Welcome to part two in a two-part series on the role of printers in law firms. In the first instalment, we discussed what firms want in printers. Today we’ll look at keeping printers safe from hackers.
Today’s printers offer law firms brilliant labour-saving features. Unfortunately, many of those features can open security holes in their networks. It’s up to the firm to keep their data secure as they enjoy those features.
Not enough security built into today’s printers
Printer manufacturer security efforts concern Chuck Rothman. “I rarely see anything on security when I look at printer specs online,” said the director of e-discovery services with information governance, e-discovery and technology strategies firm Wortzman’s Professional Corporation.
John Simek has spotted “anti-security” requirements that make him scratch his head. For instance, to perform advanced tasks like faxing and e-mailing, modern multifunction printers often require administrator IDs. “How crazy is that?” asked Simek, vice-president of digital forensics, information security and legal technology company Sensei Enterprises, Inc. “You want to give it god rights!”
Ivaylo (Ivo) Nikolov put it more bluntly. “You don’t have to hack my computer,” said the director of information technology for Davies Ward Phillips & Vineberg LLP. “You can hack my printer and from there go to my computer.”
What printer hacks can look like
How creative can these hacks be? After our interview, Rothman sent me links to several articles on the topic. One of them outlined the proof-of-concept hack of a wireless network on the 30th floor of a skyscraper using a drone carrying a mobile phone that ran apps designed to detect and hack wireless devices, including printers.
Securing printers
An easy way to tighten security is to disable printer features the firm doesn’t use. “On our network, I don’t have the printer set up for faxing,” Simek said. “We do allow scanning to PDF and sending PDFs to e-mail addresses, but we cannot send stuff outside our network.”
Network monitoring not enough
If such setups seem draconian, they respect the fact that tracing suspicious activity after the fact might not be possible. Even if a device maintains a log (Simek says few machines do), it doesn’t show who did what. “It’s the machine’s ID that does all the work!” he said. Network monitoring tools can fill in this gap with their logs. Also, firms can prevent this lack of clarity by acquiring printers set up to demand PINs from people who use them.
Printer administrator interface
Even on basic network-connected printers, people can access the administrative interface using a web browser. Like other advanced features, this convenience can also become a security hole. “They are a bad thing, enabled by default,” said Simek. “Hackers scan for access to such printers so they can change their configuration.”
In his role as a technology consultant, “in a small firm, I disable the web interface,” he continued. “If you need to configure the device, you walk up to the device and you walk through the menu choices.” Administrators can also restrict traffic to the printer using network security settings.
“Self-healing” printer settings
Not all printers stay vulnerable. Nikolov noted Hewlett-Packard’s program for hardening and maintaining printers. It offers “self-healing” abilities that Davies was implementing when I spoke with Nikolov for this article. “You come up with a template, you push it out to all your printing devices,” he explained. “If something happens on a printer, like changing a setting or enabling a nonessential service, the system will check and reset it back to what it was before.”
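The template-and-reset idea Nikolov describes can be sketched as a small desired-state check. This is an added example, not Hewlett-Packard's software or anything from the firms quoted here; the setting names, printer names and fleet data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical hardening template; names are illustrative, not a vendor schema.
TEMPLATE = {
    "fax_enabled": False,
    "web_admin_enabled": False,
    "usb_storage_enabled": False,
    "wipe_after_job": True,
    "tls_required": True,
    "pin_release": True,
}

@dataclass
class Printer:
    name: str
    settings: dict
    audit_log: list = field(default_factory=list)

def find_drift(printer, template=TEMPLATE):
    """Return {setting: (actual, expected)} for values that differ from the template."""
    drift = {}
    for key, expected in template.items():
        actual = printer.settings.get(key)  # a missing setting counts as drift
        if actual != expected:
            drift[key] = (actual, expected)
    return drift

def heal(printer, template=TEMPLATE):
    """Reset drifted settings to the template and log each change for later review."""
    drift = find_drift(printer, template)
    for key, (actual, expected) in sorted(drift.items()):
        printer.settings[key] = expected
        printer.audit_log.append(f"{printer.name}: {key} {actual!r} -> {expected!r}")
    return drift

def heal_fleet(fleet, template=TEMPLATE):
    """Check every printer; report only those that had drifted."""
    report = {}
    for printer in fleet:
        drift = heal(printer, template)
        if drift:
            report[printer.name] = sorted(drift)
    return report

def sample_fleet():
    """Constructed sample data, not real devices."""
    return [
        Printer("mfp-reception", dict(TEMPLATE)),
        Printer("mfp-litigation", {**TEMPLATE, "web_admin_enabled": True, "fax_enabled": True}),
        Printer("mfp-accounting", {k: v for k, v in TEMPLATE.items() if k != "wipe_after_job"}),
    ]

if __name__ == "__main__":
    fleet = sample_fleet()
    print(heal_fleet(fleet))  # drifted printers and the settings that were reset
    print(heal_fleet(fleet))  # a second pass finds nothing left to fix
```

The audit log matters as much as the reset: a setting that keeps drifting back on one device is a signal worth investigating, not just correcting.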
Limit number of accessible printers
In many workplaces, people can access printers near their desks but not others. Certain staff, like those in accounting or human resources, may have their own local printers accessible to them alone to prevent the leak of confidential information.
Printer hard disk drives
Permanent storage devices like hard disk drives make printers more convenient. For instance, when several people send print jobs to a printer at the same time, the machine queues their jobs on the storage device. On copiers, multiple copies don’t require multiple scans of a document. The machine scans once to a storage device, then creates copies using that image.
As a result, printer/copier hard drives can contain records of every job they’ve ever handled, plus metadata pertaining to those jobs. Information stored on printer hard drives can pose a security risk if it stays there after the printer no longer needs to read it.
Simek configured his Konica Minolta printer to “wipe” data once the machine finishes its job and no longer needs said data. He noted this feature is a recent development and “different manufacturers handle it differently.”
Removable printer data storage
Certain printers feature ports for removable storage devices like USB memory sticks. Elliott Williams noted that certain Epson products feature such removable storage ports. And he admitted that thumb drives could carry malware-infested files meant to help hackers access networks just as easily as they do documents meant to be printed. Epson’s answer is architectural: “We separate that [removable storage] feature from the electronics that connect back to the network,” said the product manager for commercial inkjet printers for Epson America.
Encrypting printer traffic
Printer user traffic makes several stops on networks on its journey from a computer to a printer. Adding one more device to that journey can enable a hacker to record all traffic going to a printer. Printers and print servers that enable encrypted connections between printers and computers can keep such “man in the middle” attacks from bearing fruit.
Disposing of old printers
When returning off-lease printers or disposing of old printers, lawyers must ensure any information on those printers doesn’t end up in other people’s hands. If the printers don’t automatically wipe data on the hard drives after each job, law firms “must write into leases that when they turn the lease in, one of two things must happen,” Simek said. “They can take the hard drives from the machine. (Some machines have more than one drive.) Or they can wipe the hard drives before returning the machines.” Nikolov concurred. He has these drives shredded.
Rothman recommended another step: “Reset the printer to factory settings. The printer may store company-specific information, like an IP address, a list of users and their e-mail addresses and logs. You want to clear all that information as well.”
This article originally appeared on The Lawyer’s Daily website, published by LexisNexis Canada Inc.