Comprehensive security needed to prevent printer hacking

The long view of security strategies for your network.

This is the second of a two-part series by Dale Morris and Gary Lefkowitz of HP looking at printer security.

* * *

Technology development has outstripped the earlier IT view of security in the imaging and printing environment. Printers and imaging devices were considered simple network appliances, with none of the risks of desktop PCs and servers. However, these devices have grown in sophistication - running full-capability operating systems like Linux and Windows and featuring built-in FTP services and Web servers.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

This is the second of a two-part series by Dale Morris and Gary Lefkowitz of HP looking at printer security.

* * *

Technology development has outstripped the earlier IT view of security in the imaging and printing environment. Printers and imaging devices were considered simple network appliances, with none of the risks of desktop PCs and servers. However, these devices have grown in sophistication - running full-capability operating systems like Linux and Windows and featuring built-in FTP services and Web servers.

Vulnerabilities exist in the network flow (client to print server, print server to printer) and the printer itself (printer memory awaiting print, output tray awaiting pickup). In addition, inadequate authentication and insufficient print activity records can compromise security. In general, there is little or no control over the IT infrastructure responsible for printing.

Traditional secure-printing initiatives have generally employed a heterogeneous mixture of four different types of point solutions:
* Secure the device
* Protect the network
* Encrypt the document
* Effectively monitor and manage printing and audit devices

Although they do work, these solutions cannot guarantee security policy enforcement, and the task of integration is non-trivial.

Securing print and imaging devices requires creating access controls for management and use, securing file deletion, and even locking the doors to the printing station. However, securing the device alone does not create a secure print environment. For example, users can reset the device without the knowledge of the security administrator. To be secure, the devices must also work within a secure network which is overseen by security policy.

Forty years ago, banks thought that simply protecting networks would solve ATM security problems - but that didn’t work. Adding enforcement policies on the network, however, caused ATM abuses to decline.

Printing and imaging security is similar. Protecting the network with simple link-layer security (such as IPSec or other point solutions) fails for many reasons. For example, IT departments and intrusion-detection systems do not typically check printing applications, even though they are subject to Trojan horses and viruses.

Anyway, policy enforcement across a large number of imaging and printing devices can be circumvented and data integrity can be compromised. Securing the network, although important, is not enough to create a secure print environment.

Document encryption – another important component of secure printing – has its own drawbacks, particularly manageability. For example, if the printer gets out of crypto-sync (i.e., the requirement that encryption and decryption keys must remain synchronized at all times), an administrator must manually press a configuration button. This can cause printing of the crypto-key, defeating its purpose. Improper key management ignores expected security standards and creates a non-secure network environment.

Managing heterogeneous print devices and authentication systems also has challenges. Multiple, competing security and authentication systems within the same environment are not easily integrated. Ad-hoc and inconsistent security implementations leave users more vulnerable to attack and administrators burdened with extra administrative tasks.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.