In this day and age, users need to be aware of the security implications of using any network-attached equipment, such as the humble office printer. As printers become more “intelligent” and extend their reach outside of the intranet/corporate network with features such as direct printing of HTML pages and PDF documents from the net, the chance of a printer being hijacked increases.
Users should realise there may be a security risk using sites external to the corporate network just as they must be cautious about viewing external websites in a browser.
Rishi Ghai, senior analyst, hardcopy peripherals at IDC, believes people don’t pay enough attention to the security implications of printing devices.
“Unless you are a government agency or enterprise that would place emphasis on having password protection, most of the security implications relating to printers and print devices are ignored,” he said.
Just a part of the network
According to Ghai, the average organisation leaves the security of such devices to become part of the organisation’s network security policy. They often don’t realise many high-end printers have built-in hard drives or a mechanism which stores a printout’s content to be accessed whenever and by whomever.
“Most organisations don’t pay attention to this aspect of printing and imaging. IDC recently ran a survey on printing which clearly showed end-users don’t pay adequate attention to such things. They are more concerned with the costs of the machine and replacing them,” said Ghai. “It basically indicates these people are only concerned with the low function of these machines and don’t want to pay much attention to anything except how smoothly and streamlined they work. Barring top organisations, the majority of businesses don’t look at security.”
The specifics of security surrounding printers can vary from organisation to organisation. While most people presume the security of a printer is covered by network security, not many people check to ensure security mechanisms with printers are put in place, said Ghai.
Who’s looking at your document?
“Anyone can access sensitive information and anyone can pick up sensitive information from printouts at the printer. Also the data stored on printers can be removed to a hard disk and can be accessed by someone doing harm. It’s all about authorisation and making sure people take the print area seriously,” he said.
Michael Johnson, pre-sales support specialist at Fuji Xerox Printers, said resellers can benefit from knowing the pros and cons of any feature of a device.
“Knowledge is power, and the ability to explain the benefits, implications and dangers of the next ‘killer feature’ may separate them from the crowd,” he said.
Four categories of printer security
Johnson believes printer security can be placed into four distinct categories:
The first is the physical security of the device and who can use it. This is normally addressed through using network authentication mechanisms such as LDAP, Kerberos or NT authentication. However, Johnson believes it’s important to ask: how do we stop unwanted usage? “This can be addressed through the use of lock-out periods or control panel locking etc,” he said.
The next category is network. Most modern printers are network-connected devices which receive and transmit information across a network. This should be taken into consideration, especially when talking about multi-function printers with both fax and network connectivity.
“Issues that need to be examined include whether or not the analogue fax port is connected to the network or does the controller architecture isolate the fax telephone line and the network connection to foil incoming attacks. Does the fact that some newer printers and MFPs use open source embedded operating systems leave them susceptible to the same vulnerabilities that these operating systems have when used in computers? We have already seen cases of external print servers contracting PC-borne viruses,” he said.
The third priority is document security. More organisations are becoming concerned with document security both during and after printing.
Questions such as “who can see the document being sent across the network?” and “does the document stay on the printer’s hard disk after it’s printed” are becoming more prevalent. These questions are being answered by manufacturers with features such as encrypted communications and disk Image Overwrite (this feature electronically erases data that has been processed to the hard disk in print, copy, scan, Internet and server fax modes).
More emphasis is being placed on secure document printing with features such as Secure Print (where the document is not printed until a PIN (Personal Identification Number) is entered at the printer) and remote print release (often called “Follow Me” printing) where the document is not printed until the user arrives at the printer and identifies themselves.
The last issue relates to print security. Many organisations track and monitor the print volume on their devices, making sure that each document printed is productive and matches the use for which it is intended.
“For example, many people still believe that all emails received need to be printed and printed in full colour. Printer management and cost recovery applications can help to keep this kind of activity in check and lead to some cost savings as well,” he said.
How can resellers help?
Resellers need to understand that rather than a printer being a part of an end-user’s network, it’s more about understanding how the customer completes their printing environment.
“They need to examine what types of documents are they printing? Where do they originate from? What applications are they using to print? And, more importantly, how important is security to them?”
Johnson said we’ve already seen cases of print server devices becoming infected with viruses and worms, but that is a worst-case scenario and is extremely rare. He believes a growing trend in printer security is more around encrypting the print traffic across the network and securing the document between the time the user hits print and collects the printed pages. It’s about securing the information that’s being printed, rather than securing the printer.
“In the printer industry we have been lucky in avoiding the gaze of virus and worm creators as it has been far easier for them to target PCs because they have a deeper market penetration, a limited number of operating systems and a whole load of open network ports and vulnerabilities just waiting to be found,” he said.
However, as operating systems become more secure and vulnerabilities harder to find there is a chance that the focus could move to other connected devices.
“Resellers can make themselves stand out by becoming familiar with the security features of modern print devices and taking a deeper interest in the security concerns and issues that their customers may have,” he said.
Not secure enough
By Lilia Guan on Aug 30, 2007 10:23AM