The reality is that network-enabled printers are a serious security threat to your district's network. Few of us think of printers as a potential source of risk, and the bad guys know this. It is estimated that 43% of all organizations flat-out ignore printers when discussing endpoint security.
As part of your NIST alignment process, you need to account for your multi-function printers (MFPs), scanners, and copiers. These "printers" are in fact computers: they run an operating system, spool documents to an internal hard drive, and listen on the network for print, scan, and management traffic. Because everyone hates printing problems, most printers are configured from the factory to allow broad access from the network, with most services enabled out of the box.
There are significant steps you must take to harden your printing infrastructure:
- Put all your printers on a dedicated printer network segment (VLAN). Most likely your printers came from one or more outside vendors. Treat them like any third-party contractor: isolate them, then allow only the specific traffic that is needed between your endpoints, print servers, and printers (for example, job submission from the print server to the printer and scan-to-folder from the MFP to the file server), and deny everything else, especially connections initiated by the printer toward the rest of your network.
- Change all default passwords. Default passwords are always very bad: they are printed in the vendor's manual and are the first thing an attacker tries. Make sure no printer is still using a default password, and if possible, don't give every printer in your network the same password, so that one compromised device does not hand over all of them. A few years ago I wrote about the "Attack of the Killer Coke Machine," where an internet-enabled soda machine contained malware. It was not segmented, and the malware accessed and locked the College out of 5,000 devices, each of which had to be manually reset! All the devices were using the same password. Make this part of any printer setup configuration requirement, whether with your staff or an outside vendor.
- To the best of your ability, don't let third-party vendors re-use the same passwords that they use at other sites. I come into contact with a large number of district networks. Districts often buy the same things from the same vendors. There are many cases where the credentials for one district work on the same devices in a completely different district. It is hard to police, but important. We have also caught vendors who were forced to change to a robust password and subsequently had a later tech change the password back (without permission) because the strong password "was too hard to remember".
- NIST wants data encrypted in transit and at rest. In today's world anything in clear text is not good. For a printer that means: manage it only over HTTPS (with a certificate you issued, not the self-signed factory one), send jobs over IPP with TLS rather than raw port 9100 or LPD, monitor it with SNMPv3 rather than SNMPv1/v2c, and enable the storage encryption most MFPs offer for the internal hard drive where scanned and printed documents are spooled.
- Your MFP printers can be taken offline by a denial-of-service attack, and every listening service is attack surface. Limit your protocols and data sources as much as practical: disable the services you don't use (FTP, Telnet, LPD, raw port 9100 if you print via IPP, SNMPv1/v2c, and discovery protocols such as mDNS/Bonjour and WSD if you deploy printers centrally), and restrict the remaining ones to the print server and management hosts that actually need them.
- Keep your firmware updated. Firmware is often updated to address known vulnerabilities, and printers rarely update themselves, so put them on the same patch schedule as your servers and subscribe to your vendors' security advisories.
- Disable USB ports. No one should be connecting anything to your printers without your permission, whether a thumb drive for walk-up printing or something less innocent.
- Turn off SMBv1. If you are still running SMBv1 to accommodate legacy MFP devices scanning to folders, you are at extreme risk. You must require at least SMBv2 on your file servers. If your printer can't do SMBv2 or later, you must retire it. It is simply too risky to knowingly keep an SMBv1-only device in your network. Before you flip the switch on a file server, turn on SMBv1 access auditing for a while so you can see exactly which devices are still using it and reconfigure or retire them first.
- Implement Follow-Me (pull) printing. Jobs are held on the server until the user authenticates at the device with a badge or PIN and releases them, so a printout containing student or staff data is far more likely to end up with the intended person instead of sitting in an output tray.
- When you retire old MFP printers, wipe the hard drives clean. Since the printer is really a computer, you have to follow the same process you would with a normal computer endpoint that you know contains sensitive/confidential data: use the vendor's secure-erase/data-overwrite function or pull and physically destroy the drive, and keep a record that you did. Do the same before a leased device goes back to the vendor.
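As an added example (not part of the original post, and not any vendor's tooling), the following PowerShell script checks two of the items above from the Windows side: which plaintext or legacy services a list of printers still exposes (the "limit your protocols" item), and whether the file server that receives scan-to-folder traffic still allows SMBv1, with auditing turned on first so you can see which MFPs are still using it before you cut them off. The printer addresses are constructed placeholders, the service list reflects common MFP defaults rather than any specific model, and the cmdlets used (Test-NetConnection, Get/Set-SmbServerConfiguration, Get-WinEvent) are standard on Windows 8.1 / Server 2012 R2 and later.

```powershell
# Added example: printer service exposure check and SMBv1 audit from a Windows admin host.
# Run in an elevated PowerShell session. Section 1 needs network reach to the printer VLAN;
# section 2 must run on (or be remoted to) the file server that receives scans.

# --- 1. Which services are the printers still exposing? ------------------------------

# Constructed inventory; replace with your own list or import it from a CSV.
$Printers = @('10.20.30.11', '10.20.30.12', '10.20.30.13')

# TCP services commonly enabled by default on MFPs. 'Risky' entries are plaintext or
# legacy protocols; the others are what you keep once printing goes over IPP with TLS.
$Services = @(
    @{ Port = 21;   Name = 'FTP';           Risky = $true  },
    @{ Port = 23;   Name = 'Telnet';        Risky = $true  },
    @{ Port = 80;   Name = 'HTTP admin';    Risky = $true  },
    @{ Port = 515;  Name = 'LPD';           Risky = $true  },
    @{ Port = 9100; Name = 'Raw/JetDirect'; Risky = $true  },
    @{ Port = 443;  Name = 'HTTPS admin';   Risky = $false },
    @{ Port = 631;  Name = 'IPP/IPPS';      Risky = $false }
)
# SNMP (UDP/161) cannot be probed with Test-NetConnection; check it in the printer's
# web UI and move it to SNMPv3 or disable it.

function Get-PrinterExposure {
    param([string[]]$Hosts, [array]$ServiceList)
    foreach ($h in $Hosts) {
        foreach ($s in $ServiceList) {
            # -InformationLevel Quiet makes Test-NetConnection return a plain $true/$false.
            $open = Test-NetConnection -ComputerName $h -Port $s.Port `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
            $action = ''
            if ($open -and $s.Risky) { $action = 'DISABLE, or restrict to the print server' }
            elseif ($open)           { $action = 'keep, restrict to the print server' }
            [pscustomobject]@{
                Printer = $h
                Port    = $s.Port
                Service = $s.Name
                Open    = $open
                Action  = $action
            }
        }
    }
}

# Show only the services that answered, with what to do about each.
Get-PrinterExposure -Hosts $Printers -ServiceList $Services |
    Where-Object Open | Format-Table -AutoSize

# --- 2. Is the scan-to-folder file server still speaking SMBv1? ----------------------

# Current state of the server-side SMB settings.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, AuditSmb1Access

# Step 1: audit before you break anything. With auditing on, every SMBv1 session is
# logged as Event ID 3000 in the Microsoft-Windows-SMBServer/Audit log together with
# the client's address, which is how you find the MFPs that must be reconfigured or retired.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# Step 2 (after a full cycle of normal scanning activity): list the SMBv1 clients seen.
Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -ErrorAction SilentlyContinue |
    Where-Object Id -eq 3000 |
    ForEach-Object { $_.Message } |
    Sort-Object -Unique

# Step 3: once that list is empty (or those devices are gone), turn SMBv1 off.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Remove the SMBv1 component entirely so it cannot be quietly re-enabled later:
#   Windows Server:  Uninstall-WindowsFeature -Name FS-SMB1
#   Windows client:  Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
```

Leave the audit on long enough to cover the least frequent scanning workflow in the building; an MFP that only scans attendance sheets once a week will not appear in a one-day audit, and that is exactly the device that breaks the Monday after you disable SMBv1.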
-Scott Quimby, CISSP