Printer Security and Compliance: MPS Obstacle or Opportunity?

by Greer Deneen

Security and compliance is a high-stakes topic in virtually any company today. Get it wrong, and — depending on the nature of the business — consequences can range from loss of critical data to customer identity theft or the always-invigorating litigation stemming from HIPAA and privacy violations. And that’s only half the story.

Right now, a veritable perfect storm of factors is pushing oft-neglected security issues higher on the priority list of savvy business operators. Consider …

• Privacy regulations are tight and getting tighter, and the penalties have real teeth.

• Technology advances continue to race ahead of the measures necessary to secure them. (Anybody waking up in a cold sweat over the implications of cloud computing and mobile printing?)

• Hackers are growing ever more creative.

• Economic constraints and staffing limitations prevent many firms (a few of which are Fortune 1000 companies that’d astonish you) from establishing and maintaining even the basic yet essential security and compliance measures.

Duck out or cash in?

What does all this mean to the enterprising MPS dealer? Well, that depends on your viewpoint, your expertise and who your partners are. Some of the dealers we’ve talked to consider security and compliance a serious threat to their business. They’ve got their hands full servicing printer and copier fleets and don’t know how they’ll take on a whole new array of headaches. Others consider it a chance to cash in as they provide a valuable service that differentiates them at a time when managed print services are becoming ever more generic.

“Security is a great door-opener or way to introduce the conversation about MPS. It’s something customers are often salivating for,” says Robin Wessel, Xerox’s director for product marketing. “From the dealer perspective, it’s an opportunity to demonstrate value and accrue financial rewards, because the discussion is no longer centered on who’s got the cheapest program.”

Regardless of whether you’re looking to dive into security and compliance services or steer clear, any involvement in MPS means you’ll have to deal with these issues at some level. In fact, if you’ve already walked a fair distance down the MPS path and have a number of printers under contract, you’ve successfully navigated the first security-related hurdle: accessing your customers’ networks.

Dealers using some form of OEM or independent remote monitoring software typically supply prospective customers with a security document provided by their software vendor. In addition, appropriate assurances about data center security and redundancy help assuage concerns about Web portal vulnerability, and the door — or rather, network access — opens. But you’re not off the hook yet.

You’re in. Now what?

The next challenge, depending on the nature of the prospect’s business, is compliance. The most important compliance laws deal with privacy (the Health Insurance Portability and Accountability Act for medical records, the Gramm-Leach-Bliley Act for financial information, and the Payment Card Industry Data Security Standard for credit card information).

The good news for MPS dealers is that, since basic print monitoring typically stores information such as page count, device description and device status, it presents no threat to a prospective customer’s privacy compliance. But there are exceptions, and remote monitoring software continues to evolve, so what’s true today may change tomorrow. The situation becomes more complex — and the opportunities are proportionally greater — when an MPS offering involves document management services or capabilities like rules-based printing that track user activity.

The bottom line: Be certain you know precisely what data is captured by any software you install on a client’s network and whether it could contain potentially sensitive information such as document content, document titles or user names. Your software vendor should be able to provide you with written documentation detailing any captured data.

Just another node

You’re certainly aware that most modern MFPs and mid- to high-end printers can incorporate a fairly large hard drive, many upwards of 40 GB. These hard drives temporarily store potentially sensitive information that’s been scanned, copied or printed — posing a security risk during the printers’ useful life and even after devices are retired. (Who could forget that rude awakening in 2010, when a CBS news team purchased three random used printers, pulled the hard drives and scanned them using free software downloaded from the Internet. Their findings: a police department list of wanted sex offenders and targets of a major drug raid, design plans for a building near Ground Zero in Manhattan, and 95 pages of pay stubs with names, addresses and employee Social Security numbers.)

What’s more, MFP and printer hard drives often house operating systems capable of running multiple software applications. In many ways, such devices are “just another node,” says Larry Kovnat, Xerox’s product security manager, requiring protective measures every bit as rigorous as those applied to any networked PC.

But your clients’ beleaguered and overworked IT team may not — in fact, probably will not — shoulder the responsibility of securing printers. “It’s kind of a standing joke,” Kovnat says, “that we can walk into almost any company, enter the default password on any machine, and we’re in. Even that most basic level of security is often overlooked.”

Hackers have noticed …

It was a little ironic that on ITEX’s closing day last March, hackers from across the country were converging on Washington, D.C., to discuss — among other nefarious activities — the best ways to weasel around printer security measures.

The gathering, ShmooCon 2011, was promoted as “an East Coast hacker convention hell-bent on offering three days of an interesting atmosphere for demonstrating technology exploitation, inventive software and hardware solutions, and open discussions of critical infosec issues.” And right at the top of the agenda — amidst enthralling topics like “Malicious USB Devices” and “Attacking 3G and 4G Mobile Telecommunications Networks” — were two that no MPS provider can afford to ignore: “Leveraging Multifunction Printers During Penetration Testing” and “Printers Gone Wild!”

The first presentation demonstrated how a hacking program called Praeda (Latin for “plunder”) exploits common security flaws and configuration issues, such as unchanged default passwords, to gain access to printers from outside a company’s network. Once inside the network, Praeda can be deployed to steal passwords and files or to take control of other devices connected to the network.

In an interview with MSNBC, Praeda developer Deral Heiland said that printers are ideal targets for cyberattacks because they’re seldom secured as stringently as computers. “These devices have gone from being standard, simple printers that got on the network to the point where they are totally integrated in the business environment,” Heiland told MSNBC. “That heavy integration is what makes them a premium target.”

In a second demonstration of printer vulnerability, an independent researcher demonstrated a protocol that uses the Internet to seek out and exploit vulnerable printers for the purposes of printer information gathering, control panel lockout, disk lockout, file uploads, file downloads and mass LCD changing. According to MIT Technology Review, the tester also found that printers could be used as “a large storage receptacle for data ex-filtration, covert storage, and browser exploitation tactics.”

A portal for mischief

If you’re unconvinced about the risks networked printers and MFPs pose, Steve Stasiukonis will convince you. A managing partner of Syracuse, N.Y.-based penetration testing firm Secure Network Technologies, Stasiukonis is hired by banks, hospitals and even hush-hush government agencies to conduct “penetration tests” against their firms, hacking in under controlled circumstances to identify vulnerabilities in their security defenses. Wondering what one of his favorite portals for breaching security might be? You guessed it: networked printers and MFPs.

“Today, copiers and printers are computers that let you print, scan, manage information, create mailboxes, you name it,” he says. “All that information resides in the device — there for the taking if it’s not properly secured.”

The key to a hacker’s success, Stasiukonis cautions, is how networked printers and MFPs are managed — starting with stringent password policies. “We’ve been known to compromise printers to figure out what the administrator password and user name is,” he notes. “Not long ago, we scored credentials off a large multifunction peripheral that gave us access to the entire domain.”

Plug the holes, lock the doors

Although today’s printers and MFPs are desirable potential targets for IT criminals, OEMs are focusing on building devices that offer better security right out of the box.

“We’re shipping a number of devices with disk encryption on by default,” says Kovnat, referring to the latest generation of Xerox output devices. “Many have overwrite capability on by default, which electronically shreds information stored on the hard disk of devices as part of routine job processing.

“We’re working to make our security configurations more uniform across the portfolio. Whether we’re choosing those settings or the customer is, the key is proper configuring and monitoring that configuration over time,” he said.

To that end, OEMs like Xerox, HP, OKI Data Americas and others offer checklists, technical manuals, webinars and numerous online resources to help MPS providers understand the essential elements of printer security. While a portion of this information is brand-centric, much of it is broadly applicable to any device from any manufacturer. For instance, Xerox’s security portal (www.xerox.com/security) includes links to security news, white papers and common criteria for certified products protection as well as a detailed list of definitions and FAQs. HP offers self-assessment tools and a downloadable security action plan for enterprise printing and imaging that leads the reader through the process of evaluating and mitigating risk.

The enemy within

Although most attention and publicity is focused on external security attacks, the majority of breaches involve internal employees — with some estimates as high as 85 percent, according to Forrester Research. Even worse, Forrester says that “trusted” insiders and business partners — intentionally or otherwise — are responsible for 43 percent of security breaches. And no small number of those leaks and goofs are printer-related.

Whether it’s an honest mistake like forgetting a P & L on the printer or as criminal as stealing critical documents via scan-to-e-mail software, printers and MFPs are an often-overlooked weak link in the security chain. Fortunately, MPS providers can offer their clients a number of software options that limit access, minimize unclaimed copies, track output and identify users — providing an unprecedented level of control.

User authentication — a years-old practice for copier users — is rapidly gaining popularity in the printer/MFP universe. Secure-print queue or “pull” printing, for instance, holds print jobs on a protected server, releasing them to the printer only when the user punches in a code or waves an ID card before a card reader at the printer. Such tactics not only create a more secure environment, but reduce paper waste by deleting jobs from the secure server if they’re not retrieved within a predetermined time frame.
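The hold, release and expiry behavior of a pull-printing queue can be sketched in a few lines. This is an added illustration, not code from any vendor named in this article; the class name, the retention window and the sample users are assumptions.

```python
import hashlib
import hmac
import os
import time

class SecurePrintQueue:
    """Holds jobs server-side until the owner authenticates at the device."""

    def __init__(self, retention_seconds=4 * 3600):
        self.retention = retention_seconds  # assumed retention window
        self._pins = {}                     # user -> (salt, PBKDF2 hash of release code)
        self._jobs = []                     # held jobs: owner, name, submitted time

    @staticmethod
    def _hash(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enroll(self, user, pin):
        # Store only a salted hash of the release code, never the code itself.
        salt = os.urandom(16)
        self._pins[user] = (salt, self._hash(pin, salt))

    def submit(self, user, name, now=None):
        self._jobs.append({"owner": user, "name": name,
                           "submitted": time.time() if now is None else now})

    def purge_expired(self, now=None):
        """Delete unclaimed jobs older than the retention window; return their names."""
        now = time.time() if now is None else now
        expired = [j["name"] for j in self._jobs
                   if now - j["submitted"] > self.retention]
        self._jobs = [j for j in self._jobs
                      if now - j["submitted"] <= self.retention]
        return expired

    def release(self, user, pin, now=None):
        """Return and remove the caller's own held jobs after verifying the code."""
        self.purge_expired(now)
        record = self._pins.get(user)
        if record is None:
            return []
        salt, expected = record
        # Constant-time comparison; a wrong code releases nothing.
        if not hmac.compare_digest(self._hash(pin, salt), expected):
            return []
        mine = [j["name"] for j in self._jobs if j["owner"] == user]
        self._jobs = [j for j in self._jobs if j["owner"] != user]
        return mine
```
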

In addition, many MPS software vendors now layer enterprise rights management (ERM) and data loss prevention (DLP) capabilities onto traditional MPS monitoring capabilities. ERM can prevent unauthorized parties from printing, scanning or faxing sensitive documents as well as send alerts to security personnel anytime a sensitive document is output. DLP software tracks information being sent beyond the firewall and either applies policies that prevent select data from leaving the company or requires encryption before the data is released.

MPS = Manage Printing Securely

As the market matures and basic MPS increasingly becomes a commodity, security and compliance solutions set you apart from — and ahead of — the crowd. Equally important, these services add tangible value that helps shift the conversation away from pure cost reduction (and the resultant margin erosion) toward revenue-generating opportunities. Better service. More profit. Now that’s security.

5 Questions to Spark a Security Conversation

According to Robin Wessel, Xerox’s director for product marketing, print-related security is a pain point that customers are eager to cure. Posing a few thought-provoking questions like these is often all it takes to get the conversation going:

1. Who is authorized to print your company’s most sensitive documents?

2. What systems do you have in place to prevent confidential documents from being left on printer trays?

3. What alerts do you receive when a sensitive document is printed? Can you tell who did the printing?

4. Are your printer hard drives being wiped of all sensitive data at the end of their useful lives?

5. Are your networked printers correctly configured to prevent cyber-attacks?

Basic Security for MFPs

All MFPs are different, but generally speaking, there’s a constellation of settings that can go a long way toward assuring the security of these devices. Some best practices include:

• Configuring all passwords, PINs and access codes using a different password for each setting

• Ensuring that incoming and outgoing encryption is enabled and running

• Enabling automatic overwrite

• Encrypting all Web communication

• Preventing nonessential remote access (i.e., closing down all unused ports and protocols)

• Regularly checking your printer manufacturer’s and software vendor’s websites for current security patches and updates

• Following the manufacturer’s instructions for degaussing printer hard drives at the end of the device’s useful life.
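The checklist above can be turned into a repeatable fleet audit. The following is an added example, not a tool from any vendor mentioned here; the inventory records, field names, credential fingerprints and the allowed-port policy are all constructed assumptions.

```python
# Constructed inventory export; every field name and value is an assumption.
FLEET = [
    {"name": "mfp-finance-01", "status": "active", "factory_default": [],
     "cred_fingerprint": {"admin": "f1", "snmp": "f2", "mailbox": "f3"},
     "encryption": True, "auto_overwrite": True, "https_only": True,
     "open_ports": [443, 631], "firmware": "5.2.1", "latest": "5.2.1"},
    {"name": "mfp-lobby-02", "status": "active", "factory_default": ["admin"],
     "cred_fingerprint": {"admin": "f9", "snmp": "f9", "mailbox": "f4"},
     "encryption": False, "auto_overwrite": True, "https_only": False,
     "open_ports": [21, 23, 80, 443, 9100], "firmware": "4.9.0", "latest": "5.2.1"},
    {"name": "mfp-old-03", "status": "retired", "drive_sanitized": False},
]
ALLOWED_PORTS = {443, 631}  # assumed site policy: HTTPS management and IPP only

def _version(text):
    return tuple(int(part) for part in text.split("."))

def audit(device, allowed_ports=ALLOWED_PORTS):
    """Return checklist findings for one device record (empty list = clean)."""
    if device["status"] == "retired":
        # End of life: the open question is whether the drive was sanitized.
        return [] if device.get("drive_sanitized") else ["retired without drive sanitization"]
    findings = []
    if device["factory_default"]:
        findings.append("factory default in use: "
                        + ", ".join(sorted(device["factory_default"])))
    # "A different password for each setting": group settings by fingerprint.
    shared = {}
    for setting, fingerprint in device["cred_fingerprint"].items():
        shared.setdefault(fingerprint, []).append(setting)
    for settings in shared.values():
        if len(settings) > 1:
            findings.append("password shared by: " + ", ".join(sorted(settings)))
    for field, label in (("encryption", "encryption disabled"),
                         ("auto_overwrite", "automatic overwrite disabled"),
                         ("https_only", "web interface allows unencrypted access")):
        if not device[field]:
            findings.append(label)
    extra = sorted(set(device["open_ports"]) - allowed_ports)
    if extra:
        findings.append("nonessential ports open: " + ", ".join(map(str, extra)))
    if _version(device["firmware"]) < _version(device["latest"]):
        findings.append(f"firmware {device['firmware']} behind {device['latest']}")
    return findings

def audit_fleet(fleet=FLEET):
    return {d["name"]: audit(d) for d in fleet}
```
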