Common Fails
There are really four (4) options available to protect your printer fleet, valuable information and network. The first 3 fail as effective protection. The fourth option is Symphion.
Option 1: Do-Nothing until something bad happens.
Disadvantages
Leaves printers, valuable information and corporate network exposed.
Leaves printers unpatched.
Fails audit.
Not in compliance with any cyber security standards.
Leaves business exposed to litigation for not taking reasonable measures to protect.
Associated costs after the hack.
Examples of Published Hacks of Unprotected Printers.
Unprotected printers are the favorite entry point and lateral movement pivot point for criminals. The details of how the criminals gained entry are typically not published. However, the following notable printer hacks highlight how easily criminals can exploit unprotected printers:
Stackoverflowin Hack. In 2017, a hacker named Stackoverflowin launched a massive printer attack compromising over 150,000 printers globally, including those at well-known universities, businesses, and government offices, to “raise everyone’s awareness towards the dangers of leaving printers exposed”. He executed his hack by running an open script that sent rogue print jobs to the target printers and printed messages. His attack covered varied makes, models and ages of printers. His “scripts targeted printing devices that had IPP (Internet Printing Protocol) ports, LPD (Line Printer Daemon) ports, and port 9100 left open to external connections” (“A Hacker Just Pwned Over 150,000 Printers Left Exposed Online”, Bleeping Computer, Catalin Cimpanu, February 4, 2017).
PewDiePie Hack. In 2018, a teenage attacker used the website Shodan.com (a favorite of cyber criminals) and hacked 50,000 printers to print messages promoting his YouTube channel (“Hacker hijacks 50,000 printers to tell people to subscribe to PewDiePie”, Engadget.com, November 30, 2018).
CyberNews 2020 Hack. In 2020, CyberNews, a research group leveraging Shodan.com, reported more than 800,000 unprotected printers in their first search, hijacked 28,000 of them and printed a PDF guide on print security to highlight how easily the printers can be discovered and hijacked (“Nearly A Million Printers At Risk of Attack, Thousands Hacked to Prove it”, Forbes, August 31, 2020, Lee Mathews). TheHackerGiraffe, a hacker quoted in the article, reported that with such unprotected printers “hackers can upload backdoors and recruit them into botnets”. The article continues: “The hacker added that attackers could also access recently printed or scanned files that are stored on printers or even brick the devices by causing repeated writes to their onboard chip.” CyberNews wrote: “While we were deliberately careful to only target the printing processes of the unsecured printers during the experiment, IoT hijacking attacks – when performed by bad actors without ethical limitations – can cause serious damage to organizations and individuals who neglect printer security” (“We hijacked 28,000 unsecured printers to raise awareness of printer security”, CyberNews, October 7, 2022).
Anonymous Hacks Kremlin. In 2022, in Russia, the hacking group Anonymous compromised printers in the Kremlin and over 40,000 printers across Russia to print anti-government messages, ransom and wage cyberwarfare on Russia, highlighting vulnerabilities in even the most secure institutions (“Anonymous uses printers to disrupt Russia”, The Recycler, March 22, 2022; “Anonymous Hacks Into Russian Printers to Deliver Resistance Information”, Newsweek, Thomas Kika, March 21, 2022).
Option 2: Micro-segment, harden passwords.
A response that we sometimes hear when asking “How are you securing your printers?” is “We’ll just micro-segment them and harden their passwords.” The key part of that response is “we’ll just”. When we hear about a planned response, we know we have more education to do because they have chosen the Do-Nothing Option and are not being audited. Even if properly executed, this approach fails audits due to lack of configuration of the printers, lack of patching and lack of a process to address change. Most importantly, it is extremely difficult (if not impossible) to execute and maintain in larger print fleets without vendor-agnostic automation. It also completely ignores all other vulnerabilities of each printer, including “phone home by itself” capabilities that are enabled.
Disadvantages
Leaves printers, valuable information and corporate network exposed.
Leaves printers unpatched.
Fails audit.
Not in compliance with any cyber security standards.
Leaves business exposed to litigation for not taking reasonable measures to protect.
While micro-segmentation and password management are foundational elements of network security, designed to limit access and reduce the attack surface, these measures alone fall short as a total printer security solution.
Challenges of Micro-Segmentation: Achieving effective micro-segmentation for printers is fraught with difficulties. Printers are frequently moved, undergo end-of-life and beginning-of-life transitions, and require swaps and repairs, all requiring automation to monitor and track inventory. Managing the network configurations for a diverse and constantly changing print fleet, along with coordinating with various support personnel, complicates the implementation of true micro-segmentation. Ensuring each device remains correctly segmented throughout its lifecycle is a logistical nightmare. Also, effective micro-segmentation requires monitoring all non-printer network segments, with automation, for printers; having the staffing, skills and technology to accomplish the effort; and having processes to identify changes in the print fleet. All of this is made extremely challenging by blind spots such as non-centralized printer purchasing and management (e.g., department-level purchasing).
Password Management Hurdles: Hardening passwords is a crucial step, but it is not foolproof. The transient nature of printer deployments and the involvement of multiple support teams often lead to inconsistent application of strong password policies when there is no automation and monitoring to address changes. Default, weak, or reused passwords can easily become a vulnerability, undermining the security framework. Passwords to be hardened, monitored and maintained include multiple administrator passwords on the same machine as well as communications passwords.
Non-Compliance with Standards and Best Practices: Without basic cyber hygiene such as hardening, monitoring, remediation and reporting, segmentation alone fails to meet the requirements of standards like NIST, HIPAA, and DISA STIG or Zero Trust principles. Critical security aspects like hard drive encryption and data-in-transit protection via certificates are often overlooked in printer security, leaving sensitive information vulnerable. Without hardening, monitoring and remediation of controls, printers are highly vulnerable to cyber-attacks such as “Man in the Middle” attacks, in which printers are used to compromise credential servers and gain access to other corporate systems and servers.
Unsecured External Communications Not Addressed: Modern printers come equipped with “phone home” features that automatically communicate with their manufacturers for updates and support and that are enabled as factory defaults. These remote communications capabilities pose significant risks because they, and other manufacturer service access capabilities, create potential backdoors for cyber attackers if left unhardened. If not properly managed, these connections can bypass network security measures, compromising the entire network and business.
Physical Access Vulnerabilities: Printers are unique, not like other endpoints. They are typically located in accessible areas, making them susceptible to physical tampering. For example, attackers can use USB ports to inject malware. Also, if the USB ports are not disabled, an employee can unknowingly insert an infected memory stick from home. This physical access threat is often neglected but represents a significant risk to security.
Insurance Implications: The inability to fully protect printers, which account for 20% of endpoints, can have serious repercussions for an organization’s ability to obtain and maintain cybersecurity insurance. Insurers may refuse coverage or impose higher premiums if they determine that the organization’s endpoint security is inadequate, particularly for a sizable print fleet, or may deny coverage for wholly neglecting printer hardening and patching.
Option 3: Cobble Together, Set and Forget.
Commonly recommended by the printer industry when security is requested, the “cobble” approach (including “DIY”, “Rip and Replace” and “MPS” options) includes the costs to license and operate the various brand-limited OEM device management software products required to manage the printers that comprise the fleet, in order to cobble together a solution. This option typically involves a one-time (often only upon initial setup or, at most, once a year) hardening of the printers that we call a “set and forget” approach, with no visibility into, monitoring of, or automated remediation of changes in settings, and no patching.
Common Disadvantages
Leaves gaps, printers not addressed.
Includes a costly operational lift.
Fails audit.
Is not a cyber security program that adapts to changes.
Results in costly breakages and business disruptions.
Option 3a: Attempt to Do it Themselves (DIY). While DIY may seem attractive, it’s complicated, if not impossible, to execute for this niche of cyber security. It’s more likely to disrupt business operations than secure the printers and includes a very high hidden labor cost. Each OEM’s device management software can be used to manage its own brand and devices; however, the software only works with that OEM’s latest models, and often not even all of the latest models. The tendency has been for businesses to assign an employee or employees to obtain, learn, operate, update and vigilantly try to cobble each software product together to operate all the makes, models and ages of printers that comprise the fleet. This approach has always been destined to fail. Even the brightest IT or IS employees are not familiar with the intricacies of printer configuration or patch management – especially across the diversity presented by even a small fleet. This effort is guaranteed to disrupt print service delivery and interrupt business, to fall short of comprehensively filling the gap, and to distract otherwise productive employees from important core business efforts. The substantial hidden labor cost includes not only the manual effort associated with operating the involved software products, but also the cost of training and managing cross-device printer and cyber security expertise and the high cost of guaranteed human error. Additionally, DIY does not address the security risk created by resetting printers to factory default after servicing, which eliminates even the best-intentioned security configurations.
Option 3b: DIY but Buy All New Printers & Standardize on One Brand. This is the most common recommendation from printer OEMs – as you can imagine, printer OEMs want customers to buy and standardize on their newest printers. They tout advanced cyber security hardware features managed by their own proprietary device management software, which is limited to their brand and latest models. Some offer professional services teams to help customers “get started.” However, the reality is that budgets are tight and printer fleets are inherently comprised of many different makes, models and ages of printers. Printers are already working (legacy) in production, and changing them out, without visibility and control of the whole fleet, is complicated and is guaranteed to have disruptive and costly consequences. While the discussion is often in terms of “automatic” configuration or operation, this approach involves the same risk and labor cost and is DIY.
Option 3c: Rely on Managed Print Services (MPS) Providers. MPS providers may attempt to cobble together OEM brand-limited software products or attempt to manually address this risk, but their approach is the same DIY strategy. The biggest issue with this strategy is that MPS vendors are not focused on or trained in security. Instead, they’re focused on supplying and servicing the printers and supplying the consumables (toner and staples) to maintain the important print service in a cost-effective manner. The common print fleet management tools that MPS providers use to track image counts and consumables do not report, monitor or remediate printer security settings. Security settings are hidden from them. MPS providers offer other software such as pull printing (also referred to as secure release) software to protect printer output (printed sheets) from being seen by the wrong eyes and enterprise output management software products to establish administrative rules for printing (like printing on both sides or only in black and white) to save cost. But these products, while delivering an aspect of security, do not address the printers’ security configurations or patch management.
Option 3d: Firmware only. Some businesses request a firmware-only approach from their vendors. While patching is an important part of a comprehensive printer security program, updating firmware alone is inadequate to protect printers, is impossible to maintain without breakage and corresponding business interruptions, and requires automation.
Option 3e: CVEs only. Similarly, some businesses request vendors to focus solely on the Common Vulnerabilities and Exposures (“CVEs”) published by some printer OEMs, as revealed in externally facing vulnerability scans. Eliminating vulnerabilities from unauthenticated scans of printers is part of any comprehensive program, but alone this CVE-only approach is similarly inadequate. It does not address each printer’s configurability for security, including important risk exposures from inadequate passwords, unprotected USB ports and unencrypted hard drives. This approach also does not include all makes and models of printers. (Many printer OEMs do not report CVEs.)
Option 4: Symphion.
A comprehensive, perpetual print fleet cyber security program established, implemented, monitored, maintained, and reported, all done for you by Symphion. Symphion affordably provides the solution to fill this cyber security gap by establishing and maintaining a cyber hygiene program including perpetual inventory/life cycle asset management, security configuration management, remediation and patching for all the printers in any print fleet, as a seamless extension of customers’ teams. Symphion’s solution, known as “Print Fleet Cyber Security as a Service™”, includes both Symphion software and the specialists known as “Concierges” who operate that software to deliver a hardened, patched, monitored, and maintained print fleet for customers, thereby eliminating operational lift and associated costs. It also includes a Print Fleet Cyber Security Program Management Office to guide you in important decisions to secure and maintain your fleet, as well as regular executive management reporting.
Advantages
Total cyber security program established and maintained, for all printers.
All delivered for you. No operational lift. Extends your internal team.
Perpetual monitoring and remediation.
Seamlessly adapts to change.
Includes management consulting guidance.
One fixed, affordable price and predictable TCO.
Disadvantages
No previous line item for print fleet cyber security.
Note: Managed Security Services Providers (MSSPs) & Other Security Software Products do not harden or patch printers. Managed security service providers provide excellent solutions to address most IT security needs; however, if they include printers in the scope of their services, they are limited to reporting externally scanned vulnerabilities and only recommending (not implementing or remediating) security controls. Other software products, such as Security Information and Event Management (SIEM), simply do not report or manage printer security configurations or patch printers because they cannot access the devices. Similarly, there are software products that inventory Internet of Things (IoT) devices on corporate networks by sniffing the network traffic, but these products also do not provide the basic printer cyber hygiene of security configuration management or patch management.