and leverage [electronic signature] services. If employees need to print from home, the companies should consider providing cross-cut shredders for sensitive documents.”

Gain Network Visibility With the Right Tools

Enterprise security teams don’t always realize just how much of their networks the attackers can see. HP’s Albright says security teams can start by using a publicly available tool like Shodan to discover how many IoT devices (including printers) are exposed to the Internet.

It’s also difficult to protect devices if defenders don’t know about them. Security pros should also integrate printer log information into security information and event management (SIEM) tools, she says.

However, SIEMs are only as good as the information being fed to them, Albright says, so security teams should look for printer management tools that provide credible data. That way security analysts can truly tell whether a printer has been used as an entry point for launching an attack or as a path for lateral movement.

Perform Printer Reconnaissance and Asset Management

According to Archie Agarwal, founder and CEO of ThreatModeler, attacking printers has traditionally been treated as the more humorous side of hacking: The attacks were fairly innocuous, such as printing out funny or provocative messages. But that’s no longer the case, he says, given these same printers are attached to private internal corporate networks, always listening for connections from the outside world. And often, these potential doorways are forgotten or ignored by organizations.

“As we have seen recently, criminals have not forgotten, and when services on these printers have powerful privileges that can be commandeered through remote code execution, we have a heady and dangerous mix,” Agarwal says.

That’s why he says security teams need to perform rigorous reconnaissance on their own environments. They need to inventory all the assets connected to their internal networks that are listening for inbound connections and take necessary action to secure them. That may mean locking the devices down or patching them regularly.

“If they don’t do this reconnaissance, criminals will do it for them, and the end result may not be innocuous,” Agarwal says.

Make Use of Vulnerability Scanners

Printers are often viewed as benign devices without any credentials or serious confidential data to expose, but that may not necessarily be the case, says Mark Kedgley, CTO of New Net Technologies (part of Netwrix). Granted, vulnerabilities for printers reported and given a Common Vulnerability Enumeration (CVE) by the National Vulnerability Database (NVD) aren’t as common as the vulnerabilities reported for other computing platforms and devices, but there are still issues that can cause problems, especially in today’s environment.

The most significant vulnerabilities, Kedgley says, are those that would potentially give an attacker access to printed documents. A number of vulnerabilities reported in March affected Canon Oce ColorWave 500 printers, primarily used for CAD or GIS output, he points out. Enterprise security teams can test for these vulnerabilities just like any others, he says, by using a network-based vulnerability scanner, then applying the patching or configuration hardening needed to mitigate or remediate the threats.