by Dave Westlake, PrintCommand
Enterprises face staggering — and escalating — vulnerabilities. A 2013 study of the Global 2000 companies by Ponemon Institute projects an average loss of $450 million per U.S. organization due to network attacks. Globally, that’s $398 million.
Many of you are thinking two things. First, “What does this have to do with print?” and second, “I don’t work with (or I’m not one of) the Global 2000 companies, so why should I care?” That’s precisely what the bad guys are counting on.
The “Internet of Everything” radically transforms who can impact our lives simply by virtue of what we’re connected to in today’s hypernetworked world. While it may have been hip to be within 6 degrees of Kevin Bacon 30 years ago, today nearly everyone is within 2 or 3 degrees — willingly or not — of almost everyone else on the planet.
This can be cool or catastrophic, but prudence tells us to hope for the best while preparing for the worst. One major $450-million breach of a Global 2000 organization would send shock waves around the earth. If multiple organizations of this size were hit with any sort of sequential proximity, regional economies would be devastated. It’s a domino effect with real-life repercussions that wipe out real-life people.
In other words, the network innovations that make today’s world more convenient have, in many cases, exhausted the infrastructure designed to keep it safe. Never before have so many targets of hacker opportunity had so much impact on other organizations or, for that matter, so many network back doors to exploit. The closest of these is sitting at the end of your desk waiting for your next print job.
You see a printer; a hacker sees a flashing neon “Open for Business” sign
Printers have traditionally been viewed within organizations as little more than a source of periodic headaches (for IT and end users alike) when they fail. This is also what makes them the perfect attack vector. The bad guys know that most organizations are “printer heavy” and do a poor job maintaining device accountability on their networks. They also know that there is a human element to network exploits that manifests itself through printer performance issues. Furthermore, hackers have shown us through a range of activity that printers are their preferred target — ultimately the “crown jewel” in the $450-million threat exposure of U.S. enterprises.
When it comes to print devices, our collective ignorance has made business steady, reliable and all too easy for anyone who would like to do us harm. Combating this, although counter to conventional wisdom, starts with understanding three fundamental realities of printer exploits.
Reality 1: That which doesn’t kill you … eventually will
Knowing what’s on your network means more than just having a physical inventory of your devices. It means having a real-time, self-updating knowledge base of authorized, unauthorized and unattended devices — and the connectivity characteristics of each to every network node. While time-consuming and complex, knowing the terrain of the battlefield you’re fighting on is always crucially important, which is why it’s the first of 20 critical security controls (CSCs) outlined by the Center for Strategic and International Studies (CSIS), the SANS Institute and a consortium of security-focused organizations like the NSA, Departments of State and Homeland Security, and several bureaus from the U.K.
The importance of this step cannot be overstated. Think of hackers as a pack of wolves and your printers as a herd the wolves are hunting. The pack works together to move the herd, culling its ranks so that the young or old, weak or lame start to fall out of the protection of the group and become easy prey. If you don’t know with certainty which devices are where, how they interact, how they’re configured and with whom they’re talking, then you’ve already thinned your herd. The only thing the wolves have to do now is go in for the kill — and to them, that’s fun.
Reality 2: The human-printer relationship isn’t ‘love-hate’; it’s ‘hate-hate more’
When the best-case scenario that a technology asset can provide is “perform as expected,” failure and disappointment are imminent. Such is the case with printers. That is, you’re far more likely to hear end users complaining about jams, lost print jobs, low toner, spots on pages, etc., than you ever are to hear them rave about the blow-your-hair-back performance a printer delivered rendering a page of 12-point, Times New Roman text. End users want printers to do what they’re supposed to do: print well. Any exception to this creates what we affectionately call “grief,” and grief, like plutonium, must be carefully controlled because it’s radioactive and will cause organizational cancer with prolonged exposure.
The most obvious side effect of grief, naturally, is lost productivity. However, the impact of failing to implement good life cycle management practices and targeted inventory-refresh activity (which prevent grief) extends beyond the human element into the heart of cybersecurity. Intuitively, we know that end-user compliance with security policies rapidly degrades as workplace satisfaction deteriorates. We also know that one of the leading contributors to end-user complaints is poorly functioning print devices.
A healthy print environment, therefore, directly correlates to avoiding a number of human-initiated vulnerabilities (like phishing campaigns) that can bring networks — and networks of networks — to their knees. Considering that many of the destructive malware strains (viruses such as Stuxnet, Duqu and Flame) contained in these attacks propagate throughout networks via print-device processors or known vulnerabilities in OS print spoolers, it’s more than just good form for organizations to improve their “human-printer” dynamic. It may be, in a very real sense, a matter of survival.
Reality 3: It’s not a printer; it’s a hacker welcoming committee that prints
Network-based attacks on printers, although often misunderstood, have a long and sordid track record across both public and private domains. While these attacks typically present themselves as print-job-replicator or reverse-IP-proxy breaches (providing hackers with unauthorized copies of printed files or communication protocols that grant trusted access to network resources, respectively), new attacks on new victims using transported methodologies are now making headlines. Neglect-borne lack of awareness has given rise to an alarming number of printer-based SSH hijacks (which exploit Internet-based communication) and DDoS attacks (which completely stop and hold businesses hostage). Either of these make organizations in any industry targets, but they are of particular concern to the health care, financial services, insurance and public verticals.
Enabling these exploits is the print device architecture itself. Even while embedded in a network environment, printers are almost universally configured to communicate over the Internet with OEM servers, independent of firewalls and other perimeter security measures. This means that the very nature of their design makes them immune to the benefits of Intrusion Prevention Systems (IPS) and creates an exploitable back door for network hacking and malware injections.
If printers are digitally signed by the OEM prior to shipment from the factory, certificate validity typically terminates at the end of the assembly line. This means that a nonmanaged, permanent network trust relationship could give hackers unchallenged access to your data.
Think it can’t happen to you? Well, it’s happened to the Pentagon, a Department of Navy weapons lab, the U.S. Chamber of Commerce and — according to a Quocirca study — 63 percent of companies in Germany, France and the U.K.
‘There is no security on this earth; there is only opportunity.’
General Douglas MacArthur shared this insight as an unconventional war was developing in Korea. Now, in a separate (yet parallel) unconventional war — a cyberwar — the quote gains new applicability. It’s a timeless reminder that security requirements evolve with innovation and require constant vigilance and adaptability.
Whether considering the impact a breach of your network would have on you directly, quantifying your physical threat profile in cyberspace, mitigating the cultural conflicts printers cause within an organization or protecting print devices from cyberattacks, it’s irrefutable that printers play a key (though misunderstood) role in cybersecurity. The choice is yours: Take the opportunity to secure your print environment and potentially avoid devastation in the future … or take the chance that it won’t happen to you.
What’s at risk? Try $450 million. And remember — the bad guys already know what you’re thinking.
Contact Dave Westlake at email@example.com or visit www.print-command.com
For more information
CSIS: 20 Critical Security Controls Version 4.1