Author: Dr. Stanislav Malinskiy, General Director of Information Agency “BUSINESS-INFORM”(Russia)
A science conference called “Digital Technologies in the Sphere of Transport Services was held at the Russian University of Transport in Moscow on October 11. During the conference, 24 reports were presented dedicated to various aspects of modern digital technologies usage. Information Agency “Business-Inform” presented two reports at the conference.
The swift development of office printing has given rise to dual concerns of printing quality and informational safety. How to provide consistent, quality printing on a limited budget? Do modern office printing devices pose a threat to corporate data safety, and if yes, how does one identify and protect against the threat?
Modern trends in office printing in the Russian market:
These trends are quite dynamic. The Russian market changes very quickly, so any decisions to provide quality and information safety require endless monitoring.
Determining print quality in monochrome laser cartridges is a well-established process. The most popular standardized method to assess the quality of prints is the STMC (Standardized Test Methods Committee) guideline method. STMC testing was designed to be easy and affordable. However, some questions remain unanswered:
Choosing the right service model is a complex task and the decision should be left with office printing experts.
Outsourcing is growing in the Russian printing market. More companies seeking cost-efficient and quality printing are resorting to the help of a third-party to assess the integrity of their printer fleet. They undergo an initial fleet assessment and install software on their corporate computers to track the demands placed upon each printer. They assess each printer’s workload in comparison with other available printers. They also monitor the printer cartridge’s lifecycle.
Driven by the desire to achieve cost-efficient, quality printing, these companies allow these managed print service specialists (MPS) onto their premises to access to the company’s precious data. It is at this point new risks for the security of the company’s information emerges. These specialists are able to see the company’s data as they make decisions about incorporating new printers into the fleet. These outsourcers also recommended which cartridges will be used. In most cases these are Aftermarket cartridges containing chips that will remain a mystery for users during the life cycle of the cartridge.
Experts from Quocirca1 independently assessed the leading printing MPS providers in 2017. As a result of a customer survey, the organisation found three major issues were being faced by the customers of MPS providers:
It is evident the issues on the implementation of MPS services are of concern to corporate users. This is especially interesting when reviewed together with information supplied in the InfoTrends2 2017 research report entitled “Office Document Technology Security.” According to InfoTrends, respondents had been spending 25-100 percent more on the security of their computers than on the security of their printers and MFPs.
There are certain risks for corporate data safety inherent in the businesses’ own printing devices. There are still misconceptions regarding printers among users:
The truth is, however, completed tasks can remain within the memory of the printer, sometimes indefinitely. The printer is a very convenient “entrance” or gateway into the corporate computer network. Despite most modern printers having an obligatory delete function in their print settings, the overwhelming majority of users simply neglect the chance to study and activate these settings.
This is completely untrue. The modern printer is a very powerful system, and according to statistics, 80 percent of the time the printer is idle (in sleep mode). All the resources of the printer are available during this time and can be used with malicious intent.
The manufacturers of printing devices are also far from perfect in terms of providing data security with their printers. They do support their customers by providing data safety measures to thwart external cyber criminals. For instance, modern HP software performs unceasing device monitoring with a settings check (HP JetAdvantage Security Manager), using a program check (Whitelisting technology), and, in the case of a threat, BIOS loading (HP Sure Start). Many modern printers have the ISO/IEC 15408 data security certification.
However, the assessment of cyber-security risks in office printing devices is a very real concern. For instance, in January 2018 it was reported3 “NewSky Security specialists found 1,123 Lexmark printers installed in various companies, administration buildings and universities in the USA would have been quite vulnerable in case of attacks due to the user’s gross negligence. Those printers were incorrectly configured, open to the public Internet and easily accessible to anyone interested in controlling this type of device.” NewSky Security also found that 700 Brother printers were also configured in an unsafe way and open to the Internet access. As in the case with the Lexmark printers, administrative functions were also remotely accessible.
In some cases printer manufacturers overreach their claims of vigilance for security purposes. HP and others have misled consumers by tying the use of an OEM cartridge with the safety of the printer and data. “The printer is intended for use only with cartridges containing an original HP chip,” for example. They use chips as a way to thwart competing aftermarket cartridge functions. Cartridges with chips from other manufacturers may not work, and those working now may cease to work in the future. This way printer manufacturers urge users, for the sake of data security, to work only with original cartridges (expensive and with chips whose algorithms are known and understood by the manufacturer only)! Consumers are also warned not to interfere with the manufacturer’s subsequent firmware upgrades, which often render aftermarket solutions useless.
Press releases regarding the certification of modern Epson inkjet printers state that the versions of firmware, manuals, and other components were evaluated under ISO/IEC 15408 certification criteria. The firmware version in the ordered product may differ from the certificated version; and that the usage of the certified version may impose limitations of some of the functions. The consumer is caught in competitive crossfire, and is utterly confused.
We shouldn’t forget about the real perpetrators wanting to get into your corporate network through a printer. According to one HP report4, the printer is one of the most vulnerable points through which hackers can get into the IT-structure of a company. In 60 percent of businesses, whose data had been hacked, the intrusion has been committed through the printers. As for serious intrusions, according to IT specialists, 26 percent were made through the printers.
These widespread user mistakes allow hackers to get into corporate computer networks. They are all easily recognized5:
Printing devices have a range of services included by default, which opens a potential entrance to the printing device for hackers, and then into the corporate network as a whole.
Quite often users lazily leave the passwords set to the default setting on the printer. This allows the hacker to manipulate with configurations, to change the tasks for printing and even to install malware on the devices that will further attack the rest of the corporate network threatening sensitive data and the system’s safety.
Many organizations allow their employees to access their network both internally and externally (remotely) from outside the office premises. By doing so, they provide an opportunity for access to hackers.
As in case of workstations, servers and other network equipment, printing devices also have their vulnerabilities. For example, a recent notice emerged that the HP OfficeJet MFP has a very serious vulnerability. The transmission of a compromised fax message from this HP device can provide hackers with full control over this device, and consequently access to the corporate network.
Be warned: printing devices are major points of vulnerability for corporate computer networks. Take the issues of data security seriously, especially as it pertains to printers. Share this information with your customers so as to not make their corporate network easy prey for both professional infiltrators and rookie computer hooligans alike.