Russia: Dealing with Issues of Data Security in the Office

Russia: Dealing with Issues of Data Security in the Office

A science conference called “Digital Technologies in the Sphere of Transport Services was held at the Russian University of Transport in Moscow on October 11.  During the conference, 24 reports were presented dedicated to various aspects of modern digital technologies usage. Information Agency “Business-Inform” presented two reports at the conference.

The swift development of office printing has given rise to dual concerns of printing quality and informational safety. How to provide consistent, quality printing on a limited budget? Do modern office printing devices pose a threat to corporate data safety, and if yes, how does one identify and protect against the threat?

Modern trends in office printing in the Russian market:

• Inkjet printing is pushing out laser printing;
• Compatible supplies are pushing out OEM supplies;
• The price of a printing device ceases to be the decisive economic factor for purchase, and is re-placed by the cost of ownership (three years as a rule);
• Printer fleet service is rising. Companies that provide highly professional servicing of a corporation’s printer fleet are emerging and taking an increased share of the market.  (The growth of the printing outsourcing market in Russia is 20-25 percent annually);
• Imports are declining. Russian startups are producing printing devices (Katusha printers/MFPs), laser cartridges (Cactus), and toner (Rostoner Ltd.)

These trends are quite dynamic. The Russian market changes very quickly, so any decisions to provide quality and information safety require endless monitoring.

Determining print quality in monochrome laser cartridges is a well-established process. The most popular standardized method to assess the quality of prints is the STMC (Standardized Test Methods Committee) guideline method. STMC testing was designed to be easy and affordable.  However, some questions remain unanswered:

• Which printer service model do you choose to care for your fleet of devices?
• Should OEM cartridges be used for remanufacturing? Or it is better to use quality, Chinese new-build cartridges instead?
• Should the focus on testing remanufactured cartridges be on well-known American, European, Chinese, or Russian brands?

Choosing the right service model is a complex task and the decision should be left with office printing experts.

Outsourcing is growing in the Russian printing market. More companies seeking cost-efficient and quality printing are resorting to the help of a third-party to assess the integrity of their printer fleet.  They undergo an initial fleet assessment and install software on their corporate computers to track the demands placed upon each printer. They assess each printer’s workload in comparison with other available printers. They also monitor the printer cartridge’s lifecycle.

Driven by the desire to achieve cost-efficient, quality printing, these companies allow these managed print service specialists (MPS) onto their premises to access to the company’s precious data. It is at this point new risks for the security of the company’s information emerges. These specialists are able to see the company’s data as they make decisions about incorporating new printers into the fleet. These outsourcers also recommended which cartridges will be used. In most cases these are Aftermarket cartridges containing chips that will remain a mystery for users during the life cycle of the cartridge.

Experts from Quocirca¹ independently assessed the leading printing MPS providers in 2017. As a result of a customer survey, the organisation found three major issues were being faced by the customers of MPS providers:

1. 82 percent of respondents noted that data safety risks are the first priority for them;
2. Only 25 percent of respondents were sure that their office printing networks were safe;
3. 60 percent of respondents indicated they had at least one data leak during the last year.

It is evident the issues on the implementation of MPS services are of concern to corporate users. This is especially interesting when reviewed together with information supplied in the InfoTrends² 2017 research report entitled “Office Document Technology Security.” According to InfoTrends, respondents had been spending 25-100 percent more on the security of their computers than on the security of their printers and MFPs.

There are certain risks for corporate data safety inherent in the businesses’ own printing devices. There are still misconceptions regarding printers among users:

1. The printer is a “typing machine” with limited programs installed. The truth, however, is a modern printer resembles a computer more than a typewriter.
2. A printer is a peripheral device that doesn’t store any confidential data, so an attack on it would be ineffective and illogical.

The truth is, however, completed tasks can remain within the memory of the printer, sometimes indefinitely. The printer is a very convenient “entrance” or gateway into the corporate computer network. Despite most modern printers having an obligatory delete function in their print settings, the overwhelming majority of users simply neglect the chance to study and activate these settings.

3. A printer is a low-capacity and low-productivity device.

This is completely untrue. The modern printer is a very powerful system, and according to statistics, 80 percent of the time the printer is idle (in sleep mode). All the resources of the printer are available during this time and can be used with malicious intent.

The manufacturers of printing devices are also far from perfect in terms of providing data security with their printers. They do support their customers by providing data safety measures to thwart external cyber criminals. For instance, modern HP software performs unceasing device monitoring with a settings check (HP JetAdvantage Security Manager), using a program check (Whitelisting technology), and, in the case of a threat, BIOS loading (HP Sure Start). Many modern printers have the ISO/IEC 15408 data security certification.

However, the assessment of cyber-security risks in office printing devices is a very real concern. For instance, in January 2018 it was reported³ “NewSky Security specialists found 1,123 Lexmark printers installed in various companies, administration buildings and universities in the USA would have been quite vulnerable in case of attacks due to the user’s gross negligence. Those printers were incorrectly configured, open to the public Internet and easily accessible to anyone interested in controlling this type of device.” NewSky Security also found that 700 Brother printers were also configured in an unsafe way and open to the Internet access. As in the case with the Lexmark printers, administrative functions were also remotely accessible.

In some cases printer manufacturers overreach their claims of vigilance for security purposes. HP and others have misled consumers by tying the use of an OEM cartridge with the safety of the printer and data. “The printer is intended for use only with cartridges containing an original HP chip,” for example. They use chips as a way to thwart competing aftermarket cartridge functions. Cartridges with chips from other manufacturers may not work, and those working now may cease to work in the future. This way printer manufacturers urge users, for the sake of data security, to work only with original cartridges (expensive and with chips whose algorithms are known and understood by the manufacturer only)! Consumers are also warned not to interfere with the manufacturer’s subsequent firmware upgrades, which often render aftermarket solutions useless.

Press releases regarding the certification of modern Epson inkjet printers state that the versions of firmware, manuals, and other components were evaluated under ISO/IEC 15408 certification criteria. The firmware version in the ordered product may differ from the certificated version; and that the usage of the certified version may impose limitations of some of the functions.  The consumer is caught in competitive crossfire, and is utterly confused.

We shouldn’t forget about the real perpetrators wanting to get into your corporate network through a printer. According to one HP report⁴, the printer is one of the most vulnerable points through which hackers can get into the IT-structure of a company. In 60 percent of businesses, whose data had been hacked, the intrusion has been committed through the printers. As for serious intrusions, according to IT specialists, 26 percent were made through the printers.

These widespread user mistakes allow hackers to get into corporate computer networks. They are all easily recognized⁵:

• Too much trust is given to the devices.

Printing devices have a range of services included by default, which opens a potential entrance to the printing device for hackers, and then into the corporate network as a whole.

• Default passwords are left unaltered.

Quite often users lazily leave the passwords set to the default setting on the printer. This allows the hacker to manipulate with configurations, to change the tasks for printing and even to install malware on the devices that will further attack the rest of the corporate network threatening sensitive data and the system’s safety.

• Open remote access.

Many organizations allow their employees to access their network both internally and externally (remotely) from outside the office premises. By doing so, they provide an opportunity for access to hackers.

• Printing devices vulnerabilities.

As in case of workstations, servers and other network equipment, printing devices also have their vulnerabilities. For example, a recent notice emerged that the HP OfficeJet MFP has a very serious vulnerability. The transmission of a compromised fax message from this HP device can provide hackers with full control over this device, and consequently access to the corporate network.

• Cloud printing.
• Performing printing on public infrastructure, such as the Cloud, can open the device to attacks from hackers, and open up further network intrusion.

Be warned: printing devices are major points of vulnerability for corporate computer networks. Take the issues of data security seriously, especially as it pertains to printers. Share this information with your customers so as to not make their corporate network easy prey for both professional infiltrators and rookie computer hooligans alike.

Bibliography:

1. Quocirica Has Evaluated Main Trends on the MPS Market (Quocirica оценила основные тренды на рынке MPS) – Business-Inform Review (Issue #17, 2017). – p.32
2. InfoTrends Announces New Document Security Report (InfoTrends выпустило отчет о документационной безопас­ности) – Business-Inform Review (issue #15, 2017) – p.29
3. Hundreds of Lexmark Printers Vulnerable to Attack (Сотни принтеров Lexmark уязвимы перед атаками) – Business-Inform Review (issue #18, 2018) – p.37
4. HP Inc Discusses Secure MPS (В компании HP Inc обсуждают безопасность MPS) – Business-Inform Review (issue #14, 2017) – p.31
5. Bart Barcewicz. Is Your Printer a Gateway to You Being Attacked? (Барт Барцевич. Защищен ли Ваш принтер от атак?) – RT Imaging World (issue #102, 2018) – pp. 35-39

Related:

• HP to Emphasize Printer Security
• Americans Reflect on Chinese Printer Security Issues
• Printer Security Trumped – Berto panicks
• HP Rolls out Enhanced Printer Security Feature
• Printer Security of MFPs
• Canon Provides SMEs with Printer Security Capabilities
• Printer Security Highlighted By State Officials

Comment:

Please add your comments below about this article, “Russia: Dealing with Issues of Data Security in the Office.”